dns-redirection with pihole and resolver

Started by parker_lewis, August 29, 2023, 07:51:00 PM

Hi there,

What's the aim?
I'd like to redirect all DNS traffic to 1) Pi-hole and 2) back to the Unbound resolver on OPNsense. There are reasons for not using Unbound DNS blocking...

the whole lan is 192.168.2.0/26
pi hole is 192.168.2.58
unbound/opnsense is 192.168.2.1.

After reading and trying almost every tutorial... help! I'm lost in configuration and mostly end up with one of these:
No change, other DNS servers are still reachable.
No other DNS server is reachable, but NO redirection, or client -> Pi-hole working [broken way to] Unbound.

In my understanding the way should be:

NAT -> port forwarding:
LAN DNS to 192.168.2.58 (pi hole)
pi hole to unbound (192.168.2.1)

Firewall: outgoing block rule for any port 53 except for 192.168.2.1

But how should the rule look? I also tried to move Unbound to port 5353, but DNS was also broken... :'(

thanks for your help,
chris

Post your port forward and firewall rules. Did you add an exception to the port forward for the Pi-hole?

Why are you blocking 53 if you're forwarding it to the pihole?

I have set this up with AdGuard Home, although in my case ADH is running on the OPNsense itself. It works fine, but only since 23.7; before that, the redirect would not overwrite the source IP: the computer sends a DNS lookup to 1.1.1.1, for example, and the answer came back from 192.168.1.1, for example, hence the computer would ignore it and DNS was broken. I am on 23.7.3 now and it works fine.

Firewall rule, on LAN interface:
Block source IP !firewall (this means "anything but opnsense"), any source port, IPv4 and IPv6, to any IP, destination port 53 UDP and TCP.
Block source IP !192.168.2.58 (this means "anything but pihole"), any source port, IPv4 and IPv6, to any IP, destination port 5353 UDP and TCP.

For redirect, it's simple:
LAN interface, from any IP, from any port, IPv4, dest IP !LAN_address (not your LAN subnet), any dest port, redirect to 192.168.2.58.
Maybe the same again for IPv6 if you use IPv6.
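A quick client-side check for the symptom described above (the reply arriving from the firewall instead of the resolver the client asked, so the client discards it). This is an added example, not code from the thread or from OPNsense; the addresses are the ones used in this thread, and the resolver list in the main block is an assumption.

```python
import secrets
import socket
import struct

def build_query(name: str, qtype: int = 1) -> tuple[int, bytes]:
    """Minimal DNS query (RD set, one question) for name; returns (txid, wire bytes)."""
    txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lb)]) + lb for lb in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)

def classify_reply(resolver: str, src: str, txid: int, data: bytes) -> str:
    """Was this a real answer to our transaction, and did it come from the address we asked?"""
    if len(data) < 12:
        return "bad-reply"
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != txid or not flags & 0x8000:
        return "bad-reply"                 # wrong transaction id, or QR bit not set
    if src != resolver:
        return f"answered-by-{src}"        # redirect visible: reply source was not restored
    return "ok"

def check_resolver(resolver: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Send one UDP query to resolver:53 from an UNconnected socket, so a reply
    from any source address is seen. A connected socket (what normal stub
    resolvers use) silently drops mis-sourced replies, which is exactly why
    the client appears to 'ignore' them."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        try:
            data, (src, _port) = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"               # no reply: filtered by the port-53 block rule, or no path
    return classify_reply(resolver, src, txid, data)

if __name__ == "__main__":
    # Assumed resolver list: the Pi-hole, the firewall, and two public resolvers
    # that the redirect should transparently capture. With a working redirect
    # every line reads "ok"; the symptom from the post shows as "answered-by-<firewall>".
    for r in ("192.168.2.58", "192.168.2.1", "1.1.1.1", "8.8.8.8"):
        print(f"{r:>14}: {check_resolver(r)}")
```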