How to properly forward DNS from OPNsense to Pi-hole (due to guest network limit)

Started by Lil-cyb, May 20, 2025, 05:58:54 PM

Hello everyone,

Until now, I've been using Pi-hole as the DNS server on my network, and my DHCP configuration in OPNsense was set to provide Pi-hole's IP (192.168.173.2) as the DNS server to all clients.

However, I now want to change this setup because of a limitation with my access points: when guest network mode is enabled, clients can only communicate with the default gateway (192.168.173.1). This prevents them from reaching Pi-hole directly.

Because of this, I'd like to make OPNsense (192.168.173.1) the DNS server for all clients, while still having all DNS queries be filtered and processed by Pi-hole. So essentially, OPNsense should act as the DNS server but forward all queries to Pi-hole internally.

What's the proper way to configure this in OPNsense?
Additionally, do I need to change anything on the Pi-hole side to support this configuration?

Thanks in advance for your help!

With Unbound set as the DNS service, it should be as simple as specifying the Pi-hole IP in Query Forwarding.

I use Pi-hole as my primary DNS server for clients, with Unbound on OPNsense set as the upstream DNS server on Pi-hole. The advantage of this setup is that you get local host resolution, since OPNsense is able to get that from the DHCP server (ISC or dnsmasq).

EDIT: After reading more carefully, I see that you can't reach the Pi-hole directly. If the default gateway is OPNsense, then maybe you can port forward those DNS requests to Pi-hole. I am also doing that to force all DNS to Pi-hole.

The port forward forces every client to use Pi-hole, which was not really part of the OP.

When DNS is indicated to clients via DHCP, it's merely a suggestion. They are free to use something else if they know better.
When not specifying an explicit DNS server, DHCP points DNS to the GW.

Services --> Unbound DNS --> Query Forwarding --> [ + ]
Server IP: YOUR PI-HOLE IP

Then let clients get the OPNSense Firewall (default) IP for DNS Server.

With this setup, clients will use Unbound on OPNSense for DNS, and Unbound will forward DNS requests to the Pi-Hole.

----
For an alternative, more advanced setup:

Firewall --> NAT --> Port Forward --> [ + ]

Interface: Guest_Network
TCP/IP Version: IPv4 (or "IPv6" - if required - make separate rules)
Protocol: TCP/UDP
Destination: This Firewall (or "any" - if you want to also catch and redirect client attempts to use other, unauthorized internet DNS servers)
Destination port range: DNS - DNS (or use an alias for ports 53 and 853 to include DNS over TLS)
Redirect target IP: YOUR PI-HOLE IP
Redirect target port: DNS (or use an alias for ports 53 and 853 to include DNS over TLS)
Filter rule association: Add associated filter rule

If the Pi-Hole is on the same subnet, also select:
Source [Advanced]
Source / Invert: [CHECK]
Source: YOUR PI-HOLE IP
in order to prevent outbound requests from the Pi-Hole getting redirected to itself.

Then let clients get the OPNSense Firewall (default) IP for DNS Server.
All DNS traffic should now bypass OPNSense (Unbound) and get NATed to the Pi-Hole.

I would use this setup and have the Pi-Hole forward requests for my local domain to OPNSense.

The advantage of doing it this way is being able to have a different set-up for different subnets. e.g. I could make traffic on my VPN subnet contact a different Pi-Hole that also uses the VPN to prevent VPN DNS Leaks while also maintaining local name resolution and Pi-Hole Ad-Blocking.

----

If you want to go for the first option while also preventing client attempts to use other, unauthorized internet DNS servers, make the NAT rule above but use:
Destination: any
Redirect target IP: 127.0.0.1 (or ::1 for IPv6)
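To see which flows the port-forward variants in the post above actually catch, and why the Source / Invert entry matters when the Pi-hole sits on the same subnet, here is a small model of the rule matching. This is an added example, not code from the thread or from OPNsense: 192.168.173.1 and 192.168.173.2 are the firewall and Pi-hole addresses from the thread, the client and upstream addresses are constructed, and pf matching is reduced to the fields the post uses.

```python
"""Model of the pf redirect (rdr) rules from the post above.

Added example, not from the thread or from OPNsense. FIREWALL and PIHOLE
are the thread's addresses; CLIENT and UPSTREAM are constructed. Matching
is simplified to the rule fields the post uses (destination, port,
inverted source); pf's real evaluation has more state than this.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

FIREWALL = "192.168.173.1"
PIHOLE = "192.168.173.2"
DNS = frozenset({53})
DNS_AND_DOT = frozenset({53, 853})   # the "alias for ports 53 and 853" in the post


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"


@dataclass(frozen=True)
class RedirectRule:
    destination: Optional[str]          # None models "Destination: any"
    ports: FrozenSet[int]
    target_ip: str
    src_invert: Optional[str] = None    # "Source / Invert" + "Source: <ip>"

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto not in ("tcp", "udp"):
            return False
        if pkt.dport not in self.ports:
            return False
        if self.destination is not None and pkt.dst != self.destination:
            return False
        # Invert: the rule matches every source EXCEPT the one given
        if self.src_invert is not None and pkt.src == self.src_invert:
            return False
        return True

    def apply(self, pkt: Packet) -> Packet:
        """Packet as it leaves the rdr stage. The port is kept 1:1, which is
        what pf does when source and target port ranges have equal size."""
        if not self.matches(pkt):
            return pkt
        return Packet(pkt.src, self.target_ip, pkt.dport, pkt.proto)


def redirect_loops(rule: RedirectRule, pkt: Packet) -> bool:
    """True when a host's own outbound query gets bounced back to itself."""
    return rule.apply(pkt).dst == pkt.src


# Variant 1 from the post: only queries aimed at the firewall are caught.
TO_FIREWALL = RedirectRule(FIREWALL, DNS_AND_DOT, PIHOLE, src_invert=PIHOLE)
# "Destination: any": also catches clients that talk to public resolvers.
CATCH_ALL = RedirectRule(None, DNS_AND_DOT, PIHOLE, src_invert=PIHOLE)
# Same, but without the Source / Invert entry the post tells you to add.
CATCH_ALL_NO_INVERT = RedirectRule(None, DNS_AND_DOT, PIHOLE)
# Closing variant in the post: catch everything, hand it to local Unbound.
CATCH_ALL_TO_UNBOUND = RedirectRule(None, DNS, "127.0.0.1", src_invert=PIHOLE)

CLIENT = "192.168.173.50"     # constructed guest-network client
UPSTREAM = "1.1.1.1"          # constructed public resolver

if __name__ == "__main__":
    for name, rule in [("to-firewall", TO_FIREWALL), ("catch-all", CATCH_ALL),
                       ("catch-all-no-invert", CATCH_ALL_NO_INVERT)]:
        for pkt in [Packet(CLIENT, FIREWALL, 53, "udp"),
                    Packet(CLIENT, UPSTREAM, 53, "udp"),
                    Packet(PIHOLE, UPSTREAM, 53, "udp")]:
            print(f"{name:20} {pkt.src} -> {pkt.dst}:{pkt.dport}  "
                  f"ends at {rule.apply(pkt).dst}"
                  f"{'  (LOOP)' if redirect_loops(rule, pkt) else ''}")
```

The model makes two practical points visible: with Destination: any and no inverted source, the Pi-hole's own upstream queries (192.168.173.2 -> 1.1.1.1:53) are rewritten to 192.168.173.2, i.e. the loop the post warns about; and a rule on 53/853 says nothing about DNS over HTTPS on 443, so a client using DoH is not caught by either variant.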

Quote from: undistio on May 22, 2025, 06:39:22 AM
Services --> Unbound DNS --> Query Forwarding --> [ + ]
Server IP: YOUR PI-HOLE IP

Then let clients get the OPNSense Firewall (default) IP for DNS Server.

With this setup, clients will use Unbound on OPNSense for DNS, and Unbound will forward DNS requests to the Pi-Hole.

Hi everyone, thanks so much for all the suggestions! Special shout-out to undistio, your Unbound query-forwarding walkthrough got me 99% of the way there.

What I've done

* Enabled Unbound on OPNsense and set it to forwarding mode, pointing at my Pi-hole (192.168.173.2).
* DHCP now hands out 192.168.173.1 for DNS, and almost every lookup goes through Pi-hole exactly as expected.

Screenshot 1:


---

The one hiccup
When I try to resolve a host defined under Local DNS Records in Pi-hole (e.g. pve-home.com), Unbound answers "no such name" before ever forwarding the query. If I manually add a Domain Override in Unbound to point pve-home.com, it works, but I'd really prefer to keep all of my DNS logic inside Pi-hole itself, instead of maintaining overrides in OPNsense. I can't access pi.hole either.

Screenshot 2:


---

My question
Is there a cleaner way to have Unbound always send Pi-hole's Local DNS Records through (instead of returning NXDOMAIN)? Or any other approach that keeps local host definitions entirely within Pi-hole?

Thanks again to everyone who chimed in! Any pointers would be hugely appreciated.


Quote from: EricPerl on May 22, 2025, 10:44:29 PM
How does Unbound even know about pve-home.com? Did you specify it in private domains?


I do have pve-home.com and even www.pve-home.com defined under Settings → DNS → Local DNS Records in Pi-hole. When I run:

nslookup pve-home.com 192.168.173.1 (OPNsense)

against OPNsense's Unbound resolver, it still returns NXDOMAIN; Unbound never forwards that query to Pi-hole by default. However, if I point the query directly at Pi-hole:

nslookup pve-home.com 192.168.173.2


I immediately get the correct IP back.

I know I could add a Domain Override in Unbound for pve-home.com, but I'd really prefer to keep all of my DNS record management inside Pi-hole. Is there a way to tell Unbound to forward that zone (or better yet, all queries) straight to Pi-hole without per-domain overrides?
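The two nslookup runs above compare only the final answer. When chasing a "who answered NXDOMAIN" question between a forwarder and the server behind it, it helps to look at the raw response: the RCODE says whether it was NXDOMAIN, and the AA (authoritative answer) flag says whether the responding server considers the name its own data rather than something relayed from upstream. The following is an added example, not code from the thread, Pi-hole or Unbound: a stdlib-only DNS query builder and response parser, plus two constructed responses standing in for the firewall's NXDOMAIN and Pi-hole's A record (the 192.168.173.10 address is made up). The `ask()` helper sends the same query over UDP so you can run it against 192.168.173.1 and 192.168.173.2 yourself.

```python
"""Minimal DNS wire-format helpers for comparing two resolvers' answers.

Added example, not from the thread or from any resolver's code base.
The sample responses below are constructed; 192.168.173.10 is made up.
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def build_query(name: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Standard query for <name>, RD set, one question (type A by default)."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Return id, rcode name, AA flag and any A records in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    return {"id": qid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "aa": bool(flags & FLAG_AA), "answers": answers}


def make_response(query: bytes, rcode: int, a_records=(), aa: bool = False) -> bytes:
    """Construct a reply to <query> (used here only to build sample data)."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AA if aa else 0) | rcode
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
                       for ip, ttl in a_records)
    return struct.pack("!HHHHHH", qid, flags, 1, len(a_records), 0, 0) + query[12:] + answers


def describe(resp: dict) -> str:
    """One-line verdict of the kind you want when comparing two servers."""
    if resp["rcode"] == "NXDOMAIN":
        return "NXDOMAIN " + ("from the server's own data (AA set)" if resp["aa"]
                              else "relayed or cached (AA clear)")
    if resp["answers"]:
        return "A " + ", ".join(ip for _, ip, _ in resp["answers"])
    return resp["rcode"] + " with no answer records"


def ask(server: str, name: str, timeout: float = 2.0) -> dict:
    """Send the query over UDP/53 and parse the reply (needs network)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != 0x1234:
        raise ValueError("transaction id mismatch")
    return resp


# Constructed stand-ins for the two replies seen in the thread.
QUERY = build_query("pve-home.com")
FIREWALL_REPLY = make_response(QUERY, 3, aa=True)                               # NXDOMAIN
PIHOLE_REPLY = make_response(QUERY, 0, [("192.168.173.10", 300)], aa=True)     # made-up A

if __name__ == "__main__":
    for label, raw in [("192.168.173.1", FIREWALL_REPLY), ("192.168.173.2", PIHOLE_REPLY)]:
        print(label, describe(parse_response(raw)))
```

Run `ask("192.168.173.1", "pve-home.com")` and `ask("192.168.173.2", "pve-home.com")` side by side: the A record from the second call plus an AA-set NXDOMAIN from the first is consistent with the firewall's Unbound answering the name from its own configuration rather than passing it on.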