OPNsense + Pi-Hole Questions

Started by mrniceguy, March 17, 2020, 12:08:53 AM

Config -

Under System > Settings > General I have one DNS server, 10.10.10.15 (Pi-Hole)

Unbound is enabled, and everything else is default. Pi-Hole is acting as my DNS and DHCP server and forwarding queries to Cloudflare. All devices on my network are given 10.10.10.15 as their only DNS server. However, when I perform an NSLOOKUP on, say, opnsense.org, the answer is received from OPNsense. According to the Pi-Hole dashboard, it is constantly getting queries from my devices. But shouldn't the answer be from Pi-Hole and not OPNsense? I want EVERYTHING on my network to use Pi-Hole for DNS.

Also, on my old UBNT EdgeRouter setup I had a NAT rule that captured all DNS (53/udp) traffic and forced it to go through Pi-Hole. I'm totally new to OPNsense, and even pfSense at that, so I'm a little confused on how to make this work. I tried creating my own NAT rule, but I have no idea if it worked.


You have to leave DNS blank in System - General (blank, or you can choose an upstream DNS like Cloudflare).
You have to set up pi-hole under Services - DHCP - DNS (pi-hole is under LAN services).
Follow this https://homenetworkguy.com/how-to/configure-dns-opnsense-pihole/


Quote from: allebone on March 17, 2020, 06:33:50 PM
Try this?
https://forum.opnsense.org/index.php?topic=9245.0

That won't work; firewall rules for DNS requests on port 53 have to go through pi-hole, not the firewall itself.

I have mine setup a little different with pi-hole.

I use the router DHCP. The DNS for the clients is set to the pi-hole address. Pi-hole's upstream DNS is set to the router, and the router's upstream DNS is set to whatever (1.1.1.1 in my case). So client -> pi-hole -> router -> external DNS.

On pi-hole, go to settings and check "Use conditional forwarding" and enter your router address and domain name.

All of the clients use pi-hole for DNS.  Pi-hole is able to resolve local names and it resolves DNS via the router (Unbound by default).

What I haven't figured out is how to forward external DNS requests to pi-hole. I.e., some devices like Chromecast will also use Google DNS (even though DHCP specifies a different server). I can't seem to set up a port forwarding rule to forward requests to 8.8.8.8 to pi-hole. I can only get that to work by forwarding to the router (per that link posted earlier).


Quote from: tracyboehrer on March 19, 2020, 02:30:13 PM
What I haven't figured out is how to forward external DNS requests to pi-hole. I.e., some devices like Chromecast will also use Google DNS (even though DHCP specifies a different server). I can't seem to set up a port forwarding rule to forward requests to 8.8.8.8 to pi-hole. I can only get that to work by forwarding to the router (per that link posted earlier).

You can obtain your goal by creating a hairpin on the Outbound NAT.

Interface: LAN
Source: !<Pihole IP> (mind the exclamation mark) or even narrow it down to only your chromecast source IP
Source port: *
Destination: <Pihole IP> (mind the missing exclamation mark)
Destination port: 53
NAT Address: Interface address
Nat port: *
Static port: NO
Description: DNS Hairpin

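For readers who want to see what the rule form above amounts to in the firewall's own rule language, here is an added example written in pf syntax (OPNsense is built on FreeBSD pf). It is not from the original post or from the OPNsense project; it assumes the thread's addresses (Pi-hole at 10.10.10.15 on the interface named lan) and pairs the hairpin with the port-forward (rdr) that the earlier link describes, since the hairpin only matters once such a redirect exists:

```pf
# Added example, assumed equivalent of the GUI rules discussed in this thread.
# Addresses and interface name are the thread's (10.10.10.15 = Pi-hole, lan = LAN).

# 1. Port forward (what the GUI calls a NAT port forward):
#    any DNS query from a LAN client that is NOT already addressed to the
#    Pi-hole (e.g. a Chromecast talking to 8.8.8.8) is redirected to the Pi-hole.
#    The Pi-hole itself is excluded as a source, otherwise its own upstream
#    queries (to Cloudflare, 1.1.1.1, etc.) would be redirected back to it.
rdr on lan proto { tcp udp } from ! 10.10.10.15 to ! 10.10.10.15 port 53 -> 10.10.10.15 port 53

# 2. Hairpin (the Outbound NAT rule from the post above):
#    after the redirect, traffic from a LAN client to the Pi-hole on port 53
#    has its source rewritten to the firewall's LAN address. Without this the
#    Pi-hole would answer the client directly, the client would see a reply
#    from 10.10.10.15 instead of 8.8.8.8, and the state would not match.
nat on lan proto { tcp udp } from ! 10.10.10.15 to 10.10.10.15 port 53 -> (lan)
```

The second rule corresponds line by line to the form in the post: Interface = lan, Source = not the Pi-hole (the `!`, which in the GUI is the Source / Invert checkbox), Destination = the Pi-hole, Destination port = 53, NAT Address = Interface address, NAT port = any. A side effect worth knowing when reading the Pi-hole dashboard: once the hairpin is in place, redirected queries show up as coming from the firewall's LAN address rather than from the individual client, so per-client statistics for those devices are lost. Clients that were already pointed at the Pi-hole by DHCP are unaffected by rule 1 and still appear under their own IP.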

Quote from: Northguy on March 19, 2020, 03:09:21 PM
Quote from: tracyboehrer on March 19, 2020, 02:30:13 PM
What I haven't figured out is how to forward external DNS requests to pi-hole. I.e., some devices like Chromecast will also use Google DNS (even though DHCP specifies a different server). I can't seem to set up a port forwarding rule to forward requests to 8.8.8.8 to pi-hole. I can only get that to work by forwarding to the router (per that link posted earlier).

You can obtain your goal by creating a hairpin on the Outbound NAT.

Interface: LAN
Source: !<Pihole IP> (mind the exclamation mark) or even narrow it down to only your chromecast source IP
Source port: *
Destination: <Pihole IP> (mind the missing exclamation mark)
Destination port: 53
NAT Address: Interface address
Nat port: *
Static port: NO
Description: DNS Hairpin

I tried to configure hairpin DNS in this way but it doesn't accept the entry "!<pi-hole ip address>" with exclamation mark...

You tick the Source / Invert box to create a ! (i.e. NOT this IP listed).

Could someone give me a screen shot of how you have the rule setup? I am having issues getting it to work.

Quote from: spetrillo on August 13, 2020, 04:24:14 PM
Could someone give me a screen shot of how you have the rule setup? I am having issues getting it to work.
Also for me... don't know if I've done everything right.

Could someone comment on the attached and let me know if I set the rule up properly?