OPNsense Forum » Archive » 20.7 Legacy Series » PiHole Best setup?
Topic: PiHole Best setup? (Read 4401 times)
N0_Klu3
Jr. Member
Posts: 93
Karma: 2
PiHole Best setup?
« on: September 23, 2020, 02:16:15 pm »
Hi guys,
I'm looking for a guide on how to set up PiHole the best way for a home with 3 networks: LAN, IOT, Guest.
There are many guides and some conflict with each other on the settings they choose.
Is there a best way to set this up?
Can someone help me with the best settings?
gpb
Full Member
Posts: 234
Karma: 13
Re: PiHole Best setup?
« Reply #1 on: September 23, 2020, 04:14:00 pm »
I would say the "best way" is to make it work like you want it to in your environment. Lots of variables. Are you using both IPv4 and IPv6? Where does the pihole exist and what security do you need/desire for the different hosts and VLANs? Do you want NAT rules to reroute DNS requests heading outbound bypassing pihole? There are so many things you can do, I don't think there's a best way. You might try one of the guides and see what issues you run into; there are plenty out there.
HP T730/AMD RX-427BB/8GB/500GB SSD
HP NC365T 4-PORT
N0_Klu3
Jr. Member
Posts: 93
Karma: 2
Re: PiHole Best setup?
« Reply #2 on: September 23, 2020, 05:17:13 pm »
Thanks bud.
1) I'd like to create a rule so that all DNS goes through Pihole.
2) Pihole is on my Lan as 10.0.0.250
3) I have IPv6 enabled on my WAN (Zen UK) but not really using it on my LAN/internal networks
The lots of variables is what has me stumped. I'm looking for the cleanest/best way to use Pihole on my network with OPNSense.
I currently have it set up for LAN/IOT/Guest to use DHCPv4 DNS 10.0.0.250.
On Pihole I have DNS set to custom 1 Upstream DNS Servers set to 10.0.0.1 (OPNSense) only, no other DNS.
In System: Settings: General I have DNS servers set to 1.1.1.1 and 1.0.0.1
This is my Unbound DNS
I haven't set any rules yet to redirect all DNS requests. Just wanna make sure I've got a good, stable and proper setup first.
gpb
Full Member
Posts: 234
Karma: 13
Re: PiHole Best setup?
« Reply #3 on: September 23, 2020, 05:31:40 pm »
Here I have pihole configured to use cloudflare via DoH so it's a direct outbound request, not via OPNsense DNS. Info here:
https://docs.pi-hole.net/guides/dns-over-https/
The solution of routing port 53 requests NOT originating from pihole was discussed a couple weeks ago here (last post summarizes a solution):
https://forum.opnsense.org/index.php?topic=18834.0
Also, cloudflare has 1.1.1.2 and 1.0.0.2 servers that filter known malware sites. See here, half way down the page if interested:
https://blog.cloudflare.com/introducing-1-1-1-1-for-families/
HP T730/AMD RX-427BB/8GB/500GB SSD
HP NC365T 4-PORT
N0_Klu3
Jr. Member
Posts: 93
Karma: 2
Re: PiHole Best setup?
« Reply #4 on: September 23, 2020, 05:33:06 pm »
Thanks, what is your PiHole setup?
Do you have Upstream DNS Servers set to your router?
In Unbound, do you have it enabled if you're using pihole for DNS itself?
gpb
Full Member
Posts: 234
Karma: 13
Re: PiHole Best setup?
« Reply #5 on: September 23, 2020, 05:39:32 pm »
Pihole here does all DNS requests. I route requests from pihole via HTTPS (encrypted) direct to cloudflare (via local cloudflared daemon...previously linked). I use unbound on OPNsense only for resolving local host names. So I have forwarding mode unchecked. In services, dhcpv4 I have my piholes defined as dns, in radvd I have the same pihole ipv6 addresses specified (only for LAN, not VLANs...VLANs don't have ipv6 enabled here).
HP T730/AMD RX-427BB/8GB/500GB SSD
HP NC365T 4-PORT
N0_Klu3
Jr. Member
Posts: 93
Karma: 2
Re: PiHole Best setup?
« Reply #6 on: September 23, 2020, 05:40:35 pm »
Just followed that install for Cloudflare DoH, thanks!
Let's see how I get on. Really very much appreciate your help.
littlepepper
Jr. Member
Posts: 55
Karma: 0
Re: PiHole Best setup?
« Reply #7 on: September 23, 2020, 10:32:10 pm »
I use unbound + stubby on my pihole because, as much as I like Cloudflare, I don't trust it 100%. Stubby is in the Linux repository, so updating is easier vs dns crypt or cloudflared. I have it set up so Unbound does DOH, stubby does DOT.
Remember, once you have set up the pihole, add the !pihole IP to your NAT redirection.
« Last Edit: September 23, 2020, 10:40:33 pm by littlepepper »