[SOLVED] Clean install and new to OPNSense: DNS related question

Started by hakuna, February 18, 2021, 01:25:35 AM

Hi guys,

I am very happy to have this piece of art running on my network, but I have a few questions driving me nuts.


  • DNS: I have 2x RP4 running Pi-Hole + Unbound recursive DNS and I wanna keep it that way, as it is easier to connect a backup router and voila. The only way to make it work is by adding my router IP address under Pi-Hole DNS Upstream. I have no guarantee that things are indeed being passed to Pi-Hole. The logs are alive, but who knows?
  • Why can't I just have both Pi-Holes doing their thing without having OPNSense Unbound?
  • I did set the DHCP to use both Pi-Holes as DNS, but again, who knows??
  • System > Settings > General has both Pi-Holes there. If I understood it right, OPNSense will forward any port 53 traffic to them. Why this loop??? DNS goes to Pi-Hole, then it's forwarded to OPNSense, which then forwards to Pi-Hole again. WTF  :o
  • If I set OPNSense Unbound to disabled, I cannot get out. Why?? If both Pi-Holes are set to OPNSense as the gateway
  • Xbox: My biggest issue, I cannot play!!! Reading some blogs, I need to give it a static lease, then create a firewall outbound rule. But it does not allow me to add a single IP address, only the whole network, and I get NAT strict on Xbox. At least I can play, but this doesn't seem secure since any device within the private network can call whatever it wants. I need to find a solution for this ASAP. Gaming is like religion  :)

Once I have this solved, I need to jump to IoT devices with hardcoded DNS. My TV has Google DNS hardcoded, and I only found out thanks to Sensei.

Thank you so much guys for any help :)

Why don't you set Pi-hole to use 1.1.1.1 as a forwarder instead of your OPNsense firewall, and ensure the Pi-hole machine is allowed out to 1.1.1.1 on port 53?

Pi-Hole is running recursive DNS. I don't need to use a third-party upstream for that.
No Google, no OpenDNS, no IBM. It calls all 13 root nameservers and that is it.

I just wanna make them the only DNS servers on my network, as they were before running OPNSense.
Just like I do with OpenWRT, for example. No DNS should be redirected anywhere else.

February 18, 2021, 02:24:51 AM #3 Last Edit: February 18, 2021, 02:44:04 AM by Greelan
I have a similar setup. Pihole and unbound running on a separate box, with unbound configured as a recursive resolver.

In my case I have put the pihole/unbound box IP (v4 and v6) under System/Settings/General, and checked the box to disable the local DNS as a nameserver. But I don't have unbound or any other resolver running on OPNsense anyway. I have also disabled DNS rebinding protection on OPNsense as that was preventing local name resolution from pihole (unbound itself gives me that protection for external resolution). And I have made sure I have firewall rules to allow all VLANs to reach the pihole/unbound box.

That's it, and it works.

Configured this way OPNsense passes out the pihole/unbound IPs as DNS nameservers, via DHCP for IPv4 and (in my case) RA/RDNSS for IPv6, to all local clients. No need to configure anything specifically for those services as they pick up the system setting if nothing specific is configured.

Quote from: Greelan on February 18, 2021, 02:24:51 AM
I have a similar setup. Pihole and unbound running on a separate box, with unbound configured as a recursive resolver.

In my case I have put the pihole/unbound box IP (v4 and v6) under System/Settings/General, and checked the box to disable the local DNS as a nameserver. But I don't have unbound or any other resolver running on OPNsense anyway. I have also disabled DNS rebinding protection on OPNsense as that was preventing local name resolution from pihole (unbound itself gives me that protection for external resolution). And I have made sure I have firewall rules to allow all VLANs to reach the pihole/unbound box.

That's it, and it works.

Configured this way OPNsense passes out the pihole/unbound IPs as DNS nameservers, via DHCP for IPv4 and (in my case) RA/RDNSS for IPv6, to all local clients. No need to configure anything specifically for those services as they pick up the system setting if nothing specific is configured.

You are a saviour  8)
I did follow your steps, but I was still without internet.
Then I realised my routers use 192.168.1.1 and I had set OPNSense to 192.168.1.2 to reduce the downtime if things didn't work.
Then I also realised my Pi-Holes' gateway was set as 192.168.1.1.
That is why they would only work after adding OPNSense as Upstream.

Man, I am feeling so damn stupid right now.

Now, I just need to test my Xbox again, it should work now. I could not even log in yesterday haha
Otherwise, I still have a big problem.

Thank you so much for the help, you made me realise the problem was in front of the keyboard  ;D


Problem solved.

My Pi-Holes are the only DNS server, everything trying to bypass it is blocked by the firewall and redirected to Pi-Hole, including DNS-over-HTTPS and DNS-over-TLS.

I got OPEN Nat on my Xbox without having UPnP installed.

Quote from: whiiiskyy on February 19, 2021, 02:12:13 AM
... everything trying to bypass it is blocked by the firewall and redirected to Pi-Hole, including DNS-over-HTTPS

Hmmm, how do you achieve this?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....


Probably by using Sensei. You can tick an option, I think, as Sensei maintains a blocklist of DoH IP addresses and ports.


Not perfect - relies on the DNS server list being comprehensive - but better than nothing I guess

I don't know how to tag a user here lol

For those who asked, I followed this page: https://labzilla.io/blog/force-dns-pihole

Everything is working like a charm; well, only my smart TV is being a pain in the ass and is still somehow able to bypass the firewall.
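As an added example (not code from this thread or from the linked guide), here is a small detector that reads a flow log and flags any client that talks plain DNS, DNS-over-TLS, or a listed DNS-over-HTTPS endpoint without going through the Pi-holes, which is the kind of check that would show a smart TV with hardcoded Google DNS. The Pi-hole addresses, the simplified key=value log format and the DoH endpoint list are all constructed assumptions; the DoH part is only as good as that list, exactly the limitation raised earlier in the thread.

```python
"""Flag LAN clients that bypass the designated Pi-hole resolvers."""
import re
from collections import defaultdict

# Assumed addresses for the two Pi-hole boxes (constructed, not from the thread).
PIHOLE_RESOLVERS = {"192.168.1.10", "192.168.1.11"}

# DoH can only be spotted if the endpoint is on a curated list (constructed, partial).
KNOWN_DOH_ENDPOINTS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}

# Constructed sample: a simplified outbound-flow log, not OPNsense's filterlog format.
SAMPLE_FLOWS = """\
src=192.168.1.50 dst=192.168.1.10 proto=udp dport=53
src=192.168.1.77 dst=8.8.8.8 proto=udp dport=53
src=192.168.1.77 dst=8.8.8.8 proto=tcp dport=853
src=192.168.1.77 dst=1.1.1.1 proto=tcp dport=443
src=192.168.1.50 dst=93.184.216.34 proto=tcp dport=443
src=192.168.1.60 dst=192.168.1.11 proto=tcp dport=53
"""

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")


def classify(dst, proto, dport):
    """Return a finding label for one flow, or None if it is expected traffic."""
    if dport == 53:
        # Plain DNS (udp or tcp) is fine only when it goes to a Pi-hole.
        return None if dst in PIHOLE_RESOLVERS else "plain-dns-bypass"
    if dport == 853 and proto == "tcp":
        return "dot-bypass"  # DNS over TLS never reaches the Pi-holes
    if dport == 443 and dst in KNOWN_DOH_ENDPOINTS:
        return "possible-doh"  # undetectable for endpoints missing from the list
    return None


def find_bypassing_clients(log_text):
    """Map each offending source IP to the sorted list of finding labels seen."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        label = classify(dst, proto, dport)
        if label:
            findings[src].add(label)
    return {src: sorted(labels) for src, labels in findings.items()}


if __name__ == "__main__":
    for src, labels in find_bypassing_clients(SAMPLE_FLOWS).items():
        print(f"{src}: {', '.join(labels)}")
```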

Quote from: Greelan on February 20, 2021, 12:23:50 AM
Not perfect - relies on the DNS server list being comprehensive - but better than nothing I guess

If you don't mind me asking, which approach are you using to deal with this problem?
Thanks

No problem. I don't do anything at the moment - that is something on my list! The guide you linked looks useful, so thanks.

My comment was just an observation that with DoH the solution is necessarily only as good as the DNS list.