Help with DNS Settings

[ptmy305]

I'm running opnsense version 24.1.2

I set DNS in: system->settings->general->DNS Servers to 9.9.9.9
I then set in DHCPv4 for my LAN interface in: service->ISC DHCPv4->LAN->ip of Pi-hole server

I can access the internet routing DNS requests through my pi-hole server without issues.  If I shut down the pi-hole server, I expected DNS access to revert to the general setting and send requests to 9.9.9.9.  But this didn't happen.  Instead, I'm unable to access the internet at all when the Pi-hole server is down.  I tried putting 9.9.9.9 after the pi-hole's ip address in service->ISC dhcpv4-LAN.  That didn't work either.

The behavior I want to setup is: use pi-hole as DNS if available.  If Pi-hole server is down, then use 9.9.9.9.  What's the proper way to do this?

[Patrick M. Hausen]

The behavior I want to setup is: use pi-hole as DNS if available.  If Pi-hole server is down, then use 9.9.9.9.  What's the proper way to do this?

There is no setup that achieves this. If you hand out more than one DNS server to a client's resolver library, it will always try them in round-robin or random fashion.

You can replace Pihole with the AdGuard Home plugin on OPNsense. If the firewall is down, external DNS won't work, either.

[gspannu]

The behavior I want to setup is: use pi-hole as DNS if available.  If Pi-hole server is down, then use 9.9.9.9.  What's the proper way to do this?

There is a way to achieve exactly this… Here is a brief tutorial.

1) Remove all DNS entries from your DHCP interfaces, leave these blank - so all your clients will just pick up the address of the router.

2) Disable Unbound [we will use dnsmasq instead]

3) System>Settings>General
DNS Servers:
<IP of Pi-Hole>
<1.1.1.1>
<8.8.8.8>
<or whatever DNS you wish to use>
The order is important as dnsmasq will use them in the sequence you have put them.
Since, PiHole is the first one, it will use that first and only if unavailable, use the next and so on…

Ensure that Allow DNS server list to be overridden by DHCP/PPP on WAN is DISABLED

4) A bit of manual editing of files.
ssh into OPNsense:
Create a configuration file in the /usr/local/etc/dnsmasq.conf.d folder
e.g. sudo nano usr/local/etc/dnsmasq.conf.d/99-pihole.conf
Add the below 3 lines to the file and save the file

Code: [Select]

add-mac
add-subnet=32
strict-order
5) Go back to OPNsense GUI

7) Go to Services > dnsmasq
Enable dnsmasq…

And you should have your expected behaviour…

To test it… send a few queries from your clients; and you should see the logs in PiHole. Turn off PiHole and you should see that clients can still resolve all queries.

[Patrick M. Hausen]

That's interesting and thanks for the write-up. But if you use your OPNsense as the central "DNS query dispatcher", why not run AGH on the firewall and have a way simpler setup?

[ptmy305]

To gspannu:  Thank you.  I'll give that a try tonight.

To Patrick Hausen:  Just to make sure I understand your reply and also to get a better understanding of how DNS works in opnsense, I have a couple of follow-up questions:

1) in Service->ISC DHCPv4->LAN->DNS Servers, if I set pi-hole's ip address on the first line, followed by 9.9.9.9 on the 2nd line, why wouldn't DHCP clients go to pihole first, and if pi-hole is unavailable, go to Quad 9?

2) If I leave both DNS and Gateway blank in the DHCPv4 area, would DHCP clients automatically go to opnsense and pick up the DNS setting from System->Settings->general?  If yes, and if I set pi-hole as the 1st DNS address and 9.9.9.9 as the 2nd there, would the client first use pihole, and if not available use 9.9.9.9?

[gspannu]

That's interesting and thanks for the write-up. But if you use your OPNsense as the central "DNS query dispatcher", why not run AGH on the firewall and have a way simpler setup?

Different people run different systems, to each their own.

I have run PiHole separately, used Unbound ad-blocking, also AGH on the OPNsesne router… and my current setup is running Blocky DNS on the OPNsense router itself.
I found that Blocky DNS gave me a lot more control of the pre-fetch cache and now my query resolution is really quick.

Just finished writing a plugin for Blocky DNS…

[gspannu]

A quick related question…

Is there any way to get Unbound to use strict-order (i.e. use the DNS servers in the order specified rather than round-robin).

I know that dnsmasq has this feature (strict-order) but is there any way to configure Unbound to have the same behaviour?