how to use pihole as upstream DNS w/o losing client info

Started by tessus, August 06, 2025, 12:04:30 AM

I am currently using a pihole that my clients use directly (DNS assigned via DHCP or set statically). To get the internal DNS names (ISC DHCP and Unbound), I've set up conditional forwarding on my pihole. This works nicely, but in certain situations a loop might occur, although I was able to configure it in a way that this almost never happens.

I really would like to change the setup (to mitigate possible DNS loops and simplify the architecture) in such a way that all my clients use OPNsense's DNS and my pihole is then used as the upstream server (System -> Settings -> General).

However, this makes all requests appear to be coming from OPNsense's IP address(es). This is a serious problem, because pihole's group and client group management no longer works. (For people who are not familiar with pihole: this basically means that I cannot create rules (blocking/allowing DNS requests) based on clients. e.g. I have blocked FB and other social media, but I allow it for my friend's laptop and cellphone.)

I am just wondering how people are using pihole in their home environment with OPNsense? Is there maybe a hidden flag, so that client IPs are forwarded (similar to forwarding real IPs in reverse-proxy setups)?
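The symptom described in this post (every query reaching pihole carries the firewall's source address once OPNsense is the forwarder) is visible in the query log. The following is an added example, not code from the thread or from the Pi-hole project: it parses dnsmasq-style query lines of the form Pi-hole writes (`query[A] name from client`; the exact log path and format are an assumption), counts queries per client, and reports how large a share belongs to the forwarder's IP. When that share approaches 100%, per-client group policy cannot work, because pihole has no client to match. The sample lines and the address 192.168.1.1 are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in dnsmasq / Pi-hole query-log format (not real logs).
# 192.168.1.1 stands in for the OPNsense address seen when it forwards upstream.
SAMPLE_LOG = """\
Aug  6 12:04:30 dnsmasq[1234]: query[A] www.facebook.com from 192.168.1.1
Aug  6 12:04:31 dnsmasq[1234]: query[AAAA] www.facebook.com from 192.168.1.1
Aug  6 12:04:32 dnsmasq[1234]: query[A] opnsense.org from 192.168.1.1
Aug  6 12:04:33 dnsmasq[1234]: forwarded opnsense.org to 9.9.9.9
Aug  6 12:04:34 dnsmasq[1234]: query[A] pi-hole.net from 192.168.1.1
Aug  6 12:04:35 dnsmasq[1234]: query[A] example.org from 192.168.1.50
"""

# Only "query[...] <name> from <client>" lines carry a client address;
# "forwarded", "cached" and "reply" lines are skipped on purpose.
QUERY_RE = re.compile(r"query\[[A-Z0-9]+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def client_counts(log_text):
    """Count queries per client address found in the log text."""
    counts = Counter()
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if match:
            counts[match.group("client")] += 1
    return counts


def forwarder_share(log_text, forwarder_ip):
    """Fraction of all queries whose client field is the forwarder's address."""
    counts = client_counts(log_text)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return counts[forwarder_ip] / total


def per_client_policy_effective(log_text, forwarder_ip, threshold=0.9):
    """False when (nearly) every query is attributed to the forwarder.

    In that state pihole's group / client-group rules have nothing to
    match on, which is exactly the problem raised in the thread.
    """
    return forwarder_share(log_text, forwarder_ip) < threshold


def summarize(log_text, forwarder_ip):
    """Human-readable report of the client distribution."""
    counts = client_counts(log_text)
    lines = [f"{ip}: {n} queries" for ip, n in counts.most_common()]
    share = forwarder_share(log_text, forwarder_ip)
    lines.append(f"share from forwarder {forwarder_ip}: {share:.0%}")
    if not per_client_policy_effective(log_text, forwarder_ip):
        lines.append("per-client policy is NOT effective: clients are hidden behind the forwarder")
    return "\n".join(lines)


if __name__ == "__main__":
    # To check a real installation, read the log file instead of SAMPLE_LOG,
    # e.g. open("/var/log/pihole/pihole.log").read() (path is an assumption).
    print(summarize(SAMPLE_LOG, "192.168.1.1"))
```

Run it against the actual log of a pihole that OPNsense forwards to; if the forwarder's address dominates the counts, the group-management rules cannot distinguish the friend's laptop from any other device, regardless of how the groups are configured.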

You can run AdGuard Home directly on OPNsense which can apply pretty much the same granular policies as Pihole. And save one extra device and some electricity, possibly.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Interesting proposal. I have never used AdGuard Home and have to do some research about how to transfer my pihole setup (the client groups). Creating them manually in AdGuard Home might be quite taxing (but is something I would still consider).
My pihole (which is actually a keepalived cluster) would still be running either way, because I am using those 2 Pis also for an active-active LDAP cluster. Thus I wouldn't be saving any electricity, but the architecture would be less complex, which is always a plus.

However, I am not quite sure how AdGuard ties into the OPNsense upstream. If OPNsense forwards to AdGuard, it's the same issue as with pihole (client IPs are masked). If AdGuard forwards internal requests to OPNsense's DNS, it's also the same as conditional forwarding on pihole. I have to read up on it. Currently I have no idea how this works.

Thanks again for the idea. I will certainly check it out.

August 06, 2025, 07:00:43 PM #3 Last Edit: August 06, 2025, 07:11:28 PM by coffeecup25
I have used pihole and currently use Adguard Home.

For pihole, I had a plainly set-up router and pointed the DNS server on the DHCP page at the pihole server. Pihole had the actual DNS servers noted in its configuration. This is also how you set up a retail router. It should work perfectly the first time as long as your PC or other device is rebooted or you use ipconfig to reset the DNS servers it uses. Adguard Home for Windows would set up the same way.

You made it sound like you have other changes in your router. Pihole only needs a simple config to work.

Adguard Home on OPNsense is a little tricky to set up with respect to the DNS port coordination between Adguard Home and unbound. Set unbound to listen to port 5353. Adguard Home set up to listen to port 53. Point Adguard Home DNS server to your router (assume 192.168.1.1:5353) if unbound is changed to listen to 5353. Change Unbound to 5353 BEFORE configuring Adguard Home, otherwise they will fight each other and AdguardHome.yaml is a pain to edit.

pihole and Adguard Home both show client IP clearly in their logs. I didn't understand the ancillary setup you did on the routers. That might be causing the problem.

Not all internet instructions are good. Watch a few before picking the one you want.

Quote from: tessus on August 06, 2025, 12:43:48 AM
However, I am not quite sure how AdGuard ties into the OPNsense upstream. If OPNsense forwards to AdGuard, it's the same issue as with pihole (client IPs are masked). If AdGuard forwards internal requests to OPNsense's DNS, it's also the same as conditional forwarding on pihole. I have to read up on it. Currently I have no idea how this works.

You bind AGH to your OPNsense's interfaces, port 53 and Unbound to e.g. 53530. Then have AGH forward to Unbound. Full client visibility in AGH, filtering in AGH, local domains in Unbound, recursion in Unbound.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thank you. I have also read up on that topic, but there are a few drawbacks. I would have to activate a community repo to install the AdGuard plugin. Then there is the fact that local queries are also forwarded to Unbound, so it is the same flow as my current architecture. The only difference being both services running on the same machine. As mentioned in my first post, I would rather use local address resolution first and then use pihole/adguard/whatever as upstream. But this is apparently only possible if one accepts that conditional blocking won't work upstream since all requests will come from the same IP.
Additionally the configuration of AdGuard is not done via the OPNsense UI, so I also have to use a separate UI for it as it is with pihole.

I do not see any advantage moving to this architecture over sticking with my current setup (other than having the services on a single box). In fact using NAT to redirect all DNS requests of clients, which try to use another DNS, to my pihole is easier, because I only have to create one rule instead of one for each VLAN or DHCP interface.

I've also learned of the possibility to add blocklists to Unbound, but then there is no way to whitelist domains for specific clients. Otherwise I could have dropped pihole/Adguard altogether and just used Unbound.

Maybe this is off-topic, but I think it's related or at least touches DNS: While reading the documentation I've noticed a few confusing and in my opinion wrong statements. There is an important message box that states the following: Domain overrides has been superseded by Query Forwarding.
Hmmm, what? I use domain overrides to add custom DNS records and aliases. This cannot be done via query forwarding. With that the above statement is false. You cannot supersede something if the new thing does something completely different. This makes no sense.

August 06, 2025, 09:49:39 PM #6 Last Edit: August 06, 2025, 09:52:21 PM by coffeecup25
Quote from: tessus on August 06, 2025, 09:35:12 PM
Thank you. I have also read up on that topic, but there are a few drawbacks. I would have to activate a community repo to install the AdGuard plugin. Then there is the fact that local queries are also forwarded to Unbound, so it is the same flow as my current architecture. The only difference being both services running on the same machine. As mentioned in my first post, I would rather use local address resolution first and then use pihole/adguard/whatever as upstream. But this is apparently only possible if one accepts that conditional blocking won't work upstream since all requests will come from the same IP.
Additionally the configuration of AdGuard is not done via the OPNsense UI, so I also have to use a separate UI for it as it is with pihole.

I do not see any advantage moving to this architecture over sticking with my current setup (other than having the services on a single box). In fact using NAT to redirect all DNS requests of clients, which try to use another DNS, to my pihole is easier, because I only have to create one rule instead of one for each VLAN or DHCP interface.

I've also learned of the possibility to add blocklists to Unbound, but then there is no way to whitelist domains for specific clients. Otherwise I could have dropped pihole/Adguard altogether and just used Unbound.

Maybe this is off-topic, but I think it's related or at least touches DNS: While reading the documentation I've noticed a few confusing and in my opinion wrong statements. There is an important message box that states the following: Domain overrides has been superseded by Query Forwarding.
Hmmm, what? I use domain overrides to add custom DNS records and aliases. This cannot be done via query forwarding. With that the above statement is false. You cannot supersede something if the new thing does something completely different. This makes no sense.


You are greatly overcomplicating a rather simple situation. Installing Adguard Home into OPNsense is a little complicated with regard to coordinating DNS ports. It is exceptionally simple to use any router software or retail router in conjunction with separate pihole or Adguard Home servers in the same LAN. Local IP addresses tag along by default.

Best Wishes.