PfSense DNS Resolver with PiHole DNS forwarder for network-wide ad-blocking


DNS Resolver vs DNS Forwarder

DNS forwarders do exactly what they say on the tin: they forward the request to another DNS resolver or forwarder.

  • Who has google.com? -> 1.1.1.1
  • 1.1.1.1 -> google.com is at 216.58.213.110

DNS resolvers are different: they ask the root DNS servers for the name servers of the TLD, then traverse down the hierarchy until they reach the server that is authoritative for the name. To take the example from the Netgate forum:

  • Hey root servers who is NS for .com
  • Hey .com NS who is NS for domain.com
  • Hey domain.com NS what is IP of www.domain.com

Running your own DNS resolver gives you much more control over your DNS, and you can use DNSSEC to validate the responses you receive.
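To make the difference concrete, here is a toy iterative resolver (an added example, not code from the original post or from pfSense/Unbound). It walks the delegation chain root -> .com -> domain.com exactly as in the list above, and a forwarder is shown beside it for contrast. All zone data, server addresses and the root hint are constructed for the example.

```python
"""Toy iterative resolver, added as an example (not part of the original post)
to show how a resolver walks root -> TLD -> zone, while a forwarder just
relays the whole question to one upstream.  All data below is constructed."""

# Constructed authoritative data, one entry per zone.  A zone either holds the
# answer (A record) or delegates a child zone (NS name + glue address).
ZONES = {
    ".": {
        "NS": {"com.": "a.gtld-servers.example."},
        "glue": {"a.gtld-servers.example.": "192.0.2.1"},
    },
    "com.": {
        "NS": {"domain.com.": "ns1.domain.com."},
        "glue": {"ns1.domain.com.": "192.0.2.2"},
    },
    "domain.com.": {
        "A": {"www.domain.com.": "192.0.2.10"},
    },
}
ROOT_SERVER = "198.41.0.4"  # constructed stand-in for a root hint
SERVER_ZONE = {ROOT_SERVER: ".", "192.0.2.1": "com.", "192.0.2.2": "domain.com."}


def query_authoritative(server_ip, qname):
    """Simulate one round trip to an authoritative server.

    Returns ("answer", ip), ("referral", child_server_ip) or ("nxdomain", None)."""
    zone = ZONES[SERVER_ZONE[server_ip]]
    if qname in zone.get("A", {}):
        return "answer", zone["A"][qname]
    for child, ns_name in zone.get("NS", {}).items():
        if qname == child or qname.endswith("." + child):
            return "referral", zone["glue"][ns_name]
    return "nxdomain", None


def resolve_iteratively(qname, max_hops=10):
    """What a resolver does: start at the root and follow referrals downwards.

    Returns (address_or_None, trail); trail lists (zone, result) for every
    server consulted, so the root -> TLD -> zone walk is visible."""
    if not qname.endswith("."):
        qname += "."
    server, trail = ROOT_SERVER, []
    for _ in range(max_hops):
        kind, data = query_authoritative(server, qname)
        trail.append((SERVER_ZONE[server], kind))
        if kind == "answer":
            return data, trail
        if kind == "nxdomain":
            return None, trail
        server = data  # follow the referral to the child zone's server
    raise RuntimeError("too many referrals for %s" % qname)


def forward(qname, upstream=resolve_iteratively):
    """What a forwarder does: hand the whole question to one upstream and relay
    its answer; it never talks to the root or TLD servers itself."""
    address, _trail = upstream(qname)
    return address, [("upstream", "answer" if address else "nxdomain")]


if __name__ == "__main__":
    for name in ("www.domain.com", "mail.domain.com"):
        print("resolver :", name, resolve_iteratively(name))
        print("forwarder:", name, forward(name))
```

The trail returned by resolve_iteratively is the point: the resolver itself visits the root, the .com servers and then domain.com's servers, whereas the forwarder's trail is a single hop to whatever upstream it trusts, which is why DNSSEC validation and qname minimisation belong on the resolver.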

Why PfSense and PiHole?

PiHole enables network-wide DNS blocking and is an incredible ad-blocker. It is possible to set up PiHole with a local Unbound resolver running on the same host, but I wanted to keep these services separate.

PfSense Resolver Setup

This guide will step through setting up PfSense as a DNS resolver (with Unbound), with PiHole as the network DNS server forwarding requests to the PfSense resolver. It will also enable the resolution of hostnames on your local domain. It assumes you already have PiHole and PfSense set up.

PfSense

First, let's set up the domain name in the general settings, then enable the DNS resolver:

System -> General

  • Hostname of router: pfsense
  • Domain : ma.ax

Services -> DNS Resolver -> General Settings

  • Enable DNS Resolver
  • Network interfaces: LAN, LAN IPv6, Localhost (Not WAN, we don’t want an open resolver)
  • Outgoing Network Interfaces: WAN
  • DHCP Registration: True
  • Static DHCP: True
  • OpenVPN Clients: True (Not required if you’re not using OpenVPN)

The next steps are optional, but they will improve your general DNS security. I'd recommend reading up on these settings before changing them; they're quite interesting.

Services -> DNS Resolver -> Advanced Settings

  • Query Name Minimization : True - Info
  • Prefetch Support : True
  • Prefetch DNS Key Support : True
  • Harden DNSSEC Data : True
  • Message Cache Size : 10M
  • Unwanted Reply Threshold : 10 million
  • Experimental Bit 0x20 Support : True - Info
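The pfSense pages above write an unbound.conf behind the scenes, and the two lists (the interface binding in General Settings and the hardening options in Advanced Settings) map onto a handful of Unbound options. The script below is an added example, not code from the original post or from pfSense: it parses a small server: fragment and flags anything that deviates from the checklist, so the weak configuration and the corrected one can be compared side by side. Both config fragments are constructed, and the WAN address 203.0.113.5 is a placeholder assumption.

```python
"""Audit an Unbound `server:` fragment against the pfSense checklist above.

Added example, not part of the original post or of pfSense.  Both config
fragments are constructed; 203.0.113.5 is a placeholder WAN address."""
import re

# Constructed "before": listens on every address (WAN included) and leaves the
# hardening options off or unset.
WEAK_CONF = """
server:
    interface: 0.0.0.0
    interface: ::0
    qname-minimisation: no
    prefetch: no
    harden-dnssec-stripped: no
    unwanted-reply-threshold: 0
"""

# Constructed "after", matching the post: LAN + localhost only, no WAN, and
# every hardening option from the Advanced Settings list enabled.
HARDENED_CONF = """
server:
    interface: 10.0.0.1
    interface: 127.0.0.1
    interface: ::1
    qname-minimisation: yes
    prefetch: yes
    prefetch-key: yes
    harden-dnssec-stripped: yes
    msg-cache-size: 10m
    unwanted-reply-threshold: 10000000
    use-caps-for-id: yes
"""

# pfSense label -> unbound.conf option that must be "yes".
REQUIRED_YES = {
    "Query Name Minimization": "qname-minimisation",
    "Prefetch Support": "prefetch",
    "Prefetch DNS Key Support": "prefetch-key",
    "Harden DNSSEC Data": "harden-dnssec-stripped",
    "Experimental Bit 0x20 Support": "use-caps-for-id",
}
WILDCARD_BINDS = {"0.0.0.0", "::", "::0"}  # bind-everything addresses


def parse_unbound(text):
    """Collect `option: value` lines into {option: [values]}.

    Clause headers such as `server:` have no value and are skipped; a `#`
    starts a comment, as in unbound.conf."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([\w-]+):\s*(.+)$", line)
        if m:
            options.setdefault(m.group(1), []).append(m.group(2).strip())
    return options


def audit_unbound(text, wan_addresses=("203.0.113.5",)):
    """Return a list of findings; an empty list means the fragment matches the checklist."""
    opts = parse_unbound(text)
    findings = []
    # General Settings: never listen on WAN, otherwise you run an open resolver.
    for addr in opts.get("interface", []):
        if addr in WILDCARD_BINDS or addr in wan_addresses:
            findings.append("interface %s reachable from WAN (open resolver risk)" % addr)
    # Advanced Settings: each hardening option must be present and "yes".
    for label, option in REQUIRED_YES.items():
        if opts.get(option, ["no"])[-1] != "yes":
            findings.append("%s (%s) is not enabled" % (label, option))
    # Unwanted Reply Threshold: the post uses 10 million.
    threshold = int(opts.get("unwanted-reply-threshold", ["0"])[-1])
    if threshold < 10_000_000:
        findings.append("unwanted-reply-threshold %d is below 10 million" % threshold)
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit_unbound(conf) or "OK")
```

The interface check is the one worth keeping in mind: Unbound's access-control list also decides who may query, but binding only to LAN and localhost means a mistake there cannot turn the box into an open resolver on the WAN side.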

PiHole

Time to change some PiHole settings and set the upstream DNS servers to be PfSense.

Settings -> DNS

  • Upstream DNS servers
    • Custom 1 (IPv4) : 10.0.0.1
    • Custom 3 (IPv6) : {router IPv6} (if you’re using IPv6)

PfSense

Next, change the DNS servers for the general setup and the LAN interface.

System -> General Setup

  • DNS Servers : 10.0.0.3 (PiHole IP)

Services -> DHCP Server -> LAN

  • Servers -> DNS Servers : 10.0.0.3
  • Other Options -> Domain name : ma.ax

To get hostnames registered in the DNS server, we need to force new DHCP leases by bringing the network down and back up. The simplest way is to reboot the router (or unplug and replug the LAN interface).

  • Diagnostics -> Reboot

PiHole

Finally, we need to set up the HTTP server on the PiHole to accept HTTP requests for the new hostname.domain. If we try to open hostname.domain (in my case pihole.ma.ax) it fails with this message:

[Image: PiHole error page]

So, we need to edit the lighttpd settings to match the new host:

sudo nano /etc/lighttpd/external.conf

$HTTP["host"] == "pihole.ma.ax" {
    server.document-root = "/var/www/html/admin/"
}

[Image: PiHole admin page served at pihole.ma.ax]

And we’re done!
