Setup Pihole To Work With Pfsense

pfsensepfsense

Overview

note
  • I'm assuming you already setup Pihole in either:
  • I'm assuming you already setup Pfsense in either:
    • Bare Hardware Instructions
    • Netgate appliance (it's preconfigured for Pfsense from the start)

How to configure Pihole, to send traffic to Pfsense

  • Pihole, Dashboard, Settings, DNS tab

First setting

  • In Upstream DNS, disable all
    • Reason for disabling is because Pfsense will be doing this job now

Second setting

  • Enable Custom 1 (IPv4)
    • Type: 192.168.1.1 (IP of my pfsense)

Third setting

  • Under Interface listening behavior
    • Select: Listen only on interface ens160
    • Caution: If you set Listen on all interfaces, your Pihole won't work.

Fourth setting

  • Enable Use Conditional Forwarding
    • IP of your Router: 192.168.1.1 (which is the IP of pfsense)
      • This helps Pihole to show hostnames instead of IPs.
    • Local Domain Name: mylocal (which we setup in pfsense earlier)
      • This helps Pihole to show hostnames instead of IPs.

How to configure Pfsense, to accept traffic from Pihole

  • Pfsense, Dashboard, System, General Setup
    • Under System:
      • Hostname: pfsense (in my case)
      • Domain: mylocal (you can use anything else, it's up to you)

  • Under DNS Servers
    • Make sure you see only Public DNS servers like:
      • 1.1.1.1 (for Cloudflare)
      • 9.9.9.9 (for Quad9)
      • 8.8.8.8 (for Google)
      • The order doesnt matter, as Pfsense will send requests to multiple servers and whoever is fastest will respond.
      • DNS Server Overrride make sure this is disabled
        • since your ISP's DNS servers most likely won't have DNS-over-TLS.
        • also, do you really want to use your ISP DNS servers? not me!

  • Pfsense, Dashboard, Services, DHCP Server, LAN
    • Under Servers, subsection DNS Servers, type in 192.168.222 (IP of my Pihole)
    • Leave all other DNS servers blank.

  • Pfsense, Dashboard, Services, DNS Resolver, DNS Settings, under General DNS Resolver Options:
    • Enable: DNSSEC
      • DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records.
      • If you care about security and privacy, enable it.
    • Enable: Enable Forwarding Mode
      • Will change from port 53 (default non-secure DNS queries) to port 853 (secure DNS-over-TLS queries)
    • Enable: Use SSL/TLS for outgoing DNS Queries to forwarding servers
      • Will change from port 53 (default non-secure DNS queries) to port 853 (secure DNS-over-TLS queries)
    • Enable: Register DHCP leases in the DNS Resolver
      • This helps Pihole to show hostnames instead of IPs.
    • Enable: Register DHCP static mappings in the DNS Resolver
      • This helps Pihole to show hostnames instead of IPs.

Conclusion