Pi-hole and OPNsense blog post

@DanSchaper great article https://pi-hole.net/2021/09/30/pi-hole-and-opnsense, thanks for publishing this.

I also have pfSense and use Pi-hole in a slightly different configuration. I provide my Pi-hole IP address in the DHCP offer, and use conditional forwarding.

Can you help me understand the difference between the two approaches? Is one more or less secure? Just trying to understand the trade-offs.

Thanks.

Thanks for the kind words.

The goal should be the primary concern with this. If you have a setup that works for you and does what you need then you are good to go.

This guide shows you a different way to use the existing features. There may be other requirements or needs that lend themselves to my style of setup.

  • You may want to have high availability set up and let the router decide on how to forward the traffic.
  • You may want a setup that lets you change the DNS address quickly without having to worry about client leases and the time left before they renew and get the new DNS address. I develop Pi-hole and sometimes things break. With my setup I can flip the DNS server on the router and have it point to a new DNS IP without needing to change a thing on my clients.
  • You may want a sort of fallback DNS configuration. If you can set up the router to use strict-order DNS then you could have a second DNS server listed that is queried if Pi-hole is unavailable. Maybe that's a second Pi-hole, maybe that's an upstream that does or doesn't block but at least your network is not broken.

Neither really gets into security since everything should be self-contained on the LAN segment. You may see some benefits to using Unbound instead of an external upstream and that's the next blog post. Really it's pretty simple, just set up Unbound on the router at a port that isn't 53 and then point Pi-hole to that IP and port.

My setup does disable Non-FQDN and private IP addresses from being sent to Pi-hole's upstream and that is a good thing. I don't think you can enable that with Conditional Forwarding since the Pi-hole upstream needs to be able to answer local domain queries. In my setup the router answers that information before it sends the queries to Pi-hole so there will never be anything for Pi-hole to forward.

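The two pieces of the router-forwards-to-Pi-hole setup described above, written out as configuration. This is an added illustration, not configuration from the blog post or from the Pi-hole project; the router address 192.168.1.1, the Unbound port 5335, the Pi-hole address 192.168.1.2, the LAN range and the drop-in file name are assumed values for a typical home LAN.

```conf
# --- On the router (OPNsense/pfSense): Unbound as a local recursive resolver ---
# Listening on a port other than 53 so it does not collide with the router's
# own DNS forwarder, which clients still reach on port 53. Assumed: 192.168.1.1:5335
server:
  interface: 192.168.1.1
  port: 5335
  do-ip4: yes
  do-udp: yes
  do-tcp: yes
  # Only Pi-hole and the router itself should be able to query this resolver
  access-control: 127.0.0.0/8 allow
  access-control: 192.168.1.2/32 allow
  access-control: 0.0.0.0/0 refuse
  # Hardening that is independent of which upstream you would otherwise use
  harden-glue: yes
  harden-dnssec-stripped: yes
  qname-minimisation: yes
  hide-identity: yes
  hide-version: yes

# --- On Pi-hole: dnsmasq (FTL) options, normally set from the web interface ---
# Assumed drop-in file: /etc/dnsmasq.d/99-upstream-unbound.conf
# Upstream is the router's Unbound on the non-53 port, not a public resolver
server=192.168.1.1#5335
no-resolv
# "Never forward non-FQDN A and AAAA queries": single-label names such as
# "printer" are answered locally (or NXDOMAIN) and never sent upstream
domain-needed
# "Never forward reverse lookups for private IP ranges": PTR queries for
# 10/8, 172.16/12, 192.168/16 get NXDOMAIN locally instead of leaving the LAN
bogus-priv
```

With the router answering local-domain names before it forwards to Pi-hole, nothing LAN-specific reaches the `server=` upstream, which is why the two "never forward" options can stay enabled in this layout but would break local name resolution under conditional forwarding.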

Sage advice. Wouldn't be the first time I've tried to over engineer something. Thanks!

