Pi-Hole and pfsense router

I'm running a pfSense router (forwarding DNS to Pi-hole (192..5) running on CentOS - both virtualized). The basic setup is to add the Pi-hole's IP (with gateway "none") to the DNS servers in System->General, and disable the DNS Resolver before enabling the DNS Forwarder.

I had to disable DNS rebind protection to get Pi-hole and devices to function smoothly.
System->Advanced->Admin Access->Disable DNS Rebinding Checks

Before doing so, pfSense's DNS logs showed:

Jan 31 20:52:52 dnsmasq 75648 possible DNS-rebind attack detected: scorecardresearch.com

Also, blocked domains or the Pi-hole's hostname can't be pinged. The browser won't load a blocked domain.

C:\>ping scorecardresearch.com
Ping request could not find host scorecardresearch.com. Please check the name and try again.
Pinging with 32 bytes of data:
Reply from bytes=32 time=2ms TTL=64
C:\>ping pihole.lan
Ping request could not find host pihole.lan. Please check the name and try again.

After disabling dns rebind, ping works, and the browser shows pi-hole's blocked page.

C:\>ping scorecardresearch.com
Pinging scorecardresearch.com [] with 32 bytes of data:
Reply from bytes=32 time=2ms TTL=64
C:\>ping pihole.lan
Pinging pihole.lan [] with 32 bytes of data:
Reply from bytes=32 time=2ms TTL=64

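The log line above comes from dnsmasq's rebind check (`--stop-dns-rebind`), which drops any upstream answer that maps a name to a private or loopback address. A Pi-hole in IP blocking mode answers blocked public names with its own LAN address, so every blocked domain looks like a rebinding attempt, and a local name such as pihole.lan trips the same rule. The following script is an added example written for this page, not code from the thread, pfSense or Pi-hole: it models that check over constructed answers and shows the difference between disabling the check globally (what the post does) and exempting only the local zone with dnsmasq's `rebind-domain-ok` option. The IPs and domains are constructed samples (the Pi-hole address on the page is elided, so 192.168.1.5 is a placeholder).

```python
"""Model of the dnsmasq --stop-dns-rebind decision pfSense's DNS Forwarder applies.

Added example, not from the forum post. All addresses and names below are constructed.
"""
import ipaddress

# Ranges dnsmasq treats as "private" for the rebind check. The IPv4 list mirrors
# dnsmasq's private_net(); the IPv6 entries are the analogous loopback, link-local
# and ULA ranges (assumption: same intent as the IPv4 list).
REBIND_RANGES = tuple(ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7",
))

# Constructed upstream answers as a Pi-hole might return them:
#  - scorecardresearch.com: blocked, answered with the Pi-hole's own LAN IP (placeholder)
#  - pihole.lan:            legitimate local host on the same LAN IP
#  - example.net:           ordinary public answer
#  - tracker.example.net:   blocked with a mode that returns no address (e.g. NXDOMAIN)
SAMPLE_RESPONSES = {
    "scorecardresearch.com": ["192.168.1.5"],
    "pihole.lan": ["192.168.1.5"],
    "example.net": ["198.51.100.7"],
    "tracker.example.net": [],
}


def is_rebind_address(ip: str) -> bool:
    """True if a name resolving to this address would look like DNS rebinding."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in REBIND_RANGES)


def _allowlisted_suffix(qname: str, rebind_domain_ok):
    """Return the rebind-domain-ok suffix covering qname, or None.

    dnsmasq's rebind-domain-ok=/suffix/ exempts the name itself and every label under it.
    """
    for suffix in rebind_domain_ok:
        suffix = suffix.strip("/").rstrip(".").lower()
        if qname == suffix or qname.endswith("." + suffix):
            return suffix
    return None


def check_answer(qname, answers, rebind_domain_ok=(), stop_dns_rebind=True):
    """Decide whether the forwarder delivers an upstream answer to the client.

    Returns (delivered, reason). With stop_dns_rebind=False every answer is delivered,
    which is the effect of "Disable DNS Rebinding Checks" in pfSense.
    """
    qname = qname.rstrip(".").lower()
    if not stop_dns_rebind:
        return True, "rebind check disabled"
    suffix = _allowlisted_suffix(qname, rebind_domain_ok)
    if suffix is not None:
        return True, f"allowlisted by rebind-domain-ok=/{suffix}/"
    for ip in answers:
        if is_rebind_address(ip):
            # dnsmasq logs this and the client sees a failed lookup instead of an address.
            return False, f"possible DNS-rebind attack detected: {qname}"
    return True, "ok"


def audit(responses, **opts):
    """Run check_answer over a mapping of name -> answer list; returns name -> (delivered, reason)."""
    return {name: check_answer(name, answers, **opts) for name, answers in responses.items()}


if __name__ == "__main__":
    scenarios = {
        "rebind check on (pfSense default)": {},
        "rebind check on, rebind-domain-ok=/lan/": {"rebind_domain_ok": ("lan",)},
        "rebind check disabled (as in the post)": {"stop_dns_rebind": False},
    }
    for title, opts in scenarios.items():
        print(f"== {title}")
        for name, (delivered, reason) in audit(SAMPLE_RESPONSES, **opts).items():
            print(f"  {name:24} {'delivered' if delivered else 'DROPPED  '} {reason}")
```

Running it shows that exempting only the `lan` zone fixes pihole.lan while keeping the check for every public name; a blocked public domain answered with the Pi-hole's LAN address will always trip the check, which is why the post had to disable it outright. If you want to keep the protection for public names, the alternative is a Pi-hole blocking mode that returns no address for blocked names (the tracker.example.net case above passes the check) and a `rebind-domain-ok=/lan/` line in the forwarder's custom dnsmasq options, assuming your pfSense version exposes that field.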

No idea why you have done those things, unless you needed 2 or 3 DNS servers in the network.
With pfSense, the correct thing is to just install pfBlockerNG on pfSense and set it up properly. BBcan177 did a fantastic job with pfBlockerNG.

With pfBlockerNG you will be able to do more than Pi-hole can do at this moment (block world regions / countries / IPs & DNS, filter traffic access to and from those IPs / DNS...). Just add your lists or links to lists (including lists from Pi-hole) and you will block what you need.

I needed 2 DNS servers because I am filtering websites for children and I want to filter ads for them too.
It is possible in pfSense to run one DNS Resolver and one DNS Forwarder at the same time, but the DNS Forwarder will not filter ads.
In my setup:

  • pfBlocker is used for adults; it blocks IPs (for the whole network) & DNS, and resolves DNS.
  • Pi-hole is used for children; it blocks ads and forwards DNS to OpenDNS - this is customized for my IP and will filter many other categories not suitable for children... (IPs... countries are already blocked by pfBlockerNG for the whole network).

Nothing special to set up in pfSense, whether you already have pfBlocker running or not: just add to the DHCP server config which DNS servers to use for that client IP:
DNS server 1 = Pi-hole IP
and as backup, if the Pi-hole server is offline,
DNS server 2 = OpenDNS server 1
DNS server 3 = OpenDNS server 2

If you are filtering other DNS servers, just allow access from the Pi-hole IP to the DNS servers you need (in my case the OpenDNS servers) and your network is protected against DNS changes from clients.