Pi-hole DNS not working with OPNSense

Expected Behaviour:

Internet connection with pi-hole

Relevant information:

  • OS: Debian 13 (trixie)
  • Hardware: HP EliteDesk 800 G4 Mini (i5-8500T, 16GB RAM, 256GB SSD)
  • Pi-hole installed via: curl -sSL https://install.pi-hole.net | bash
  • Unbound is being used as the upstream server, installed following: unbound - Pi-hole documentation
  • Firewall: OPNSense v25.7
  • OPNSense DNS settings based on method 1 of Pi-hole’s OPNSense documentation: OPNsense - Pi-hole documentation
  • Note: using IP Passthrough with AT&T BGW320 router (all Firewall Advanced settings disabled, Wi-Fi disabled)

Actual Behaviour:

DNS seems to get queries, but times out more often than not. Unable to use Internet.

This is not the first time I have had this type of setup, and it was perfectly fine before now. Unsure what is going wrong here.

While connected to the OPNSense network, I was able to successfully test using the following commands:

dig pi-hole.net @127.0.0.1 -p 5335

dig fail01.dnssec.works @127.0.0.1 -p 5335
dig +ad dnssec.works @127.0.0.1 -p 5335

With that said, once I test with: dig en.wikipedia.org @127.0.0.1, the connection times out.

Debug Token:

I have the pi-hole.log file generated from running pihole -d, but was unable to upload it. Any help on how to get that info onto here would be appreciated.

What's the output for the below one?

grep nameserver /etc/resolv.conf

If it's 127.0.0.1, ::1, or the host's own IP, edit the above file with the below:

sudo nano /etc/resolv.conf

And change the nameserver to Google's 8.8.8.8 or Cloudflare's 1.1.1.1.
Save/exit and try to upload the debug log again with the below?

sudo cat /var/log/pihole/pihole_debug.log | pihole tricorder

For that you have to check the Pi-hole and/or Unbound logs to see why it's failing.
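The check suggested above, as an added example that is not part of the thread: a small POSIX sh script (function names are my own) that classifies each nameserver in a resolv.conf as "local" (loopback or one of the host's own IPs, so the debug-log upload would depend on the broken Pi-hole/Unbound path) or "external". The resolv.conf contents and the host IP list are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes POSIX sh; the host's own
# IPs are passed in as a space-separated list rather than read from the system.

# Usage: classify_nameservers "<resolv.conf contents>" "<own IPs>"
# Prints one line per nameserver entry: "<ip> local" or "<ip> external".
classify_nameservers() {
    conf="$1"
    own_ips="$2"
    printf '%s\n' "$conf" | while read -r key value rest; do
        [ "$key" = "nameserver" ] || continue
        # The host's own address counts as local: it still goes through pihole-FTL.
        case " $own_ips " in
            *" $value "*) echo "$value local"; continue ;;
        esac
        case "$value" in
            127.*|::1) echo "$value local" ;;
            *)         echo "$value external" ;;
        esac
    done
}

# Returns 0 when every nameserver is local, i.e. nothing on this host can
# resolve tricorder.pi-hole.net unless Pi-hole and Unbound are working.
all_local() {
    ! classify_nameservers "$1" "$2" | grep -q ' external$'
}

# Constructed sample: a Pi-hole host pointing at itself, as the reply describes.
SAMPLE_CONF='# Generated by NetworkManager
nameserver 127.0.0.1
nameserver 192.168.1.10
options edns0'
SAMPLE_OWN_IPS='192.168.1.10'

if all_local "$SAMPLE_CONF" "$SAMPLE_OWN_IPS"; then
    echo "resolv.conf only uses the local resolver; set a public one (8.8.8.8 or 1.1.1.1) for the upload"
fi
```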

Here’s my debug token: https://tricorder.pi-hole.net/yggmY2JO/

In my frustration I have reinstalled Debian and Pi-hole, then uploaded my copy of the debug log using pihole. I re-enabled the AT&T router to do this, so I am still currently connected to that router in the meantime.

Going to try to start from the top, but please do let me know what you find because I am curious what I did wrong. I’ll probably still be trying to set this up by the time you respond, so any pointers help.

Okay, I have finally figured it out. I think I got confused by OPNSense’s initial DHCP setup (it uses DNSmasq at first, which is not mentioned in the pi-hole documentation).

This can be closed now. I am unsure what exactly went wrong with my setup, but after reinstalling Debian and Pi-hole, then following the directions for Unbound and OPNsense, I was able to get it back online.

Something I must note for anyone who may come across this and has AT&T (with the BGW320 router):

  1. Turn off your Wi-Fi (both 2.4GHz and 5GHz).
  2. Turn off all Packet Filters.
  3. Turn on IP Passthrough (DHCPS-dynamic).
  4. Turn off all Firewall Advanced settings (if you are unable to turn off Firewall Advanced outright).
  5. Restart router and make sure your OPNsense / pfsense router is the only LAN device plugged into the BGW320.

Thanks for the help!
