OPNsense + PiHole + Unbound setup

What I want is clients to be assigned IPs via DHCP running on OPNsense and given the IP of the DNS server they should use at the same time. This IP will be my PiHole. Then I want to use the recursive Unbound resolver built into OPNsense to resolve queries not blocked by the PiHole.

This should be fairly easy, but I’m struggling to get OPNsense to hand out a specific IP to clients when assigning IPs with DHCP.

My understanding is that this can be done by setting the DNS servers in System=>Settings=>General+DNS servers. But I’ve read that this won’t work with Unbound enabled.

I think using ISC DHCPv4 makes handing out DNS servers simple, but I saw that’s no longer recommended. So I’ve been using Dnsmasq as my DHCP server.

You are probably mixing a bit of stuff together.

Basically, OPNsense currently offers 3 different ways of doing DHCP.

  • Dnsmasq: this is the new way to go. Recommended for most users
  • KEA: DHCP if you have complex setups or stuff like HA
  • ISC: End of life

DNS also is a complex topic.
https://docs.opnsense.org/manual/dhcp.html#
https://docs.opnsense.org/manual/dnsmasq.html

I like the pihole webgui, but sooner or later I got too lazy and just used the blacklists of Unbound in OPNsense.

Yeah, I could just use Unbound domain blocking, but I like that with the pihole I can just run update and get any changes instead of managing these lists myself in Unbound.

But also just getting dnsmasq to hand out a DNS server IP has been tough.

Pihole has optional DHCP. You can also choose which lists are to be used per client. So you’ll more or less get what you want.

Your model complicates things unnecessarily imho.

DHCP must assign a static IP per MAC if you don’t want a mess.

Another thing is separating DNS queries into those filtered by pi-hole and those served externally, which in itself creates a layer of complexity.

Should this traffic be per IP or per domain?

The easiest, as I mentioned, is pi-hole with DHCP. Otherwise you will need DHCP that assigns a static IP per MAC for a given network and advertises the indicated DNS. However, for the second subnet that is not to be filtered you need a “second” DHCP/DNS that will advertise a different server.

Doing this within one subnet in one place may not be feasible in the GUI. DHCP would have to know and understand that specific IPs are to receive a different DNS address.
I don’t have OPNsense at hand to play with right now and I don’t remember off the top of my head… But maybe look around the interfaces to see if they have options for DHCP/DNS.

Much software has the ability to define DNS servers per interface, and DHCP will advertise these addresses on that interface.

In OpenWrt, for example, it looks like this…

Perhaps create two virtual interfaces and divide the machine addresses according to the filtered and unfiltered subnet.

Alternatively, you can experiment with tags in the DHCP options or by MAC.

You can also try something like this in your dnsmasq configuration…

dhcp-host=00:15:99:27:f8:98,set:specialhosts,192.168.32.20
dhcp-option=tag:specialhosts,option:dns-server,8.8.8.8,8.8.4.4
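An added example (not from this thread) that extends the tag technique above to the filtered/unfiltered split discussed earlier in this post: every lease gets the Pi-hole (192.168.111.130, the address the OP later gives) as its only DNS server, and just the hosts tagged by MAC get the OPNsense Unbound resolver instead. The interface name igc1, the OPNsense LAN address 192.168.111.1 and the MAC addresses are assumptions.

```conf
# Added example, not from the thread. Assumed: LAN interface igc1,
# OPNsense on 192.168.111.1, Pi-hole on 192.168.111.130, constructed MACs.
interface=igc1
dhcp-range=192.168.111.100,192.168.111.199,12h

# Default for every lease: the only DNS server handed out is the Pi-hole.
# Without this line dnsmasq advertises its own address (OPNsense) instead.
dhcp-option=option:dns-server,192.168.111.130

# Fixed addresses per MAC. The Pi-hole and the NAS get the "unfiltered" tag.
dhcp-host=02:00:00:00:00:10,set:unfiltered,192.168.111.130,pihole
dhcp-host=02:00:00:00:00:20,set:unfiltered,192.168.111.20,nas

# Tagged options take precedence over untagged ones, so only tagged hosts
# are told to use the OPNsense Unbound resolver directly.
dhcp-option=tag:unfiltered,option:dns-server,192.168.111.1
```

Everything else keeps pointing at the Pi-hole, so the filtered/unfiltered split lives in one subnet and one dnsmasq instance.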

+1

Only downside is that if pihole is down, your internet is also down. Just keep that in mind.
On OPNsense you then have to select “Manual Configuration” for IPv6. That way you can turn off RA of OPNsense and only use RA of pihole. Then you could also create a firewall block rule to block all outgoing that isn’t from pihole. You do that by selecting a source invert rule.
Block all port 53 traffic that isn’t from source pihole.

For a small network, OP can use manual static addressing configurations and you don’t need DHCP at all. If someone doesn’t have 1k machines and doesn’t add new ones all the time, you can think about giving up DHCP and setting everything up manually.

The reliability of the solution is the same regardless of the software. If the machine with pi-hole is offline, it should be treated similarly as if the main router was also offline. Unless we’re playing with high availability.

I always have two independent dns servers with pi-hole in my networks, so I don’t have a break in access to ns. But there’s no point in going to extremes in the case of small networks with low required availability.

Playing with two DHCPs in one subnet is already a higher level of complexity, and playing with HA is doable, but why? What is the probability of losing DHCP at the same time the PC wants to get data? In a small network it is an abstraction.

Once you’re all set up with DNS and DHCP working, don’t forget enforcement: Redirect all outgoing DNS requests to the local Pi-hole instance using OPNsense – The Midnight Sun


For a small network you only run one pihole as DNS server and block all others.
So if pihole is down, your internet is down.

Chances of pihole going down are IMHO greater than for OPNsense, just because OPNsense needs way fewer reboots.

The size of the network is a matter of semantics. If you don’t want to have breaks, duplicate simple services.

I have two separate DNSs because I like it that way. Blocking DNS traffic on the way out is rather obvious if we don’t want anything to go through under the table.

I’ve never had a sudden accidental crash of pi-hole that would suggest a lower level of stability than other software. There is also no excessive amount of reboots here. Pi-hole updates quickly and relatively live without creating a long break in availability and does not require a machine restart and the restart of the service is lightning fast. The machine that hosts pi-hole can theoretically perform a reboot only when there is a need to change the kernel and only then. So there are no excessive restarts with respect to OPN.

The Internet doesn’t stop working because DNS is down, it still works, we just don’t have solutions for domain queries, but technically, the network still works.

The average home user doesn’t have to think about high availability, whether it’s DNS or DHCP or the main router itself. And if the user is paranoid or has a real reason, let them use duplicate services… I don’t necessarily encourage this, it was you who suggested the lack of availability in the case of offline pi-hole, which acts as dhcp, as a big problem as well.

OP, let him choose what he wants, IMHO one pi-hole + dhcp is enough for him and let him not worry about the lack of availability.

Wow thanks y’all.

I hadn’t really considered that some devices might ignore the DNS server returned from DHCP.

I’m going to give the DNS forwarding a try. Then maybe set up Unbound on the pi side.

Got it working!

Will attach some screenshots in case someone else finds this.

Turns out setting a DNS server in the general settings of OPNsense does vend it via DHCP. But I’ve seen really inconsistent behavior across different clients.

FYI my pihole is 192.168.111.130.

Set DHCP specified DNS IP


Firewall rules. Top one is generated from Port forwarding NAT. Needed to move it to the top.

Forward ports rule.

Allow pihole to do DNS querying.

Asshole devices like Chromecast have their Google DNS servers hardcoded.
Stupid devices like Aruba Instant On think they know better and have 1.1.1.1 as default.

Your Firewall rule says “intercepts any outgoing” but it is only an allow rule.

This is a firewall rule and not a port forward rule! Also you don’t need NAT, how are you mixing NAT into this?

Look, here is how it is done.

Step 1: Create a rule to reject (use reject and not block internally, that way the clients get informed immediately and don’t wait) all DNS traffic. Put that rule on the top.
Step 2: Then create a second rule that allows pihole to do DNS to our OPNsense (unbound) or whatever.
Step 3: Put that rule above the block rule.
Why no rule from your clients to pihole you ask?
Well that traffic does not touch OPNsense. You would not be able to filter that if you wanted to, so you also don’t need a rule to allow it. Your clients speak to your pihole directly, without touching OPNsense.

After you are done, post a picture of your firewall rules.

BTW: This is only a quite primitive way of blocking DNS that does not cover DNS over TLS or DNS over HTTPS. I follow the rule to get asshole devices to begin with (or at least not give them internet access) so I don’t have to work many block rules that come from within my network.

Yeah I’m not really understanding what I did now that I think about it. I was following a mix of Redirect all outgoing DNS requests to the local Pi-hole instance using OPNsense – The Midnight Sun and Your Smart TV is probably ignoring your PiHole - LabZilla

I think I like your suggestion better of just blocking DNS except from Unbound/pihole.

Here’s what I got

No need for rule from pihole to unbound since I have unbound running on non-53 port.
