[SOLVED] OPNSense force Pihole/Unbound

Does anyone know, how i can FORCE every Client on the LAN, to use Pihole (with Unbound as upstream)?

Current Setup looks like the following:
Opnsense VM on Proxmox
Pihole with Unbound as an LXC on the same host

What i try to accomplish:

If Client → Pihole → Website
If Client → !Pihole → Forced to Pihole (or Blocked) → Website

I tried some stuff but it doesnt work as Intended. Either i get no Name Resolution at all or Clients can still override the DNS. I am fairly new to OPNSense and that much customization, but maybe someone wants to take the time to explain how i can force DNS Querries to Pihole, which then Upstreams to Unbound which uses Root DNS.

Thanks in advance!

I would use DHCP to assign the DNS server you want and just block DNS ports to everything else. Unless someone is manually changing the DNS server this will force things to use the default DHCP assigned DNS server.

I don’t know specifically but there are ways to intercept and redirect/alter DNS requests but this won’t work with DNSSEC or any kind of encrypted DNS.

Yeah, i set the DNS Server in the DHCP section in OPNSense, but if i specify another DNS Server on my Machine, i can just bypass PiHole. I want to mitigate that. No other DNS should be usable, except for, which is my PiHole/Unbound combo.

Is there any specific set of rules i have to set ?

Atm, with my little knowledge, i can accomplish a block of, if I specify that exact IP in the Rules, but whenever i just block UDP/53 i can access my PiHole anymore, but any other DNS Server just fine and sites load. Something isnt quiet right here…

I haven’t used opnsense so I don’t know the specifics but so long as you block port 53 and allow it to your DNS server that should work. If you block port 53 and DNS is still working then likely the rule is configured wrong. Post a screenshot if you like and I’ll have a look.

These are my Rules for now. Have a look and please Point me out what i did wrong and how i can fix it!

This Happens even with the Rule set, that all DNS should be Blocked, if I specify as a DNS on my Machine.

EDIT: Sorry for the broken formatting. You may have to open the long Pictures in a new Tab.

Those rules look like they should work, unless there is something in the automatic rules at the top which is allowing DNS. You could try resetting the state table or restarting the firewall. Sometimes firewall changes won’t take effect because there are still active states for the old rules.

Rebooted the Firewall and flushed DNS on my Machine. Still working with self Specified DNS. Any other Ideas?

My guess is it’s something in those automatic rules which is allowing it. You could enable logging on all the rules then filter the firewall logs for port 53 or the IP of whatever external DNS server you test and it should tell you which rule is allowing it.

The only thing i can see/imagine is the rule “let out everything from the Firewall/host itself”. Put i cant see any request with Port 53 in there, or I´m blind. I followed the ruleid (?) and saw, OPNsense gave me an Option to disable it, i guess. Did that, but it makes no difference.

Hang on, if that IP in the first rule is the computer you’re using to test then that’s what’s allowing it. That rule should have the pihole server (or whatever DNS server you’ve set in DHCP) as it’s destination not any.

Like this? Because is my PiHole. The Machine I´m on is at

BTW, that does, that i cant access any Websites anymore, over the Pihole.
Other DNS still works fine, which is the exact opposite of what we want here, lol

Okay, then the original rule should be correct as it allows the pihole server to connect to a DNS server.

I don’t know what’s going on then.

How are you testing that other DNS servers are working?

I Just change the DNS in the Network settings on my Machine and run a DNS Leak test on the Website i showed before. If the DNS i specified works just fine, then the Name of it will show up. If It would use my DNS, it would show my IP Address.

I’m not sure if a leak test is the best way to test this. If you set a different DNS server can you browse the internet or ping a domain name?

Yes, works just fine, but it shouldnt. If i block all DNS Services then the DNS Leak Test site wouldnt resolves names too. It works perfectly fine as a Test, as far as i can tell.

This is, how it should look, even with another DNS Server Specified (blocking would do it too). Here it uses the PiHole with Unbound Upstream

I’m not sure that’s how it should look, if I run it I see the upstream DNS servers not my internal DNS server.

If you block everything on port 53 you can’t use the internet, even when specifying an external DNS server correct?

But if you allow pihole then the internet still works when specifying an external DNS server? Because that doesn’t make any sense.

I use Unbound as an Upstream DNS, behind my Pihole. So Pihole just upstreams to And because of Unbound I see my own IP resolving DNS Querries. Unbound upstreams directly to the root Servers, at least it should and thats why i see my own IP, i would guess. Am I wrong with that theory ?

If I block UDP Port 53 i cant access the Internet at all. IPs works, but hostnames not, as intended. If I enable the rule which is called “Allow PiHole”, then i can access everything just fine BUT also with external DNS Services like Quad 9.

Yeah that makes sense

But this makes no sense.

Have you enabled logging on the rules so you can see which one is allowing the DNS traffic to Quad 9?

Maybe try testing the external DNS servers with the pihole server turned off just to be sure it isn’t still using it somehow.

	WAN		Feb 27 15:06:09	90.153.xx.xx:6879	udp	let out anything from firewall host itself (force gw)	
lan		Feb 27 15:06:09	udp	Allow PiHole

Log Output. So the PiHole rule is somehow wrong.