Forcing network DNS

I have Pi-Hole running on an IP within my LAN network. In order for Pi-Hole to record the client ips and not just pFsense, I have specified the Pi-Hole ip for the DNS in the LAN DHCP DHCP interface.

I now want to make sure that only this DNS is used. Following pfSense® software Configuration Recipes — Blocking External Client DNS Queries | pfSense Documentation, I have the following rules.

However, when the reject rule is enabled, nslookup fails. What am I missing?

I would assume your pi-hole isn’t the LAN address and it is a specific IP address. You’ll need to set your allow DNS rule to the destination IP of your pi-hole.

Also instead of having 2 rules you can have 1 rule. All you need to do is on your block rule do an invert on the destination IP of your pi-hole. Then remove the allow DNS rule.

So basically you are saying in your rule “block LAN NET to access to anything that is not your pi-hole IP.”

1 Like

If you want success to not equal failures, then follow the “Redirect DNS Requests” link on that page. That is a better way to filter UDP DNS traffic.

I removed the firewall rules and tried the DNS request redirect but dns failed again when enabled.



Also tried the below but when enabled it also did not work… There is something that I am not understanding.

What is the IP of your pi-hole and is it on the same LAN network?

Pi-hole is running in a docker container ( The LAN is



You can ignore what I said. The above rule does work. In all my testing I had removed Pi Hole from the DHCP dns setting so ofcourse I was been blocked,

Put it back and all is well.