pfSense and pi-hole

Hi all, let me run this past you.
I want to control more of the ads on my Roku devices.
I have pfSense running with pfBlockerNG that serves DNS and DHCP to the VLAN that the Rokus are on. The Rokus have been aliased.
I am unable to configure pfSense to send all aliased Roku DNS traffic to the Pi-hole that is also on that same VLAN, running in a Proxmox instance.

In the DHCP settings, create a static entry for the Roku and override the default DNS to be the Pi-hole.

Tom, thanks for the reply.
Sadly, that was what I had already tried, with no luck. Rebooted the Roku and the pfSense, and also restarted the Pi-hole.
The Rokus do show up in the network section in Pi-hole, but they also show as never querying the Pi-hole.

Just a heads up: if you are planning to block ads on a Roku, it will also block many of the streaming services due to their use of Google APIs identified as ad services. I found that STIRR and others will fail to load or give an API failure message.

I found the same with some smart TV apps and some Xbox games. It’s best to let the appliances go to their services.

Thanks for the info RonV42. I ended up scrapping it for now.
I do watch Hulu on the PC more than the Roku/TV, and I block those ads via lists in Vivaldi.

Just another quick thought. It is possible that the Roku, or the apps on it, are directing DNS queries to their own chosen servers. A LAN rule blocking DNS traffic from the Roku to external IPs, followed by a NAT rule on the LAN interface pushing those queries to the Pi-hole, might get the effect you’re looking for.

If that doesn’t change anything, you might need to do some packet capturing between the Roku and the firewall. It is possible that the apps are farming all of the ad procurement out to their CDN servers, which would mean you can’t really change anything. The only way to know is to see if there is DNS traffic coming off of the device itself during a streaming session.

I have a port 53 capture for my default network (PCs, phones, and tablets). I see a lot of apps on phones, for example, ignore the DNS that was pushed out to the device. For the IoT and appliance VLANs I had to disable the capture. I know one of my friends has a security system that went directly to Google’s DNS and wouldn’t connect to their services if he redirected it to his preferred DNS. It’s a crapshoot now whether something does or doesn’t work when trying to use secured services for consumer devices.

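The port 53 capture described above is the check that settles whether a device is actually using the resolver DHCP handed it. The following is an added example, not code from any poster in this thread: it takes tcpdump-style lines (the sample below is constructed, with 192.0.2.10 standing in for the Pi-hole and 192.0.2.20/21 for the aliased Rokus) and reports which clients send plain DNS to resolvers other than the approved one, and, going a step beyond the thread, which clients open DNS-over-TLS (port 853) connections that bypass the Pi-hole entirely. It also counts queries per client to the Pi-hole, which is the same "never queried" observation the Pi-hole network view showed earlier. Run it against the output of `tcpdump -n -i <vlan_if> port 53 or port 853` on the VLAN interface; the interface name and addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, not a real capture: the shape tcpdump -n prints for UDP/TCP
# flows, with port appended to the IPv4 address by a dot.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.0.2.20.50123 > 192.0.2.10.53: 1234+ A? example.net. (29)
12:00:01.000002 IP 192.0.2.10.53 > 192.0.2.20.50123: 1234 1/0/0 A 203.0.113.7 (45)
12:00:02.000003 IP 192.0.2.21.40001 > 8.8.8.8.53: 4321+ A? ads.example.com. (33)
12:00:02.000004 IP 192.0.2.21.40002 > 8.8.4.4.53: 4322+ A? cdn.example.org. (33)
12:00:03.000005 IP 192.0.2.30.44444 > 1.1.1.1.853: Flags [S], seq 1, win 65535, length 0
12:00:04.000006 IP 192.0.2.20.50124 > 192.0.2.10.53: 1235+ AAAA? example.net. (29)
"""

# Matches "<time> IP <src>.<sport> > <dst>.<dport>:" for IPv4 lines.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

PLAIN_DNS_PORT = 53
DOT_PORT = 853  # DNS over TLS; encrypted, so a plain-DNS redirect never sees it


def parse_flows(capture_text):
    """Yield (src, sport, dst, dport) for each parsable tcpdump line."""
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def find_dns_bypass(capture_text, approved_resolvers, watched_clients=None):
    """Return {client: {"plain_dns": {ips}, "dot": {ips}}} for clients that
    send port-53 queries to a non-approved resolver or open port-853 sessions.
    watched_clients restricts the check to an alias of addresses (e.g. the Rokus)."""
    findings = defaultdict(lambda: {"plain_dns": set(), "dot": set()})
    for src, _sport, dst, dport in parse_flows(capture_text):
        if watched_clients is not None and src not in watched_clients:
            continue
        if dport == PLAIN_DNS_PORT and dst not in approved_resolvers:
            findings[src]["plain_dns"].add(dst)
        elif dport == DOT_PORT:
            findings[src]["dot"].add(dst)
    return dict(findings)


def count_queries_to(capture_text, resolver):
    """Count port-53 queries per client that actually reached the given resolver.
    A client missing from the result never queried it, matching an empty
    client entry in the Pi-hole network view."""
    counts = defaultdict(int)
    for src, _sport, dst, dport in parse_flows(capture_text):
        if dst == resolver and dport == PLAIN_DNS_PORT:
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    PIHOLE = "192.0.2.10"          # assumed Pi-hole address
    ROKUS = {"192.0.2.20", "192.0.2.21"}  # assumed contents of the Roku alias
    for client, hit in find_dns_bypass(SAMPLE_CAPTURE, {PIHOLE}, ROKUS).items():
        print(f"{client}: plain DNS to {sorted(hit['plain_dns'])}, DoT to {sorted(hit['dot'])}")
    for client, n in count_queries_to(SAMPLE_CAPTURE, PIHOLE).items():
        print(f"{client}: {n} queries reached the Pi-hole")
```

Passing the Roku alias as `watched_clients` answers the original question directly: a Roku that appears under "plain_dns" is ignoring the DHCP-assigned resolver and is a candidate for the block-plus-NAT rules suggested in the thread, while one that appears under "dot" cannot be redirected by a port 53 NAT rule at all.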

And this, friends and neighbors, will be one of the emerging fronts in the cyber-security war. If devices aren’t forced to use the DNS that we want them to use, especially with the advent of DNSSEC and DNS over HTTPS, how will we know that they aren’t using outbound traffic on those ports for exfiltrating data?


Put Pi-hole in another segment.
Set your Roku device’s DNS to the Pi-hole’s IP.
NAT the traffic that is going TO and FROM your Pi-hole, and your Roku will think it is receiving a valid DNS reply coming from your pfSense.