Pfsense upstream dns


I’m using pfsense configured with pfblockerng. I’d like to use these rules as a baseline, and stage an internally hosted pihole as the next upstream resolver. This way, I can augment the existing DNSBL rules with my own additions - think the pihole interface allows for a faster development cycle of these rules, which could then be collected into a feed within pfblockerng…

The only client of the pihole should be the pfsense; the network devices shouldn’t be aware of it’s existence, just like they’re unaware of any other resolver.

Is this possible?

It doesn’t make sense to do it that way, but it is possible. You would need to turn on “DNS Query ForwardingEnable” and enable forwarding mode

I’m interested in your thoughts on why that doesn’t make sense; it seems a reasonable way to provide additional customizations with a very quick development loop.

Do you know how processing the DNSBL lists fits into the forwarding flow? If the request is filtered by DNSBL before forwarding, this is a workable solution. If, however, the lists are bypassed, this is a silly exercise.



If something get’s blocked you have two places to look, seems like over kill. pfblocker has options for custom feeds for DNSBL