Pihole vs pfBlockerNG with pfsense

I run a pfsense firewall, and prior to that I had a pihole setup running. When I went from consumer routers to pfsense I retained the pihole setup as it was already running…

I point my pihole at my pfsense IP for DNS, and use pfsense to hand out via DHCP my pihole IP to all DHCP devices. This feels a bit bass ackwards… The reason I do it this way was so pihole would have awareness of the internal network, as IIRC things internally were not working quite right if I had pihole go directly to, say, 1.1.1.1.

Am I just creating extra headache and overhead for the system by doing this? Should I just try and switch to pfblockerng? I like the ease of use of pihole, and the nice graphs and charts it provides… although it looks like the newer version of pfblockerng has been improved since the last time I used it which was sometime around 2015-16.

Anyone have any advice?

PfBlockerNG is great but it lacks the ability to use different rules for different groups of clients, regex filtering, and I think the pfBlockerNG interface isn’t as pretty either. If you don’t care about those things then throw out the Pihole and use pfSense for everything. Otherwise I would (and do at my house) use pfSense for DHCP and DNS on most VLANs, use pfBlocker to filter based on lists and TLDs, and use Pihole for things it does well on a special VLAN that doesn’t use pfSense for DNS or DHCP and point its DNS upstream to pfSense. Make sense? :grinning:

Hmm, sort of. I think what you’re suggesting is more or less what I have set up, sort of. I still let pfsense do all DHCP for all vlans and subnets, but I point DNS to my pihole via pfsense’s DHCP DNS settings (although I just let my IoT vlan DNS go to 1.1.1.2, let those things get whatever results they want…). I then point pihole at pfsense for DNS, and pfsense points to 127.0.0.0, 1.1.1.2, and 8.8.8.8. So… I guess, my setup is “fine”?

The main reason I am asking is because I just updated my pihole and am now seeing these errors:

Thread on pihole forum to go with: DNSMASQ_WARN reducing DNS packet size - #18 by DL6ER - Help - Pi-hole Userspace

I am not entirely sure why/how to fix this, and that led me to thinking maybe I should just ditch pihole and let pfsense handle all of it.

I had to turn off DNSSEC a while back on the Pihole because I was getting strange errors and failed DNS lookups. It didn’t really matter because it’s only internal from Pihole to pfSense. On the Pihole in Settings > DNS I have one custom IPv4 upstream server (my pfSense IP address), only allowed on eth0, never forwarding non-fqdn queries or reverse lookups for private IPs (the first two advanced checkboxes).