"Unexpected Source" errors with re-routed DNS queries

Setup for context:

  1. There are two separate LAN subnets ( and
  2. DNS server, a pihole, is at
  3. I use a NAT rule to forward all rogue DNS queries to the pihole
  4. pfsense gives out the pihole as the default DNS when assigning IPs via DHCP

Everything is working ok (rogue queries are routed to pihole and name resolution is working overall), but when I try the following command: dig @ google.com I get the following error:

❯ dig @ google.com
;; reply from unexpected source:, expected
;; reply from unexpected source:, expected
;; reply from unexpected source:, expected

; <<>> DiG 9.10.6 <<>> @ google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

I can see this query logged in the pihole and it has the proper originating host.

Troubleshooting till now has led me to believe that I need an outbound NAT rule but what that rule needs to contain eludes me. I’ve tried all combos I can think of but the error persists.

Any hints?

Try turning that off and see if you get the same results.

Turning off the NAT rule causes the issue to go away but then all the “rogue” DNS queries are not forwarded to my local DNS either.

You are asking dig to go over port 53 and get to but you have it redirected so it gives the proper error.

Thanks for the continued dialogue, I understand your point. However, prior to making the 192.168.8.x subnet, when everything was on the 192.168.7.x subnet, I had the same NAT redirect rule in place (but pointing to a host in the 7.x subnet) and dig was happy.

Can’t this be resolved via an outbound NAT rule? Also, because DNS is working ok, should I just ignore this error (and keep the NAT direct in place)?

I’m digging (no pun intended!) into this cause if the NAT redirect is causing underlying issues, then I’d like to find a resolution.

For additional context, the reason why I went down the route of setting up a secondary subnet is because with the previous setup (one subnet) all “rouge” redirected entries on the pihole logs appeared as if they were coming from the pfsense box vs the original host.

If there’s a way to actually retain the original hostname for the queries that are redirected, then I don’t need the second subnet at all.

I have never attempted to solve this issue before, you are welcome to hire us to work on it but I can not offer a guarantee that we can resolve it.

Filled out the relevant forms to connect directly with your team.