stevejenkins / unifi-linux-utils

Helpful Linux / Unix scripts for admins of Ubiquiti (UBNT) UniFi wireless products
https://www.stevejenkins.com/blog/tag/unifi/
MIT License

question about force-dns-to-pihole #47

Open rickross opened 3 years ago

rickross commented 3 years ago

Hi Steve, and thank you for the script that made it so easy to redirect all my internal devices to use my pihole server. I was really confused trying to figure out how to implement such rules using the Unifi controller gui interface.

But I have a question, if you don't mind. At https://labzilla.io/blog/force-dns-pihole the author describes an approach that configures a pfSense firewall with 3 rules for achieving a similar purpose:

- NAT Rule 1: Redirect DNS queries to PiHole
- NAT Rule 2: Exempt PiHole from DNS query redirects
- NAT Rule 3: Prevent clients from giving unexpected source errors

I believe the first 2 rules are precisely what you have provided in the script, but I'm unsure about the third and wonder if it is something worth adding? I'm not clear which devices would get indigestion from a so-called "unexpected source error", but I doubt the error handling and recovery logic is robust in devices that are hard-coding DNS server ip addresses.

Is this something you feel might be significant?

ricktendo commented 3 years ago

In regards to the Unifi force-dns-to-pihole.json, rule 1 both redirects and exempts the PiHole DNS server. So what it does is all traffic destined to port 53 from all sources except from !192.168.0.105 (this is what the exclamation is for) will be forwarded to the PiHole (so this covers both pfSense rules #1 and #2).

pfSense Rule #3 is the same as force-dns-to-pihole.json rule 6000 (masquerade).

P.S. I would probably modify rule 1 a bit more to add a destination address !192.168.0.105, so clients who are already querying the PiHole for DNS are exempt from getting their traffic redirected.

https://www.derekseaman.com/2019/10/redirect-hard-coded-dns-to-pi-hole-using-ubiquiti-edgerouter.html
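A small model of the arrangement described above (the source-negated DNAT rule 1, the destination exemption from the P.S., and the rule 6000 masquerade), added here as an example; it is not code from the unifi-linux-utils repo. The PiHole address is the one used in the issue, while the client and gateway LAN addresses are constructed. It runs the same hard-coded query with and without masquerade to show which reply source the client ends up seeing, which is what pfSense rule 3 is about.

```python
from dataclasses import dataclass, replace

PIHOLE = "192.168.0.105"     # PiHole LAN address used in the issue
GATEWAY_LAN = "192.168.0.1"  # constructed: gateway address on the LAN interface


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 50000


def dnat_rule_1(pkt: Packet, exempt_pihole_dst: bool = True) -> Packet:
    """Rule 1 (destination NAT): send port-53 traffic to the PiHole, except
    traffic from the PiHole itself (source '!192.168.0.105'). exempt_pihole_dst
    models the P.S. suggestion of also matching destination '!192.168.0.105'."""
    if pkt.dport != 53 or pkt.src == PIHOLE:
        return pkt
    if exempt_pihole_dst and pkt.dst == PIHOLE:
        return pkt
    return replace(pkt, dst=PIHOLE)


def masquerade_rule_6000(pkt: Packet, enabled: bool) -> Packet:
    """Rule 6000 (masquerade): rewrite the source of port-53 packets bound for
    the PiHole to the gateway's LAN address, so the PiHole answers the gateway."""
    if enabled and pkt.dst == PIHOLE and pkt.dport == 53:
        return replace(pkt, src=GATEWAY_LAN)
    return pkt


def reply_seen_by_client(query: Packet, masquerade: bool) -> Packet:
    """Push a client query through both rules, let the PiHole answer whatever
    source it saw, and return the reply as it arrives at the client."""
    forward = masquerade_rule_6000(dnat_rule_1(query), masquerade)
    reply = Packet(src=PIHOLE, dst=forward.src, dport=forward.sport, sport=53)
    if reply.dst == GATEWAY_LAN:
        # Reply returns via the gateway, which reverses both translations
        # (connection tracking): the client sees its hard-coded DNS address.
        return Packet(src=query.dst, dst=query.src, dport=query.sport, sport=53)
    # Without masquerade the PiHole replies straight to the client on the LAN,
    # bypassing the gateway, so the reply carries the PiHole's own address.
    return reply


def client_accepts(query: Packet, reply: Packet) -> bool:
    """A stub resolver only matches a reply from the server and port it asked."""
    return (reply.src == query.dst and reply.sport == query.dport
            and reply.dport == query.sport)
```

With masquerade off, the reply to a client that asked 8.8.8.8 arrives from 192.168.0.105, which is exactly the "unexpected source" a resolver will discard.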

rickross commented 3 years ago

@ricktendo thanks for clarifying - much appreciated

DKeppi commented 5 months ago

Does anybody know how I could set these 3 rules on a UniFi UXG-Lite, to force my DNS to dual PiHoles? The json isn't compatible with this gateway... sadly!