This doc does not apply to Firewalla Red, Blue and Blue Plus.
If client DNS is set to pi-hole's IP address
Because the client and pi-hole are on the same network segment, DNS traffic is delivered directly to pi-hole at layer 2 and never passes through Firewalla's IP layer (layer 3). Firewalla's DNS interception therefore never sees it, and DNS-based features (such as domain blocking) do not work for that client.
If client DNS is set to Firewalla's LAN IP
DNS traffic from the client is first sent to Firewalla, so all DNS-based features work. If the query is not answered from Firewalla's DNS cache, Firewalla forwards it to pi-hole on the local network for resolution.
Don't want to change every client's DNS settings?
Here is an alternative way to make domain blocking work with a pi-hole in the network:
Create another local network segment on the Firewalla
Move the pi-hole to the newly created network
Change the DNS server in the old network's DHCP options to pi-hole's new IP address
Never change Firewalla's WAN DNS to pi-hole, unless you know what you are doing.
This way, all DNS traffic from other devices to pi-hole goes through Firewalla, and DNS-based features will work.
But because Firewalla forwards all of these requests, pi-hole sees only one client (Firewalla itself), and per-client rules on pi-hole won't work. We don't have a solution for that right now.
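To check which of the cases above applies to a given client, here is an added Python example (not Firewalla documentation or product code) that classifies each nameserver in a client's resolv.conf as Firewalla's LAN IP (intercepted), an address on the client's own subnet (on-link, bypasses Firewalla), or an address on another segment or the internet (routed through Firewalla). All addresses, the client prefix and the resolv.conf text are constructed samples; the subnet-membership test stands in for the layer-2 vs layer-3 distinction the text describes.

```python
"""Classify where a LAN client's DNS queries travel relative to Firewalla.

Added example, not Firewalla documentation or product code. The addresses,
the client interface prefix and the resolv.conf text are constructed.
"""
import ipaddress

# Constructed sample addresses: Firewalla's LAN IP and a pi-hole before and
# after moving it to a newly created network segment.
FIREWALLA_LAN_IP = "192.168.1.1"
PIHOLE_SAME_SEGMENT = "192.168.1.53"
PIHOLE_NEW_SEGMENT = "192.168.2.53"


def classify_dns_path(client_iface, dns_server, firewalla_lan_ip=FIREWALLA_LAN_IP):
    """Return how a query from client_iface (e.g. '192.168.1.20/24') reaches dns_server.

    'intercepted': the client asks Firewalla directly; Firewalla answers from
                   cache or forwards to pi-hole, so DNS-based features apply.
    'bypass':      dns_server is on the client's own subnet; the query is
                   delivered at layer 2 and Firewalla's IP layer never sees it.
    'routed':      dns_server is on another segment or the internet; the query
                   must transit Firewalla, which forwards it.
    """
    client = ipaddress.ip_interface(client_iface)
    dns = ipaddress.ip_address(dns_server)
    if dns == ipaddress.ip_address(firewalla_lan_ip):
        return "intercepted"
    if dns in client.network:
        return "bypass"
    return "routed"


def nameservers_from_resolv_conf(text):
    """Parse 'nameserver' entries from resolv.conf-style text (comments start with # or ;)."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit_client(client_iface, resolv_conf_text, firewalla_lan_ip=FIREWALLA_LAN_IP):
    """Map each configured nameserver to its path and the two consequences
    the text describes: whether Firewalla's DNS features apply, and whether
    pi-hole still sees the real client address (needed for per-client rules)."""
    report = {}
    for ns in nameservers_from_resolv_conf(resolv_conf_text):
        path = classify_dns_path(client_iface, ns, firewalla_lan_ip)
        report[ns] = {
            "path": path,
            # Anything that reaches Firewalla's IP layer can be intercepted.
            "firewalla_dns_features": path != "bypass",
            # Only on-link delivery preserves the client's source address;
            # once Firewalla forwards, pi-hole sees Firewalla as the sole client.
            "pihole_sees_real_client": path == "bypass",
        }
    return report


# Constructed resolv.conf for a client at 192.168.1.20/24 listing all three cases.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP (constructed sample)
nameserver 192.168.1.53   ; pi-hole on the client's own segment
nameserver 192.168.1.1    # Firewalla LAN IP
nameserver 192.168.2.53   # pi-hole after moving it to a new segment
search lan
"""

if __name__ == "__main__":
    for ns, info in audit_client("192.168.1.20/24", SAMPLE_RESOLV_CONF).items():
        print(f"{ns:<14} {info['path']:<12} "
              f"firewalla_features={info['firewalla_dns_features']} "
              f"pihole_sees_client={info['pihole_sees_real_client']}")
```

Run it against a real client's interface prefix and its /etc/resolv.conf (or the DNS server handed out by DHCP): any nameserver reported as "bypass" is the same-segment case and needs the client repointed or the pi-hole moved, while "routed" and "intercepted" both lose pi-hole's per-client view. For an empirical confirmation, watch UDP/TCP port 53 on Firewalla's LAN interface with tcpdump while the client resolves a name; in the bypass case no packets appear there.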
If you use a local search domain, you might also want to check: Difference between Search Domain and Local Domain