This doc does not apply to Firewalla Red, Blue and Blue Plus.
If client DNS is set to pi-hole's IP address
Since the client and pi-hole are in the same network, the DNS traffic is sent directly to the pi-hole and doesn't go through layer 3 (the IP layer) of Firewalla. Therefore, DNS interception on Firewalla doesn't take effect and DNS-based features don't work.
If client DNS is set to Firewalla's LAN IP
DNS traffic from the client is first sent to Firewalla. All DNS-based features work, and if the request is not answered from the DNS cache on Firewalla, it is forwarded to pi-hole in the local network for resolution.
Don't want to set every client's DNS settings?
Here is an alternative way to make domain block work with pi-hole in the network:
Create another local network segment on the Firewalla
Move the pi-hole to the newly created network
Change the DNS server in the old network's DHCP options to the new IP address of pi-hole
Never change the WAN DNS on Firewalla to pi-hole unless you know what you are doing.
This way, all DNS traffic from devices in the other network to pi-hole goes through Firewalla, and DNS-based features will work.
But because all requests are forwarded by Firewalla, pi-hole only sees one client, which is Firewalla, so per-client rules on pi-hole won't work. We don't have a solution for that right now.
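One way to confirm from pi-hole's side whether it is seeing only Firewalla as a client (the per-client caveat above), as an added example that is not part of the original article: it parses dnsmasq-style query lines from a constructed log sample, and the client IPs and the Firewalla address used below are assumed values.

```python
import re
from collections import Counter

# Constructed sample in the dnsmasq-style format pi-hole writes to its query log.
# Every query arrives from 192.168.1.1 (assumed to be Firewalla's LAN IP).
FORWARDED_LOG = """\
Mar  3 10:00:01 dnsmasq[812]: query[A] example.com from 192.168.1.1
Mar  3 10:00:01 dnsmasq[812]: forwarded example.com to 127.0.0.1#5335
Mar  3 10:00:02 dnsmasq[812]: query[AAAA] example.com from 192.168.1.1
Mar  3 10:00:05 dnsmasq[812]: query[A] ads.example.net from 192.168.1.1
Mar  3 10:00:05 dnsmasq[812]: gravity blocked ads.example.net is 0.0.0.0
Mar  3 10:00:09 dnsmasq[812]: query[A] cdn.example.org from 192.168.1.1
"""

# Constructed sample where clients query pi-hole directly (same-network case).
DIRECT_LOG = """\
Mar  3 11:00:01 dnsmasq[812]: query[A] example.com from 192.168.1.20
Mar  3 11:00:03 dnsmasq[812]: query[A] ads.example.net from 192.168.1.31
Mar  3 11:00:04 dnsmasq[812]: query[A] example.com from 192.168.1.20
"""

# Matches the "query[TYPE] name from client" lines; other log lines are ignored.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")


def client_query_counts(log_text):
    """Return a Counter of source IP -> number of DNS queries seen in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            counts[m.group("client")] += 1
    return counts


def per_client_rules_effective(log_text, firewalla_ip):
    """True if pi-hole sees at least one client other than Firewalla.

    When every query comes from firewalla_ip, pi-hole cannot distinguish the
    real devices, so its per-client rules have nothing to match on.
    """
    return any(ip != firewalla_ip for ip in client_query_counts(log_text))
```

Run it against the real query log instead of the samples to see which situation a given setup is in.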
For those who have a local search domain, you might also want to check: Difference between Search Domain and Local Domain
Just wanted to share my experience applying this to AdGuard Home. I have a Raspberry Pi 3B+ with the DietPi OS installed and AdGuard Home with Unbound. This also works with Pi-hole with Unbound, but there are a few extra steps.
- Created a new network on its own dedicated Firewalla port and plugged in the Pi
- Created standard rules for this network to Block Traffic from & to All Local Networks and Block Traffic from Internet.
- In the Firewalla phone app, under the Network Manager settings for each LAN network, set the Primary DNS Server address to the IP of the Pi. I did this for two networks and two VLANs that I wanted to route through the Pi/AdGuard/Unbound.
It appears the DNS Booster function will intercept the DNS requests, and the Firewalla box will then forward the DNS request to the Pi without having to create any rules to allow DNS traffic between local networks. I did have to create a rule to allow my management machine to access the Pi machine so that I could see the AdGuard Home web interface: Allow [IP of Pi]:[port], outbound only. Similar rule to use PuTTY to connect.