I would suggest that you update DHCP (and all clients with a static IP) to use your Pihole as your primary DNS server. Then configure the Pihole to use IPFire as the downstream DNS server.
This has a few benefits over your current arrangement:
The PiHole has an excellent interface for showing what is blocked from which client, unlike IPFire.
The PiHole currently doesn’t support “DNS Security” or encrypted DNS queries, while IPFire does.
Yes, you really do not want to use Pi-Hole. Especially not in front of IPFire.
The DNS stack in IPFire validates all DNS responses (where it can) and makes sure that nobody spoofed them. Pi-Hole breaks this. Their code quality is horrible; you can achieve the whole thing a lot better by using the proxy and filtering your stuff there.
I have now changed my DNS configuration and I think this is the safest way:
IPFire has a DNS server via TLS, and all clients first get the Active Directory DNS, which then forwards to the internal IP of the Pi-hole to filter the websites. The second DNS in the DHCP of IPFire is the IP of the Pi-hole, so all traffic goes through the IPFire DNS server, because the IPFire IP is configured in the Pi-hole as the upstream server.
It runs perfectly.
Thus the Pi-hole runs behind IPFire and not in front of it.
So I put my Pi-hole as primary DNS in IPFire and secondary the IPFire. Furthermore my clients have fixed IP addresses assigned by DHCP, and in the Pi-hole the IPFire is entered as DNS resolver. So the Pi-hole still works and in case of failure I have the other DNS servers.
> So I put my Pi-hole as primary DNS in IPFire and secondary the IPFire. Furthermore my clients have fixed IP addresses assigned by DHCP, and in the Pi-hole the IPFire is entered as DNS resolver. So the Pi-hole still works and in case of failure I have the other DNS servers.
Don’t put the Pi-hole BEFORE IPFire. Put it BEHIND.
IPFire → Pi-hole → clients. 3 ways:
1. Use IPFire as DHCP and put the Pi-hole’s IP in it.
2. Use the Pi-hole’s own DHCP and IPFire for its DNS.
3. Use static IPs; put the Pi-hole and IPFire as the clients’ DNS, or IPFire as the Pi-hole’s DNS.
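The three layouts above all share one property: the validating resolver (IPFire) is the last hop before the internet, and the filter sits behind it. The following is an added example, not code from the thread or from either project, that models a forwarding chain as a small graph and checks that property from the clients' point of view, reporting a forwarding loop (which arises when each resolver points at the other) or a filter that sits in front of the validator. The resolver names and layouts are constructed for the example.

```python
"""Check where a filtering resolver sits in a DNS forwarding chain.

Added example, not from the forum thread. Each resolver is a node with an
ordered upstream list. The check follows the primary upstream starting at the
resolver the clients receive via DHCP and reports either a forwarding loop or
the validating resolver (IPFire: DNSSEC validation, DNS over TLS) not being
the last hop before the internet. All layouts below are constructed.
"""
from typing import Dict, List

INTERNET = "internet"  # sentinel for "forwards to public resolvers / root servers"

# Constructed layouts: key = resolver, value = its upstreams in order of preference.
BEHIND = {  # clients -> AD DNS -> Pi-hole -> IPFire -> internet
    "ad-dns": ["pihole"],
    "pihole": ["ipfire"],
    "ipfire": [INTERNET],
}
IN_FRONT = {  # clients -> IPFire -> Pi-hole -> internet (filter after the validator)
    "ipfire": ["pihole"],
    "pihole": [INTERNET],
}
LOOPED = {  # IPFire's primary DNS is the Pi-hole, and the Pi-hole's upstream is IPFire
    "ipfire": ["pihole", INTERNET],
    "pihole": ["ipfire"],
}


def trace_chain(upstreams: Dict[str, List[str]], start: str) -> List[str]:
    """Follow each resolver's primary upstream from `start` until INTERNET.

    Returns the ordered hops. Raises ValueError on a forwarding loop or on a
    resolver that has no upstream at all.
    """
    path = [start]
    node = start
    while node != INTERNET:
        ups = upstreams.get(node)
        if not ups:
            raise ValueError(f"{node} has no upstream configured")
        nxt = ups[0]
        if nxt in path:
            raise ValueError("forwarding loop: " + " -> ".join(path + [nxt]))
        path.append(nxt)
        node = nxt
    return path


def check_layout(upstreams: Dict[str, List[str]], client_dns: str, validator: str) -> List[str]:
    """Return a list of findings for the chain clients use; empty means sound."""
    try:
        path = trace_chain(upstreams, client_dns)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if validator not in path:
        findings.append(f"{validator} is bypassed entirely: " + " -> ".join(path))
    elif path[-2] != validator:
        # Anything between the validator and the internet answers unvalidated.
        findings.append(
            f"{validator} is not the last hop before the internet: " + " -> ".join(path)
        )
    return findings


if __name__ == "__main__":
    for name, layout, client_dns in (
        ("behind", BEHIND, "ad-dns"),
        ("in front", IN_FRONT, "ipfire"),
        ("looped", LOOPED, "pihole"),
    ):
        print(name, check_layout(layout, client_dns, "ipfire") or ["ok"])
```

`check_layout` only follows the primary upstream; a secondary entry (as in `LOOPED`) is what clients fall back to when the primary fails, so it does not rescue a layout whose primary path loops.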
My IPFire is the DHCP server, and in the DNS entry of the DHCP server is the Pi-hole and of course my Active Directory server, which then forwards the requests to the Pi-hole.
Anyway, if your Pi-hole does not work, you can use a script in IPFire that collects multiple DNS block lists and adds them to the IPFire unbound block list → same logic as the Pi does.
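As an added illustration of that approach (this is not IPFire's own script and not Pi-hole code), the block below merges block lists in the two common shapes, hosts-file lines and bare domain lines, into unbound `local-zone` statements of type `always_nxdomain`. It normalises names, refuses to blackhole a bare TLD, drops entries already covered by a blocked parent domain (a local-zone applies to the whole subtree), and punches a hole for allow-listed names under a blocked parent with a more specific `transparent` zone. The list text and the allow list are constructed; where the output file goes on an IPFire box is a placeholder.

```python
"""Merge DNS block lists into an unbound local-zone file.

Added example, not IPFire's script or Pi-hole code. Sample lists below are
constructed. Output is meant for an unbound include file (placeholder path).
"""
import re
from typing import Iterable, List, Set

LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def is_blockable_name(name: str) -> bool:
    """Accept only well-formed names with at least two labels (never a bare TLD)."""
    if len(name) > 253 or name in LOCAL_NAMES:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL_RE.fullmatch(l) for l in labels)


def parse_blocklist(text: str) -> Set[str]:
    """Extract blocked names from hosts-format or bare-domain list text."""
    names: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0] in SINK_ADDRS:          # "0.0.0.0 name [name ...]"
            candidates = fields[1:]
        elif len(fields) == 1:               # "name"
            candidates = fields
        else:                                # hosts line mapping to a real address: not a block entry
            continue
        for cand in candidates:
            name = cand.lower().rstrip(".")
            if is_blockable_name(name):
                names.add(name)
    return names


def parents_of(name: str) -> List[str]:
    """All proper parent domains of `name`, excluding the bare TLD."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def collapse_parents(names: Set[str]) -> List[str]:
    """Drop names whose parent is already blocked; unbound blocks the subtree."""
    return sorted(n for n in names if not any(p in names for p in parents_of(n)))


def render_unbound(blocked: Set[str], allowed: Iterable[str] = ()) -> str:
    allow = {a.lower().rstrip(".") for a in allowed}
    blocked = {b for b in blocked if not any(b == a or b.endswith("." + a) for a in allow)}
    lines = [f'local-zone: "{n}" always_nxdomain' for n in collapse_parents(blocked)]
    # unbound matches the most specific local-zone, so a transparent child zone
    # re-opens an allowed name that sits under a blocked parent.
    for a in sorted(allow):
        if any(p in blocked for p in parents_of(a)):
            lines.append(f'local-zone: "{a}" transparent')
    return "\n".join(lines) + "\n"


def build_config(lists: Iterable[str], allowed: Iterable[str] = ()) -> str:
    merged: Set[str] = set()
    for text in lists:
        merged |= parse_blocklist(text)
    return render_unbound(merged, allowed)


# Constructed sample input (not real block list content).
SAMPLE_LISTS = [
    "# list A (constructed, hosts format)\n"
    "127.0.0.1 localhost\n"
    "0.0.0.0 ads.example.net\n"
    "0.0.0.0 Tracker.example.org.   # mixed case, trailing dot\n"
    "0.0.0.0 banner.ads.example.net\n"
    "192.0.2.5 real-host.example.com  # not a sink address: ignored\n",
    "# list B (constructed, bare domains)\n"
    "telemetry.example.com\n"
    "example.org\n"
    "com\n"
    "-bad-.example.com\n",
]
ALLOW = ["good.example.org"]

if __name__ == "__main__":
    # Placeholder path; on a real box this would be an unbound include file.
    with open("/tmp/blocklist-example.conf", "w") as fh:
        fh.write(build_config(SAMPLE_LISTS, ALLOW))
    print(build_config(SAMPLE_LISTS, ALLOW), end="")
```

Fetching the lists over HTTPS and reloading unbound after writing the include file are left to the caller; the part worth getting right is the filtering, since one malformed line in a large list can otherwise turn into a blackholed TLD or an invalid config that stops the resolver.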