Pihole be the DNS server in the whole network?

What’s about if I have unbound on pihole, so I want to make my pihole be the DNS server in the whole network?

So the clients connect to ipfire and have ipfire as DNS (blue, green) → ipfire has pihole (red) as DNS. Does it makes sense?

Firewall rule: ipfire-red to pihole (red) for 53 (tcp / udp)

The thing is, I have no free ports for DMZ, so I think, the only good solution is to have pihole in the red network (just connected to the provider router).

If I understand what you are asking:

clients – (green) → IPFire – (red) → PiHole → Internet

PiHole is not the most secure device. The IPFire is much more secure since it is a hardened firewall.

So I would not configure things this way. And I would strongly recommend not to have PiHole connected to red (the Internet).

This is what I have:
Client (DNS) → PiHole (DNS) → IPFire (DNS) → to external DNS Server

See this post:


And this is what I did to connect GREEN and BLUE to PiHole.


Hey and thanks!

It’s about, what @trash-trash wrote:
“The right use of Pi-hole, were at eth red side, to resolve IPFire outgoing DNS requests, same idea as if you are using an external DNS service …
So you will be then able to use the benefits of both, of IPFire and of Pi-hole .
Make sure that clients be forced to use IPFire as the DNS and there the Proxy in none transparent too .”

So my network is like this:
Clients (DNS IPFire, with blocking rules for DNS requests to red) → IPFire (DNS PiHole) → PiHole (DNS unbound + hyperlocal / forgot to mention it!) and Router in red network → Internet

So PiHole does not guide the whole traffic through, but the DNS-Requests of the IPFire and has unbound and hyperlocal running.

Bad, bad, bad… Just be careful! If I understand what you are setting up, your PiHole device is NOT protected from the internet by a firewall.

1 Like

it’s not secured by ipfire, just by the standard router firewall (surely not so good). So it’s not just in the open wide internet.

Maby I can get the old nanobox working. How could I set up the network with the second ipfire for the pihole? Does it make sense?

meanwhile I get pihole within GREEN working. But how can I use pihole as DNS server for ipfire within GREEN? If I just set the IP of the pihole in the list of DNS servers in ipfire, I get an error.

Or, is it better just to use ipfire in recursor mode and use ipfire directly in client settings?

hello fstarter.
what is the IP address for you pihole?

1.Put the IP where the arrow points on Jon’s image :

  1. Then you use unbound from IPfire as “Custom Upstream DNS” in PIhole settings

put your GREEN IP address and port

  1. “use DNSSEC” might not work reliably so you could uncheck it.
    I think it is fine, IPfire green interface is secure without DNSSEC.

So, this is the goal:

On the IPFire box, go to the DHCP Server WebGUI page. Set the Primary DNS to the PiHole IP address. In my case the PiHole IP address is

Go to the PiHole WebGUI and go to the DNS settings. Set the Upstream DNS Servers - Custom 1 (IPv4) and enter the IP address for the GREEN. In my case the IPFire GREEN IP address is

Click Save at the bottom of the page when complete!

FYI - I did not enable DNSSEC on the pihole. I could not get it to work.

And I repeat this important post:


ok, thanks both of you!
All clients have static settings, so I don’t use DHCP.
So, I think I don’t need this entry.

Till now, I use unbound on pihole. Does it make sense, to change pihole-DNS to the ipfire-DNS instead and set then ipfire to recursiv (as I understand it IS unbound). So that the ipfire goes out and not the pihole?

And does it make sense not to use unbound, but some external DNS servers with TLS?

As I understood pihole doesn’t work with DNSSEC if I choose ipfire as upstream DNS. Is it a fact?

I tested now the ipfire as upstream DNS in pihole and it seems to work with DNSSEC only if I set some DNS servers within ipfire. If I want to use ipfire in recursiv mode, it doesn’t work.

The question is, is it better to use it in recursiv mode (like unbound) or to use some TLS DNS?

I would use the ipfire for DNS / unbound

use unbound. and use external DNS servers with TLS.

1 Like

how can I realise it with ipfire and pihole?
ipfire without set DNS servers is in recursive mode (so unbound), isn’t it?

But if I set the ipfire as upstream DNS in pihole and let ipfire be in recursive mode, I get no connection. I get connection just if I set DNS server in ipfire.

set pihole aside for the moment (just temporarily). We need to get ipfire working first.

What does DNS look like now? This is mine:

Please send a screenshot of your DNS Servers. (the entire page please. not just one section.)

Screenshots are not so easy in QubesOS.
I have exactly the same page, but another DNS servers (two of them).
Also TLS, also strict, also status OK and working.

Send a pic with an cell phone or digital camera.

I dont know what QubesOS is…

sorry, the communication between the devices is also rather restricted. So screenshots or pics cost rather much time. As I said, I have exactly the same as you above, just another DNS servers. Just everything else is exactly the same.

So without PiHole does everything work as expected? (recursive mode works?)

yes, without pihole DNS on ipfire works. BUT recursive mode doesn’t work and I know why. I blocked the direct access to the DNS in RED. In order to avoid DNS leaks, which want to bypass ipfire. So if I want to allow the recursive mode, I suppose, I must allow the direct access for DNS in RED, isn’t it?

The thing is, I block BLUE/GREEN/ORANGE to RED-DNS. But I don’t block ipfireRED to DNS in RED. Logs shows me blocked access from ipfireRED to some IP within the network I did not set. Is it the thing of recursive mode. So do I need a firewall rule for that?

this doesn’t make sense to me…

Why bypass IPFire to avoid DNS leaks?

The thing that might cause a DNS problem is the PiHole box.

1 Like

I block direct access from GREEN/BLUE/ORANGE to any DNS in RED. This avoids DNS leaks, because all clients should use internal DNS server (ipfire or pihole or whatever). But this seems not to be a problem.

Now I don’t use pihole as DNS server. Just ipfire itself. And I get no connection to the most sites. The strange this is, I get connection to the forum here :smiley:
Maybe it has something to do with some cache on ipfire??

Do I need some firewall rule to use recursive mode of ipfire?
I see some strange DROP_INPUTs for DNS to some IPs, I don’t have, f.e. or

This behavior seems to disappear if I activate one of the DNS servers within ipfire and leave the recursive mode.

this still doesn’t make sense to me…. (sorry for me being dense).

Maybe someone with more skills can assist.