Hardware

Originally I installed Pi-hole on a Raspberry Pi 1B (700MHz, 512MB RAM), which meets the documented hardware requirements. Surprisingly, this ran acceptably and was able to keep up with all the queries on my network. However, after upgrading to a Raspberry Pi 5 (4GB RAM), the web UI was noticeably more responsive, and the board ran about 10 degrees cooler.

Topology

Since I am using OPNsense as my DHCP server, I will have OPNsense send out its own IP address as the DNS server via DHCP, and forward queries to Pi-hole. I use Unbound as the DNS server in OPNsense.

A worthwhile consideration here is that with this topology, all DNS requests to Pi-hole will come from the router. Unfortunately, this means you won’t get the nice per-client breakdowns in the Pi-hole dashboard, nor any of the client management features (e.g. groups).

Note that leaving DNS Servers blank in the ISC DHCP configuration will result in the system DNS servers being used (i.e. as configured in OPNsense settings). This is what we want in this case.

  1. In Settings > General > DNS Servers, add the address of Pi-hole.
  2. In Services > Unbound DNS > General, configure the following settings:
    • Enable Unbound - Checked
    • Network Interfaces - Select only the internal networks (e.g. LAN) on which we want to serve DNS
    • Register ISC DHCP4 Leases - Enabled. This enables hostname resolution of DHCP-registered clients.
    • Register DHCP Static Mappings - Enabled. This will allow static IPs on the LAN to be resolved via hostname.
    • Flush DNS Cache during reload - Enabled.
  3. In Services > Unbound DNS > Query Forwarding, add an entry to forward all queries to Pi-hole. The domain can be left blank to match all domains.

Additional settings

Additional configuration that may be useful depending on your network.

Allow iCloud Private Relay

If you have Apple devices on your network using iCloud Private Relay, this will be blocked by default, and internet access will not be available with Private Relay enabled. To allow connections to Private Relay, add the following line in /etc/pihole/pihole-FTL.conf:

BLOCK_ICLOUD_PR=false

Override DNS for certain hosts

For certain devices that are sensitive to custom DNS, you may wish to bypass Pi-hole. If you are using Pi-hole as the DHCP server, and clients auto-configure their DNS server from DHCP, you can make it appear as if there were no Pi-hole by adding the host with the nopihole tag in dnsmasq, and handing that tag a different DNS server.

$ cat /etc/dnsmasq.d/07-custom-domains.conf
dhcp-host=ee:ee:ee:ee:ee:ee,set:nopihole,192.168.1.200
dhcp-option=tag:nopihole,6,192.168.1.1

For a list of DHCP options (magic numbers), run dnsmasq --help dhcp. For example:

$ dnsmasq --help dhcp | grep ' 6 '
6 dns-server
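Because every host tagged this way silently leaves the Pi-hole filter, it is worth being able to list them on demand. The following POSIX shell script is an added example and not part of the original post: it parses a dnsmasq configuration in the format shown above and prints each DHCP host whose tag is mapped to option 6 (dns-server), together with the address it will be handed. The configuration text in SAMPLE_CONF is constructed for the example, and the function name bypass_hosts is my own.

```sh
#!/bin/sh
# Added example, not from the original post: audit which DHCP hosts in a
# dnsmasq config are tagged to receive a DNS server other than Pi-hole.

# Constructed sample standing in for /etc/dnsmasq.d/07-custom-domains.conf.
SAMPLE_CONF='# hosts that bypass Pi-hole
dhcp-host=ee:ee:ee:ee:ee:ee,set:nopihole,192.168.1.200
dhcp-host=aa:bb:cc:dd:ee:ff,set:nopihole,192.168.1.201
dhcp-host=11:22:33:44:55:66,printer,192.168.1.50
dhcp-option=tag:nopihole,6,192.168.1.1
dhcp-option=tag:iot,3,192.168.2.1'

# bypass_hosts CONFIG_TEXT
# Prints "MAC IP DNS" for every dhcp-host whose tag is matched by a
# dhcp-option that sets option 6 (dns-server). Untagged hosts keep the
# Pi-hole default and are not printed.
bypass_hosts() {
    printf '%s\n' "$1" | awk -F',' '
        /^dhcp-option=tag:/ {
            # dhcp-option=tag:<tag>,<option>,<value>; the option may be the
            # number 6 or the symbolic form option:dns-server
            tag = $1; sub(/^dhcp-option=tag:/, "", tag)
            if ($2 == 6 || $2 == "option:dns-server") dns[tag] = $3
        }
        /^dhcp-host=/ {
            # dhcp-host=<mac>[,set:<tag>]...[,<hostname>][,<ip>]
            mac = $1; sub(/^dhcp-host=/, "", mac)
            ip = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^set:/) {
                    t = $i; sub(/^set:/, "", t)
                    tags[mac] = tags[mac] " " t
                } else if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    ip = $i
                }
            }
            if (ip != "") ips[mac] = ip
        }
        END {
            # Resolve tags only after the whole file is read, so the
            # dhcp-option line may appear before or after the hosts.
            for (mac in ips) {
                n = split(tags[mac], tl, " ")
                for (j = 1; j <= n; j++) {
                    if (tl[j] in dns) print mac, ips[mac], dns[tl[j]]
                }
            }
        }' | LC_ALL=C sort
}

# Example run on the constructed config. On a real Pi-hole you would pass
# the file contents instead: bypass_hosts "$(cat /etc/dnsmasq.d/07-custom-domains.conf)"
bypass_hosts "$SAMPLE_CONF"
```

The output is one line per bypassing host, sorted by MAC; anything that appears here and is not on your intentional list deserves a second look, since those clients receive no blocking at all.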

Increase concurrent requests

Rate limiting of DNS queries in Pi-hole is on a per-client basis. Where the majority of requests reach Pi-hole from a single source (e.g. forwarded by the router), that source counts as one client and the rate limit may need to be increased. This can be changed in Settings > DNS > Rate-limiting. In my case, I have found 4000 queries per 60 seconds to be an appropriate setting to avoid OPNsense being rate limited.
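Before raising the limit, it helps to measure what the router actually sends. The following shell functions are an added example and not part of the original post: peak_per_client tallies queries per client per minute from Pi-hole's dnsmasq-style query log and reports each client's busiest minute, and over_limit lists the clients whose peak exceeds a given limit. The log lines in SAMPLE_LOG are constructed in that format, and both function names are my own.

```sh
#!/bin/sh
# Added example, not from the original post: find each client's busiest
# minute in Pi-hole's query log to judge whether the rate limit is adequate.

# Constructed sample lines in the dnsmasq log format Pi-hole writes. Only
# "query[...] <name> from <client>" lines are queries; the rest are noise here.
SAMPLE_LOG='Mar  5 10:15:01 dnsmasq[3281]: query[A] example.com from 192.168.1.1
Mar  5 10:15:01 dnsmasq[3281]: forwarded example.com to 1.1.1.1
Mar  5 10:15:02 dnsmasq[3281]: query[AAAA] example.com from 192.168.1.1
Mar  5 10:15:07 dnsmasq[3281]: query[A] cdn.example.net from 192.168.1.1
Mar  5 10:15:09 dnsmasq[3281]: query[A] laptop.lan from 192.168.1.50
Mar  5 10:15:30 dnsmasq[3281]: query[A] api.example.org from 192.168.1.1
Mar  5 10:15:31 dnsmasq[3281]: query[A] api.example.org from 192.168.1.50
Mar  5 10:15:59 dnsmasq[3281]: query[PTR] 1.1.168.192.in-addr.arpa from 192.168.1.1
Mar  5 10:16:03 dnsmasq[3281]: query[A] example.com from 192.168.1.1
Mar  5 10:16:04 dnsmasq[3281]: query[A] tracker.example from 192.168.1.1'

# peak_per_client LOG_TEXT
# Prints "CLIENT PEAK", where PEAK is the most queries that client sent in
# any one clock minute. Minute buckets approximate the 60-second window;
# a sliding window straddling two minutes can be somewhat higher.
peak_per_client() {
    printf '%s\n' "$1" | awk '
        # $3 is hh:mm:ss, $5 is query[TYPE], $8 is the client address
        $5 ~ /^query\[/ && $7 == "from" {
            minute = substr($3, 1, 5)
            count[$8 SUBSEP minute]++
        }
        END {
            for (key in count) {
                split(key, parts, SUBSEP)
                c = parts[1]
                if (count[key] > peak[c]) peak[c] = count[key]
            }
            for (c in peak) print c, peak[c]
        }' | LC_ALL=C sort
}

# over_limit LOG_TEXT LIMIT
# Prints the clients whose busiest minute exceeds LIMIT queries, i.e. the
# ones Pi-hole would rate-limit at that setting.
over_limit() {
    peak_per_client "$1" | awk -v limit="$2" '$2 > limit { print $1 }'
}

# Example run on the constructed log with a deliberately low limit of 4.
# On a real Pi-hole: over_limit "$(cat /var/log/pihole/pihole.log)" 1000
peak_per_client "$SAMPLE_LOG"
over_limit "$SAMPLE_LOG" 4
```

Run against a day of real log data, the first number printed for the router's address is the floor for the queries-per-60-seconds setting; leave headroom above it rather than setting the limit exactly at the observed peak.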

Multiple subnets

By default, Pi-hole will only accept requests that originate one hop from the host (i.e. on the same subnet). If requests are to be permitted from a different subnet (e.g. subnets routed by OPNsense), then the option Respond only on interface <eth0> needs to be set under Settings > DNS > Interface Settings.