I’ve turned it off now; I gave it 10 mins and it seems to be working from inside the container. But I don’t know if this is coincidence, as it was intermittent before now. I also can’t see any records of anything relevant being blocked before now.
Why would I have had intermittent access before if it was blocking?
You can use DNSSEC in Pihole, provided your router/firewall knows this! You should enable DNS over TLS (DoT), check your DNS rebind security settings in your router/firewall, and allow DNSSEC.
That’s great to know, thank you. I’ll get that sorted in pfsense once I get this issue solved. In my settings it looks like DNSSEC mode is enabled. I do, however, have my DHCP setting the DNS server to be my Pihole for all clients, with my upstream servers selected in Pihole.
I did, I chose Cloudflare (DNSSEC) and OpenDNS (DNSSEC); besides, my DNSSEC is off for now. I don’t see anything in Pihole that makes sense to have caused an issue.
Next, check that DNSSEC is enabled in your router to pass through TLS, and enable DoT.
To reduce overhead… you should try to decide which of your multiple services (pfsense, Pihole, AdGuard, etc.) is to be in charge of the network. Let pfsense do the network stuff and let either Pihole or AdGuard do the DNS stuff. Try not to mix DNS types.
And with blocking on, no issue. It looks like the first curl returns an error, then the next works fine; perhaps the first request takes too long, and after that it is fine?
I will leave this open for a few hours and if no more issues, I will mark turning off DNSSEC as the solution.
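The “first request fails, the next works” pattern with DNSSEC on is easier to pin down by asking the resolver directly and looking at the response flags: a SERVFAIL points at validation or upstream trouble, while NOERROR with the AD bit set means the answer was validated. The probe below is an added example, not code from this thread or from Pi-hole/pfSense; the resolver address `192.168.1.2` and the name `example.com` are placeholders you replace with your own.

```python
import random
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=1, dnssec_ok=True):
    """Build a raw DNS/UDP query for an A record; with dnssec_ok an EDNS0 OPT
    record with the DO bit is appended so the resolver validates and returns
    DNSSEC data, which is what a Pi-hole with DNSSEC enabled does for clients."""
    header = struct.pack("!HHHHHH", random.randint(0, 0xFFFF), 0x0100, 1, 0, 0,
                         1 if dnssec_ok else 0)  # RD set; ARCOUNT counts the OPT
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE=41, UDP payload 4096, TTL field carries DO=0x8000
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0)
    return header + question + (opt if dnssec_ok else b"")


def parse_flags(resp):
    """Return (rcode, ad, tc) from the 16-bit flags word of a DNS response."""
    _, flags = struct.unpack("!HH", resp[:4])
    return flags & 0x000F, bool(flags & 0x0020), bool(flags & 0x0200)


def classify(resp):
    """Map a response to a human-readable outcome for intermittent-failure hunting."""
    rcode, ad, _ = parse_flags(resp)
    if rcode == 2:
        return "SERVFAIL (validation failure or upstream timeout)"
    if rcode == 0:
        return "NOERROR, AD set (validated)" if ad else "NOERROR, AD clear (not validated)"
    return RCODES.get(rcode, f"RCODE {rcode}")


def probe(server, name, attempts=10, timeout=2.0):
    """Query `server` repeatedly and count outcomes; a mix of SERVFAIL/timeout
    and validated answers reproduces the 'first request fails' symptom."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(attempts):
            try:
                sock.sendto(build_query(name), (server, 53))
                outcome = classify(sock.recvfrom(4096)[0])
            except socket.timeout:
                outcome = "timeout"
            results[outcome] = results.get(outcome, 0) + 1
    return results


if __name__ == "__main__":
    print(probe("192.168.1.2", "example.com"))  # placeholder Pi-hole address
```

Run it once with DNSSEC enabled in Pi-hole and once with it disabled; if the SERVFAIL or timeout count only appears in the first run, the delay is in validation rather than in blocking.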
scubamuc, should I turn off DNS resolution entirely in pfsense?
DNS can be configured locally on the host (see Hosts & FQDN configuration), bypassing Pihole and router/firewall completely.
If you’re running a local DNS (Pihole), then let ONLY Pihole handle the DNS stuff and turn off DNS handling in the firewall.
Usually the firewall within modern up-to-date routers is enough to secure the network… no need for UFW or pfsense etc., especially when your homelab is Linux based.
Letting the Linux host handle DNS is acceptable, since DNS resolution is tricky and managed well by most distros.
If you have ‘kids in da house’ or would like to prevent abuse, then resolve DNS centrally by setting your local DNS (Pihole) in your local network (LAN/WLAN) in your router.
I intend to keep using Pihole for DNS; it’s served by my router (pfsense homemade situation) via DHCP to all clients as the DNS server. So there “should” be no harm in turning off DNS resolution in my router?
I’m no good with the terminology. I mean the setting in pfsense (I’m using an old PC running pfsense to replace my old TP-Link router) that is a service called “DNS Resolver”.