Force Devices to use Pi-hole

April 2025 - christian - dns, network, opnsense

Setting up Pi-hole on a Raspberry Pi or as a Docker container is not hard. The how-tos are good and there is not much to do in a terminal. But some devices simply refuse to use the Pi-hole as their DNS server: they have DNS servers hardcoded, or they talk to a resolver of their own choosing over DNS over HTTPS (DoH) or DNS over TLS (DoT).

Redirect DNS Queries

Plain DNS queries are sent unencrypted to port 53, mostly over UDP. Port 53/tcp is used as well: for answers that do not fit into a UDP packet (the client retries over TCP after a truncated reply), for zone transfers, and by some clients as their default transport. So we redirect every DNS query that leaves our network, on 53/udp and 53/tcp, to the Pi-hole IP. Redirecting only UDP leaves a TCP bypass open.

This requires a "proper" router such as OPNsense or pfSense which lets us define custom NAT rules. What we need is a Port Forward, i.e. a Destination NAT (DNAT) rule: it rewrites the destination address of the packet from whatever DNS server the device wanted to reach to the Pi-hole, while the device still believes it is talking to the server it configured.

Rule                  Description
Interface             The LAN devices' interface/VLAN
Source IP             A list (alias) of the devices to force onto the Pi-hole. Do not include the Pi-hole itself (or the host running your upstream resolver), otherwise its own upstream queries are redirected back to the Pi-hole and loop
Destination IP        NOT (192.168.0.0/16 or 10.0.0.0/8 or 172.16.0.0/12)
Destination Port      53, protocol TCP/UDP (or one rule for UDP and one for TCP)
Redirect Target IP    Your Pi-hole IP
Redirect Target Port  53

OPNSense → Firewall → NAT → Port Forward:

If the Pi-hole sits in the same subnet as the clients, check that redirected queries actually get an answer. The Pi-hole replies to the client directly with its own address as source, and a client that asked 8.8.8.8 discards a reply that comes from a different address. The answer has to flow back through the firewall: enable NAT reflection for the rule, or add an outbound NAT rule on the LAN interface that masquerades the redirected queries with the firewall's address.

If done correctly, any DNS server you ask returns the Pi-hole's blocked result (here 0.0.0.0 for a domain on the blocklist), because the query to 8.8.8.8 never leaves the network:

    $ nslookup doubleclick.net
    Name:    doubleclick.net
    Addresses:  :: 0.0.0.0
    $ nslookup doubleclick.net 8.8.8.8
    Name:    doubleclick.net
    Addresses:  :: 0.0.0.0

Block DNS over TLS (DoT)

DoT uses its own well-known port, 853/tcp, so it can easily be blocked by the firewall:

Rule                  Description
Interface             The LAN devices' interface/VLAN
Source IP             any
Destination IP        NOT (192.168.0.0/16 or 10.0.0.0/8 or 172.16.0.0/12)
Destination Port      853 TCP
Action                Drop

Consider Reject instead of Drop: a TCP reset lets the client fall back to plain DNS (which is now redirected) immediately, while a silent drop makes it wait for a timeout first. A client configured for strict DoT, such as Android's Private DNS with a fixed hostname, does not fall back at all and ends up without DNS, so expect complaints from such devices. DNS over QUIC (DoQ) uses 853/udp; block that as well if any of your devices speak it.
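The two rules above are easy to get half right (only UDP redirected, DoT rule on the wrong interface). The following script is an added example for this post, not part of it, and checks from a client in the enforced VLAN that plain DNS to external resolvers is sinkholed on both 53/udp and 53/tcp and that 853/tcp to the outside is blocked. It assumes dig and nc are installed, that doubleclick.net is on a Pi-hole blocklist as in the post, and the resolver list is an arbitrary choice.

```shell
#!/bin/sh
# check-dns-enforcement.sh: verify the Pi-hole redirect (53/udp + 53/tcp) and
# the DoT block (853/tcp) from a client in the enforced VLAN.
# Added example for this post, not the post's own code.
# Assumptions: dig and nc are installed; doubleclick.net is on a Pi-hole
# blocklist (the post's own example); EXTERNAL_RESOLVERS are any public
# resolvers the rules must intercept.

BLOCKED_DOMAIN="doubleclick.net"
EXTERNAL_RESOLVERS="8.8.8.8 1.1.1.1 9.9.9.9"   # assumption: any public resolvers

# is_sinkholed "<answers>": 0 when every answer is a Pi-hole sinkhole address
# (0.0.0.0 or ::), 1 when the list is empty or contains a real address.
# Takes the answers as a string so it can be checked without network access.
is_sinkholed() {
    set -- $1
    [ $# -gt 0 ] || return 1
    for a in "$@"; do
        case "$a" in
            0.0.0.0|::) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# query <resolver> <udp|tcp>: print the A answers the resolver gives for the
# blocked domain, one per line; empty on timeout or refusal.
query() {
    _tcp=""
    [ "$2" = tcp ] && _tcp="+tcp"
    dig +short +time=2 +tries=1 $_tcp "$BLOCKED_DOMAIN" A "@$1" 2>/dev/null
}

# dot_reachable <resolver>: 0 when a TCP connection to port 853 succeeds,
# i.e. the DoT firewall rule is missing or does not match this client.
dot_reachable() {
    nc -z -w 3 "$1" 853 >/dev/null 2>&1
}

# run_checks: run every check against every resolver; returns 1 on any failure.
run_checks() {
    rc=0
    for r in $EXTERNAL_RESOLVERS; do
        for proto in udp tcp; do
            answers=$(query "$r" "$proto")
            if is_sinkholed "$answers"; then
                echo "OK    $BLOCKED_DOMAIN via $r/$proto -> sinkholed (redirect works)"
            else
                echo "FAIL  $BLOCKED_DOMAIN via $r/$proto -> ${answers:-no answer} (redirect missing for $proto?)"
                rc=1
            fi
        done
        if dot_reachable "$r"; then
            echo "FAIL  $r:853/tcp reachable (DoT not blocked)"
            rc=1
        else
            echo "OK    $r:853/tcp blocked"
        fi
    done
    return $rc
}

# Run the live checks only when asked, so the functions can be sourced and
# tested without network access:  sh check-dns-enforcement.sh --run
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it from a device that is in the source list of the port forward; a FAIL for tcp only means the redirect rule covers UDP alone, and a FAIL for 853 means the DoT rule is on the wrong interface or the client is not matched by its source.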

Block DNS over HTTPS (DoH)

Blocking DNS over HTTPS is very, very hard. On the wire a DoH query is just HTTPS on port 443 to some web server and cannot be told apart from normal HTTPS traffic. Here the hagezi/dns-blocklist project comes to the rescue. It offers many lists that block certain services on the DNS level, among them the hostnames of known DoH resolvers. This works because a device normally has to resolve the resolver's hostname (dns.google, cloudflare-dns.com, ...) via plain DNS first, and that query now goes through the Pi-hole; a device with the resolver's IP address hardcoded can still bypass it. Firefox additionally checks the canary domain use-application-dns.net before enabling DoH automatically and stays on plain DNS when that name returns NXDOMAIN.

Used Lists: Pro Plus, TIF (Threat Intelligence Feeds), DoH/VPN/Proxy Bypass

Run your own Recursive Resolver

DNS is organized as a tree. At the top is a fixed list of root servers, which know which name servers serve each TLD (.com, .de, .eu). The TLD name servers in turn know which name servers, usually those of the hosting or DNS provider, are authoritative for each domain (serverless.industries, neu-deli.de).

Walking that tree is called recursive resolving: a single lookup from a client makes the resolver send two or more real DNS queries (root, TLD, authoritative name server; fewer once the intermediate answers are cached). Normally a router just uses the Internet provider's DNS servers, which is a privacy issue if that provider logs and sells its customers' requests.

We can simply run our own recursive resolver with software like Unbound. It is shipped with OPNsense, Debian or Raspberry Pi OS, for example. Make it listen on localhost (or restrict access-control to the Pi-hole) so it does not become an open resolver on the Internet.

Add the Unbound address (127.0.0.1#5335 when it runs on the Pi-hole host, as the Pi-hole docs suggest) in Pi-hole → Settings → DNS as custom upstream DNS server.
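The following is an added example for this post, not the post's or Pi-hole's own code. It writes a minimal Unbound configuration that listens on localhost only, refuses everyone else, validates DNSSEC and drops answers that point into private address ranges (DNS rebinding), then validates the file and checks that a signed domain is answered with the AD flag. It assumes a Debian / Raspberry Pi OS style Unbound package with /etc/unbound/unbound.conf.d/, the package-managed root trust anchor already configured there, and Unbound running on the same host as Pi-hole on port 5335.

```shell
#!/bin/sh
# setup-unbound-upstream.sh: install a hardened localhost-only Unbound config
# as Pi-hole upstream and verify it. Added example, not the post's own code.
# Assumptions: Debian-style package layout (/etc/unbound/unbound.conf.d/),
# the package already configures the root trust anchor (on Debian in its own
# file in that directory, so it is not repeated here), same host as Pi-hole.

UNBOUND_PORT=5335
CONF_DIR=/etc/unbound/unbound.conf.d

# unbound_conf: print the configuration. Localhost only, everybody else refused,
# so the resolver cannot be abused from the Internet.
unbound_conf() {
    cat <<EOF
server:
    verbosity: 0
    interface: 127.0.0.1
    port: ${UNBOUND_PORT}
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes

    # Only the local Pi-hole may ask; everybody else is refused.
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::/0 refuse

    # Do not leak software details to whoever can reach the port.
    hide-identity: yes
    hide-version: yes

    # DNSSEC hardening and less data to upstream servers.
    harden-dnssec-stripped: yes
    harden-glue: yes
    qname-minimisation: yes

    # Answers from the Internet pointing into private ranges are rebinding
    # attempts; drop them. Pi-hole answers local names itself before asking us.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10

    # Keep the cache warm and avoid UDP fragmentation.
    prefetch: yes
    edns-buffer-size: 1232
EOF
}

# install_and_check: write the config, validate it, restart Unbound and make
# sure a DNSSEC-signed name (example.com) comes back validated (AD flag set).
install_and_check() {
    unbound_conf > "${CONF_DIR}/pi-hole.conf" || return 1
    unbound-checkconf || return 1
    systemctl restart unbound || return 1
    if dig @127.0.0.1 -p "$UNBOUND_PORT" +dnssec example.com A | grep -q 'flags:.* ad'; then
        echo "Unbound ready; set 127.0.0.1#${UNBOUND_PORT} as custom upstream in Pi-hole -> Settings -> DNS"
    else
        echo "no AD flag: DNSSEC validation is not working, check the trust anchor"
        return 1
    fi
}

# Only touch the system when asked:  sudo sh setup-unbound-upstream.sh --install
if [ "${1:-}" = "--install" ]; then
    install_and_check
fi
```

If you rely on public DNS names that deliberately resolve to internal addresses (split-horizon style), the private-address lines will make those names fail; either drop the affected range or add a private-domain entry for that zone.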

A lot more details on that are in the Pi-hole docs.
