Pihole ftl and upstream DNS

NethServer Version: 7.9.2009
Module: pihole ftl

I’m running the NS box behind a opnsense. The upstream DNS of the NS box is pointing to a pihole. The DNS of the pihole is pointing to the unbound service of the opnsense.

I realize that the internal pihole of the NS box is still pointing and querying to and I’d like to know why? Is there a special reason for? Can I change it to my pihole?

Thanks for any answer.


Sorry for bringing this up again.

I understand that the upstream DNS servers are covering everything in NS. Maybe someone could clarify. Or should I open a bug?

Hi @schulzstefan

I use NethServer, OPNsense and PI-Hole.

My NethServer has itself and the OPNsense as DNS.
My OPNsense uses itself and the NethServer (As that’s AD).

Servers do not use PI-Hole (less dependency), only my Clients…

This works, no need for any external DNS.

My 2 cents

I can’t reproduce.

I set the pihole upstream DNS:

config setprop pihole DNS1 DNS2
signal-event nethserver-pihole-update

and find the same DNS in pihole web UI:

Maybe you need to build again to apply the DNS settings to the container.

pihole build

Your setup is a little different to mine. Both setups are working. That’s good.

Now - where do I find the gui for the pihole for the NS? I didn’t know that there are settings/props in the NS db? BTW couldn’t find any information in the manuals…

For my NS the query

#config show pihole

shows nothing.

To clarify: my pihole is the official one which is running on a raspberry pi. The custom DNS is configured to query unbound on my opnsense.

I thought you’re using the pihole module.

Sorry for the delay, now back again.

Well, as fa as I remember, I didn’t install the pihole module.

#rpm -q nethserver-pihole
package nethserver-pihole is not installed

AFAIK unbound, dnsmasq and the pihole ftl are working together in the NS default installation. I read this somewhere in the forum.

Anyway you’ll find under services

ftl - Pi-hole FTL DNS caching server with statistics - running local on tcp and udp port 1153.

And you’ll find in /etc/pihole/dnsmasq.conf the DNS servers and

Again, I think this must be a default install.

This comes from Threat Shield because it uses pihole lists and has nothing to do with your pihole.
It should contain the same DNS as your NethServer.


that’s clear to me. As I wrote I’m wondering that the NS box is querying the DNS servers defined in /etc/pihole/dnsmasq.conf. Instead of querying the upstream server, which I defined as the pihole in my LAN.

In my understanding there should be no other upstream DNS as those defined in the cockpit. This seems to be a bypass to me.

Do you use Thread Shield, is it enabled?

Maybe you need to reapply the config of Threat Shield to write the correct DNS server to /etc/pihole/dnsmasq.conf but usually it should be applied when you change the Neth DNS servers:

signal-event nethserver-blacklist-update

Let’s check you Neth DNS config:

config show dns


Maybe there are errors in the template. Does expanding the template work?

expand-template /etc/pihole/dnsmasq.conf

I think this could be a dependency of fail2ban…

#config show dns

That’s the ip of my pihole. I defined this ip as the upstream DNS for the NS box. Everything fine so far.

Something did not work. Usually when you change Neth DNS servers, they should be written to a file /etc/pihole/dnsmasq.conf from a template.

DNS config seems ok, please check the other things:

Interesting. Maybe a bug? I remember at the initial install (which was a migration from SME) I defined and as DNS servers. It seems they survived the change to the ip of my pihole.

Did as you requested. First the blacklist signal and then the template expand for the dnsmasq.

Cat /etc/pihole/dnsmasq.conf shows now the ip of the pihole, which is the defined upstream DNS in cockpit.

I didn’t realize that the thread shield is active… I’m more focussed to fight (not all) threads with the opnsense. Don’t get me wrong, I don’t want to start a discussion/flamewar about a separate hardware firewall vs. a built-in firewall in a server.

Thank you for staying with me and working this out. Now every device is querying first the pihole and then unbound in the opnsense. This is the way I like to have.


1 Like