I have a firewall rule to dst-nat any outgoing DNS requests not coming from piHole back to the piHole server. That way all devices on the LAN are forced to use piHole for DNS and can’t bypass it.
I don’t have an OPNSense firewall but I would think it should be able to do that as well.
I’ve blocked outgoing port 53 udp/tcp for all subnet except pi-hole. If I can’t trust a device to use the DNS I configured I can’t trust it to go on the internet, and it goes on my list of devices to replace.
I have a firewall rule to dst-nat any outgoing DNS requests not coming from piHole back to the piHole server. That way all devices on the LAN are forced to use piHole for DNS and can’t bypass it. I don’t have an OPNSense firewall but I would think it should be able to do that as well.
I’ve blocked outgoing port 53 udp/tcp for all subnet except pi-hole. If I can’t trust a device to use the DNS I configured I can’t trust it to go on the internet, and it goes on my list of devices to replace.