Is there an official guide on how to implement PIHole as THE dns solution
This topic is closed.
  • Is there an official guide on how to implement PIHole as THE dns solution

    I have a Pi-hole set up as a recursive DNS server on my network. I want to make sure I have all the settings in Untangle set correctly so it uses the Pi-hole instead of (or in addition to) the Ad Blocker app.

    Currently I have:
    Config/Network/Internal DHCP DNS override set to the Pi-hole IP.
    Config/Network/Bypass Rules - "bypass DNS sessions" is enabled.
    Config/Network/DNS Server with 3 static DNS IPs: 1-Pi-hole IP, 2-8.8.8.8, 3-9.9.9.9.

    Is there anything else? If this is all there is to set, is there any point in enabling the Ad Blocker app?

    Thanks,
    Robert

  • #2
    I don't point Untangle to my Pi-hole. It seemed to cause a DNS loop.



    • #3
      Why would there be an official "Untangle" guide to implementing Pi-hole on a network?

      Untangle's stated objective is to make things as easy as possible; implementing a 3rd-party DNS filtration system is the opposite of easy.

      But, back to sanity checking your configuration: that third item on the list makes no sense and isn't doing what you think it's doing, so just delete those entries.

      Using the DHCP DNS override is how you configure clients on your network to use another DNS server, so yeah, that's how you do that. Pi-hole does the rest on its own, but your use of that generic bypass rule means any client on your network can simply ignore DHCP and use whatever DNS it wants. So while this configuration works, it has no access control built into it.

      Of course the default Untangle DNS configuration lacks that as well, so it's not really a problem, just something to be aware of should you care. If not, onward.
      Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
      NexgenAppliances.com
      Phone: 866-794-8879 x201
      Email: [email protected]



      • #4
        Recently enabled Pi-hole for a site using Untangle Free.

        1 - Since they use AD, that server is handling internal DNS with Pi-hole as its forwarder. I don't care about individual host reporting, for now.

        2 - After #1 is working, proceed to block all DNS except for Pi-hole.

        A far more aggressive setting is to use a port forward to force all DNS requests passing through your firewall to Pi-hole. I haven't played too much with it and I'm not sure if it is possible with Untangle.

        Originally posted by frosterrj:
        Config/Network/Internal DHCP DNS override set to the Pi-hole IP.
        Config/Network/Bypass Rules - "bypass DNS sessions" is enabled.
        Config/Network/DNS Server with 3 static DNS IPs: 1-Pi-hole IP, 2-8.8.8.8, 3-9.9.9.9.
        Robert
        1 - Correct.
        2 - Wrong: any device can use external DNS and Untangle will simply ignore it. That includes malware that ignores the host DNS settings.
        3 - Just as sky-knight said, delete that.
        Last edited by TirsoJRP; 02-03-2021, 06:30 AM.



        • #5
          Setting up Pi-hole is fairly easy, but there are nuances depending on what exactly you want to do. As TirsoJRP and sky-knight indicated, you have the easy part done: Config -> Network -> Internal DHCP DNS override set to the internal Pi-hole IP.

          Important to note for the following - I do not use Google DNS:

          Now the fun part: just because you say to use it doesn't mean everything will. For example, Roku and most FireTV devices are hard-coded to use 8.8.8.8 and they do not respect your above configuration.

          So the next logical step is to set up a firewall rule to not allow that:
          Destination Port is 53
          Destination Address is NOT <enter the IP addresses you have Pi-hole pointing to so they don't get blocked>
          Action Type: Block


          Done... well, hang on... now the Roku and other devices are freaking out and trying to ping 8.8.8.8 many, many times throughout the day. Maybe you care, maybe you don't... but for me that crap is filling my Firewall block report and I don't want to look at it anymore.

          The next step, at least for me, was to see if I could send those hard-coded requests to Pi-hole anyway.

          Config -> Network -> Port Forward Rules:
          Protocol is TCP or UDP
          Destination Port is 53
          Source Interface is Internal
          Destination Address is 8.8.8.8,8.8.4.4,208.67.220.220 (Note: these are the only hard-coded DNS IPs I currently have an issue with)
          New Destination: <internal Pi-hole IP>
          New Port: 53

          Now, IF you want to see these redirects in Reports -> Network -> Port Forwarded Sessions, you'll need to turn on "Log Bypassed Sessions" in the Advanced tab. After a lot of searching on these forums I discovered that internal-to-internal traffic like this is considered bypassed, so you have to explicitly log it to ensure it's working. Leave logging on, leave logging off... totally up to you.

          Again, this Pi-hole setup is working well for me right now, but it depends on what all you're trying to accomplish.



          • #6
            You skipped a step...

            You can't specify a Firewall app rule for bypassed traffic. And due to the way Untangle works against how DNS works, I find it most effective to adjust the bypass rule so that it's source-IP limited, then simply have a Firewall app rule that blocks everything destined for a WAN interface, over TCP or UDP, on destination port 53.

            There's no need for an exemption in the firewall rule, because bypassed traffic won't be processed by the Firewall app.

            Now you can use Filter Rules instead of Firewall rules, as all traffic, including bypassed traffic, is subject to them. But that needs to be clear here, because we have two firewalls in Untangle. Again, those are the Firewall app, and iptables as configured via Filter Rules.



            • #7
              Interesting discussion - however, I'm curious about this option:
              Config/Network/Internal DHCP DNS
              Is that an option after v15?
              Here's what I see: [screenshot: Screenshot_2021-03-08 Untangle - red.png]



              • #8
                What is the screen shot showing?



                • #9
                  I'll type in what it's showing, in a row (in case you are on a phone or something):
                  Interface -
                  Hostname -
                  Services -
                  Port Forward Rules -
                  NAT Rules -
                  Bypass Rules -
                  Filter Rules -
                  Routes -
                  DNS Server -
                  DHCP Server -
                  Advanced -
                  Troubleshooting -

                  [EDIT]
                  what it's not showing is the item folks were writing about



                  • #10
                    On the Interfaces tab, click the edit pencil icon for your Internal LAN port. That will open a modal and you'll see the DHCP Configuration tab.



                    • #11
                      Thanks @Doberman, I was being too literal in my reading!



                      • #12
                        Originally posted by DobermanTech:

                        ...

                        Config -> Network -> Port Forward Rules:
                        Protocol is TCP or UDP
                        Destination Port is 53
                        Source Interface is Internal
                        Destination Address is 8.8.8.8,8.8.4.4,208.67.220.220 (Note: these are the only hard-coded DNS IPs I currently have an issue with)
                        New Destination: <internal Pi-hole IP>
                        New Port: 53
                        ...
                        In my rule I use a more generic / stricter destination address definition, like:
                        Destination Address IS NOT <my desired DNS>
                        Last edited by .Marcus.; 03-11-2021, 06:57 AM.
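The block rule from #5, the source-limited bypass plus WAN block from #6, and the "destination is NOT my DNS" port forward from #12, written out as iptables commands for a plain Linux router so the logic can be checked outside the Untangle GUI. This is an added example, not code from the thread or from Untangle's rule engine (Untangle's Filter Rules compile to iptables, but the exact chains it generates are not shown on this page). The Pi-hole address 192.168.1.53, the interface names eth1/eth0 and the function names are assumed placeholders. It prints the commands by default (dry run); set IPT=iptables to apply them. The one thing all three posts leave implicit is that the Pi-hole's own upstream queries also leave the LAN on port 53, so the Pi-hole must be excluded by source address or the redirect sends its lookups back to itself, which is the DNS loop described in #2.

```shell
#!/bin/sh
# Added example: iptables equivalents of the Untangle DNS rules discussed in
# posts #5, #6 and #12. Not from the thread or from Untangle itself.
# Assumed placeholder values; change them to match your network.
PIHOLE="${PIHOLE:-192.168.1.53}"   # assumed Pi-hole address on the LAN
LAN_IF="${LAN_IF:-eth1}"           # assumed internal interface
WAN_IF="${WAN_IF:-eth0}"           # assumed WAN interface
# Dry run by default: print the commands. IPT=iptables ./script.sh applies them.
IPT="${IPT:-echo iptables}"

# Port forward (posts #5/#12): any LAN client that ignores DHCP and queries a
# hard-coded resolver is DNATed to the Pi-hole. "! -d $PIHOLE" is #12's
# "destination IS NOT my DNS" form, which covers every resolver instead of a
# list of Google/OpenDNS addresses. "! -s $PIHOLE" is the exclusion the posts
# do not mention: without it the Pi-hole's own upstream queries match this
# rule and are redirected back to the Pi-hole (the loop from post #2).
dns_redirect_rules() {
    for proto in udp tcp; do
        $IPT -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
            ! -s "$PIHOLE" ! -d "$PIHOLE" \
            -j DNAT --to-destination "$PIHOLE:53"
    done
}

# Block (post #6): the source-limited bypass becomes an ACCEPT for the Pi-hole
# only; everything else headed for port 53 on the WAN is dropped. With the
# redirect above in place this is defence in depth; on its own it is post #5's
# first approach, where hard-coded clients simply fail.
dns_block_rules() {
    for proto in udp tcp; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p "$proto" --dport 53 \
            -s "$PIHOLE" -j ACCEPT
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p "$proto" --dport 53 \
            -j DROP
    done
}

# Decision logic of the rule sets above, usable without touching the firewall.
# Usage: classify_dns_flow SRC DST DPORT [redirect|block]
# Prints what happens to that flow: allow, redirect, or drop.
classify_dns_flow() {
    src=$1; dst=$2; dport=$3; mode=${4:-redirect}
    [ "$dport" = 53 ] || { echo allow; return; }       # rules only touch port 53
    [ "$src" = "$PIHOLE" ] && { echo allow; return; }  # Pi-hole's upstream queries
    [ "$dst" = "$PIHOLE" ] && { echo allow; return; }  # clients already using it
    if [ "$mode" = redirect ]; then echo redirect; else echo drop; fi
}
```

Run it as-is to see the commands, then e.g. `classify_dns_flow 192.168.1.20 8.8.8.8 53` to confirm a Roku-style client is redirected while `classify_dns_flow 192.168.1.53 198.41.0.4 53` (the Pi-hole talking to a root server, address constructed here) is left alone. The order matters in the real ruleset as well: the Pi-hole ACCEPT must precede the DROP, just as #6's source-limited bypass has to exist before the blanket Firewall app rule makes sense.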
