When I first set up my home network using my OPNsense router and was learning firewall rules, I took the approach of allowing only the Unbound DNS service on OPNsense to be accessed and blocking access to all other DNS servers. This simplistic approach works well enough since any rogue access to external DNS servers are simply blocked. Only the DNS resolver on the local network is allowed (unless the DNS requests are encrypted, of course – see note below).
Pi-hole is open source software which provides ad blocking (and more) for your entire home network. It does this by blocking known ad serving domains. Pi-hole even has the ability to block network requests to malicious domains if the domain name is contained in one of the block lists.
The high level statistics compiled by Pi-hole provides a much greater insight to what is going on in your home network.
Now that you have Pi-hole and Portainer setup within Docker (perhaps on a Raspberry Pi (affiliate link)?) and you notice that an update is available for Pi-hole, you may be wondering, “How do I update Pi-hole”? Sure, you can pull a new image and restart it via the command line. However, you have a nice graphical interface setup and you may enjoy looking at it rather than a console window (sacrilege for the command line folks, I know).
In my home network I wanted to set up a dedicated Pi-hole installation so that I could have network-wide ad blocking. Additionally, I could reduce the telemetry/tracking performed by applications and operating systems as well as potentially block malware. Pi-hole provides the ability to view the DNS traffic on my network on a per device basis, which may present valuable insight in detecting unusual activity on the network.
While OPNsense can be configured to provide DNS blocking, I really like the graphs and logging of Pi-hole.
Setting up the Pi-hole DNS service is relatively straightforward on your home network. When you have VLANs configured, the setup is slightly more complicated. The issue is that you need to ensure that all of your VLANs have access to the Pi-hole server which is located on a different network (ideally, it should probably be located in your management VLAN to protect it from being accessed by your other network devices).