Add to PiHole-VPN docs - iptables rule to block dns queries to dns resolvers other than pihole


as some people encounter, i had the issue that Pi-hole is not working on Android (in my case 9) WiFi (with or without static DNS) nor on cellular (both) with OpenVPN's push DNS option (pointing to pihole). People in this thread Pi-Hole works everywhere except Android Phones describe Google bypasses the given DNS settings in other sites i read that some cellular ISP-(stations?) force to set DNS resolvers.

My workaround to these kinds of setting DNS resolvers other than pihole is to route all traffic through OpenVPN with PiHole as DNS Resolver as described here: Redirecting... with dropping all dns queries to dns resolvers other than pihole.
I have configured the PiHole to listen on all interfaces, pushed the DNS option with the Pi's IP from eth0-Interface e.i. 192.168.ABC.DEF (also described here: Redirecting...) AND i installed the additional (to Redirecting...) iptables-rules:

sudo iptables -A FORWARD ! -d 192.168.ABC.DEF -i tun0 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j DROP

This drops all forwarded DNS queries (all udp traffic on port 53) from interface tun0 that has not the destination 192.168.ABC.DEF (e.i. the eth0-Interface IP of the Pi on which the pihole listens)

Please try this out or suggest better solutions/potential issues with this! If there is a good solution, please update* (potentially /firewall ?) so that other also gets ads blocked with OpenVPN+Pi-hole on Android because me already costs this a lot time.

Thank you!

You can always open a Pull request via Pull requests · pi-hole/docs · GitHub

Oh, i didn't see the docs git while scrolling through pihole gits. I will definitely do that!

1 Like

Have you opened a PR? I could not find it....

I tested my approach further on, but sadly it seems to not quite work in all cases. As described in my first post, I set up pihole with OpenVPN. If I connect and test DNS-Resolving e. g. to doubleclick(DOT)net it will be blocked (DNS-Request on port 53 will be block due to the provided iptables rule), if testing with the app Termux. But there are still ads e. g. on YouTube. So it seems there is some custom DNS-Resolving happening within Android?

I haven't investigated this further on. Feel free do to so and open a pull request if this works reliable.

Youtube is a special case. It's not easy to block their ads - search the forum and you will find multiple complex approaches being more or (often) less successful. If the rule works for "general" p53 block this should be fine.

I wasn't aiming in this direction. I clean up the feature request subforum a bit and will remove the "partially-implemented" tag. If you PR something I will add it back :wink:

Ok, i will look into it. Thank you for this hint!