My setup is: Android phone connected to a custom OpenVPN server.
OpenVPN is pushing my Pi-Hole server as primary (and only) DNS server.
Wi-Fi settings on Android are set to static IP address, and my Pi-Hole server is the only DNS server set - just in case OpenVPN setting does not take precedence.
Private DNS is set to disabled.
If I go to my Pi-Hole admin console, I can see that the DNS requests are going through it. I have a lot of query log for my Android device, and some domains are blocked as expected. But the thing is, it doesn't block anything on my Android device. Pi-Hole Ad Tester – Fuzz The Pi Guy for example is loading ads, even if Pi-Hole is saying that it blocked some stuff.
dnsleaktest.com tells me I'm using OpenDNS servers (which is what I set up on Pi-Hole so I guess it makes sense?)
Any idea what I'm missing? Or is it possible that Android is forcing a DNS fallback to something else (probably Google DNS I guess) on a system level?
Aaaaand I might have a partial answer to my own problem...
It looks like it's related to chrome and/or whatever built-in system is set with Android.
When using another browser (Firefox or DuckDuckGo for example): it works as expected. I manually added some domain names such as ebay.com and stuff, and it doesn't load on FF/DDG. On Chrome/the built-in navigator (which is Chrome behind the scenes) it loads. So it does look like Chrome/Android has a built-in fallback mechanism for DNS resolution failure.
Can someone confirm that? And most importantly, does someone know how to solve this issue and how many apps it impacts? I guess the only other solution would be to use a private DNS such as AdGuard?
Check your Chrome browser settings for Private DNS or Secure DNS. If these are on, disable them. These settings route DNS traffic through a DoH server and result in a Pi-hole bypass.
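A Pi-hole-side check for this kind of bypass, as an added example that is not part of the thread or of Pi-hole itself. It assumes the dnsmasq-format lines Pi-hole writes to /var/log/pihole.log, a hand-picked (not exhaustive) list of DoH endpoint hostnames, and the usual browser behaviour that the DoH server's own hostname is first looked up through the system resolver before all other queries go over HTTPS; the log lines below are constructed, not captured from a real network. A client that appears in the first function's output and has a suspiciously low count in the second is the one whose browser is talking past Pi-hole.

```python
"""Flag LAN clients whose Pi-hole query pattern suggests a DoH bypass.

Added example, not code from the thread. Assumes Pi-hole's dnsmasq-format
/var/log/pihole.log lines and an illustrative list of DoH endpoint
hostnames (both are assumptions). A browser bootstrapping a DoH resolver
asks the system resolver (Pi-hole) for the DoH server's hostname, then
sends everything else over HTTPS, so that hostname is often the last thing
Pi-hole sees from the client.
"""
import re
from collections import defaultdict

# Hostnames used by common DoH providers; illustrative list, not exhaustive.
DOH_ENDPOINTS = {
    "dns.google",
    "chrome.cloudflare-dns.com",
    "cloudflare-dns.com",
    "doh.opendns.com",
    "dns.quad9.net",
}

# Matches e.g. "Mar 12 14:21:02 dnsmasq[812]: query[A] ebay.com from 192.168.1.60"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)


def parse_queries(lines):
    """Yield (client, name, qtype) for each dnsmasq query line; skip others
    (forwarded/blocked/reply lines are ignored)."""
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            yield m.group("client"), m.group("name").lower(), m.group("qtype")


def find_doh_bootstraps(lines, endpoints=DOH_ENDPOINTS):
    """Return {client: sorted DoH hostnames it resolved} for clients that
    asked Pi-hole for a known DoH endpoint or a subdomain of one."""
    hits = defaultdict(set)
    for client, name, _ in parse_queries(lines):
        for ep in endpoints:
            if name == ep or name.endswith("." + ep):
                hits[client].add(name)
    return {c: sorted(n) for c, n in hits.items()}


def query_counts(lines):
    """Total query lines per client; a bypassing client shows very few."""
    counts = defaultdict(int)
    for client, _, _ in parse_queries(lines):
        counts[client] += 1
    return dict(counts)


# Constructed sample log for this example, not real traffic.
SAMPLE_LOG = """\
Mar 12 14:21:02 dnsmasq[812]: query[A] chrome.cloudflare-dns.com from 192.168.1.50
Mar 12 14:21:02 dnsmasq[812]: forwarded chrome.cloudflare-dns.com to 208.67.222.222
Mar 12 14:21:03 dnsmasq[812]: query[AAAA] chrome.cloudflare-dns.com from 192.168.1.50
Mar 12 14:21:09 dnsmasq[812]: query[A] ebay.com from 192.168.1.60
Mar 12 14:21:09 dnsmasq[812]: gravity blocked ebay.com is 0.0.0.0
Mar 12 14:21:10 dnsmasq[812]: query[A] www.mozilla.org from 192.168.1.60
Mar 12 14:21:11 dnsmasq[812]: query[A] addons.mozilla.org from 192.168.1.60
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for client, names in find_doh_bootstraps(lines).items():
        print(f"{client}: resolved DoH endpoint(s) {names}; "
              "later queries from this client probably never reach Pi-hole")
    print("queries per client:", query_counts(lines))
```

On a real install, feed it `open("/var/log/pihole.log")` instead of `SAMPLE_LOG.splitlines()`. Resolving a DoH hostname is only a hint, not proof: a client that resolves `dns.google` once and then keeps sending hundreds of ordinary queries to Pi-hole is probably fine, whereas one that resolves it and then goes quiet is the Chrome Secure DNS case from the answer above.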
Woohoo! Thanks a lot I didn't know there was a specific secure DNS option on Chrome. It's working now!
I was looking into setting pihole as a private DNS using Let's Encrypt and nginx but I'm new to Let's Encrypt and I'm having issues generating my cert. Any chance someone can help me with that?