client VPN changes DNS to 8.8.8.8, circumventing pi-hole


Expected Behaviour:

DNS should be the DNS of my pi-hole, 10.0.1.24

Actual Behaviour:

When I connect my VPN [HotspotShield VPN], it changes my DNS nameserver to 8.8.8.8, which then completely circumvents my pi-hole.
Anyone know how to change this behavior so that my DNS stays on 10.0.1.24?

Debug Token:

https://tricorder.pi-hole.net/w02ab6u7cp

Which device are you connecting to the VPN - the Pi, or a separate client on the network? Where is the DNS nameserver being changed?

My iMac is connecting to the VPN. My DNS is set in my router.

Is the DNS nameserver on the iMac being reset by the VPN client?

Yes, exactly.

This is an issue with your VPN client, not with Pi-Hole.

Most VPN services default to routing DNS through their service to prevent DNS leaks.

OK, thanks. I've contacted their Helpdesk.

If you want to override it, you can try manually editing /etc/resolv.conf on the iMac while running VPN service.

I tried that and from the command line when I do "dig www.google.com" it shows that it used 10.0.1.24. But Safari is still using 8.8.8.8

Then this would be a setting in Safari. The default for all services on the computer is to use the DNS specified by the OS. Are you running any Safari extensions that can change the DNS to Google?

I'm not running any extensions in Safari, except uBlock. But only because pi-hole isn't working with the VPN connected.

I did notice the following statement at the beginning of the /etc/resolv.conf file:

```
#
# macOS Notice
#
# This file is not consulted for DNS hostname resolution, address
# resolution, or the DNS query routing mechanism used by most
# processes on this system.
#
# To view the DNS configuration used by this system, use:
# scutil --dns
#
# SEE ALSO
# dns-sd(1), scutil(8)
#
# This file is automatically generated.
#
nameserver 8.8.8.8
```

So when I run scutil --dns as it suggests, it shows a long list of entries, the first one being:

```
resolver #1
  nameserver[0] : 8.8.8.8
  if_index : 15 (utun1)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)
```

What DNS is in that file and shown in scutil --dns when the VPN is turned off?

In the file and in scutil --dns, when the VPN is turned off, it is 10.0.1.24.

OK, then it is your VPN client doing this and not a Safari feature.

Yeah, it's too bad. Can't find a VPN that works 100% like I want it to. This one circumvents my pi-hole, and another one I tried that lets me set the DNS causes kernel panics when I use VirtualBox. I just can't seem to win with VPN. :frowning:
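The check worked through in this thread, as an added example that was not posted by anyone in the thread: a shell function that reads `scutil --dns` output and lists every configured nameserver that is not the Pi-hole, with the section, resolver and interface it belongs to. The function names `dns_bypass_check` and `sample_scutil_output` are hypothetical, and the sample text is constructed; only its first resolver entry matches the output quoted above.

```shell
#!/bin/sh
# Constructed sample of `scutil --dns` output with the VPN connected.
# Resolver #1 matches the thread; the other entries are made up for illustration.
sample_scutil_output() {
cat <<'EOF'
DNS configuration

resolver #1
  nameserver[0] : 8.8.8.8
  if_index : 15 (utun1)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 10.0.1.24
  if_index : 4 (en0)
  flags    : Scoped, Request A records
EOF
}

# Read `scutil --dns` text on stdin; print "<section> <resolver> <iface> <ip>"
# for every nameserver that is not the expected one. Exit status 1 if any.
dns_bypass_check() {
    awk -v want="$1" '
        function report(   i) {
            for (i = 0; i < n; i++)
                if (ns[i] != want) { print scope, res, ifname, ns[i]; bad = 1 }
            n = 0; ifname = "-"
        }
        /^DNS configuration/   { report(); scope = ($0 ~ /scoped/) ? "scoped" : "default" }
        /^resolver #/          { report(); res = $2 }
        /^[ \t]*nameserver\[/  { ns[n++] = $3 }
        /^[ \t]*if_index/      { ifname = $4; gsub(/[()]/, "", ifname) }
        END                    { report(); exit bad + 0 }
    '
}

# On the Mac itself: scutil --dns | dns_bypass_check 10.0.1.24
sample_scutil_output | dns_bypass_check 10.0.1.24 ||
    echo "a resolver other than 10.0.1.24 is configured"
```

Resolvers without a `nameserver` line, such as the mDNS entry in the sample, are skipped rather than reported.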
