DNS leak on my new laptop

My Issue

I've already configured my router and Pi-hole to automatically change the DNS server of my devices when they connect to my router; all my devices work perfectly when connected to my router except for the new laptop with Windows 11 that I just bought.

I've tried everything from flushing and renewing my DNS to even manually changing my DNS server in the network adapter on my laptop, rebooting and updating Pi-hole, but it still shows my real ISP on dnsleaktest on my new Windows 11 laptop. I'm not sure if this is a Pi-hole issue or an issue with my new laptop; hopefully someone can help me out, cheers.

Expected Behaviour:

dnsleaktest showing Cloudflare as my ISP

Actual Behaviour:

dnsleaktest showing my real ISP as my ISP

A debug token would be very helpful here.

My debug token is
https://tricorder.pi-hole.net/K9Xx8J7q/

Thanks.

Your Pi-hole is sending queries to 1.1.1.1.

Your router is handing out more than just Pi-hole as DNS servers though.

      dns-server: 192.168.1.3
      dns-server: 1.1.1.1

from

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   Timeout: 10 seconds
   
   WARN: Could not sendto() in send_dhcp_discover() (/__w/FTL/FTL/src/dhcp-discover.c:233): Network is unreachable
   * Received 548 bytes from eth0:192.168.1.1
     Offered IP address: 192.168.1.109
     Server IP address: 192.168.1.1
     Relay-agent IP address: N/A
     BOOTP server: (empty)
     BOOTP file: (empty)
     DHCP options:
      Message type: DHCPOFFER (2)
      server-identifier: 192.168.1.1
      lease-time: 7200 ( 2h )
      netmask: 255.255.255.0
      router: 192.168.1.1
      dns-server: 192.168.1.3
      dns-server: 1.1.1.1
      --- end of options ---
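As an added illustration (not part of the thread and not Pi-hole project code), the following Python script parses the "Discovering active DHCP servers" section of a Pi-hole debug log and reports every DNS server offered that is not the Pi-hole, plus any offer coming from a DHCP server you did not expect (a second DHCP server on the LAN would give clients yet another way around Pi-hole). The sample input is constructed from the output above with a made-up second offer from 192.168.1.50 appended; 192.168.1.3 is the Pi-hole address and 192.168.1.1 the router from this thread.

```python
import re
from dataclasses import dataclass, field

PIHOLE_IP = "192.168.1.3"                # Pi-hole address from the debug output above
EXPECTED_DHCP_SERVERS = {"192.168.1.1"}  # the router; any other DHCP server is suspect

# Constructed sample: the DHCPOFFER from the thread's debug log, plus a made-up
# second offer from 192.168.1.50 to show how a second DHCP server is reported.
SAMPLE = """\
*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   Timeout: 10 seconds
   * Received 548 bytes from eth0:192.168.1.1
     Offered IP address: 192.168.1.109
     Server IP address: 192.168.1.1
     DHCP options:
      Message type: DHCPOFFER (2)
      server-identifier: 192.168.1.1
      lease-time: 7200 ( 2h )
      netmask: 255.255.255.0
      router: 192.168.1.1
      dns-server: 192.168.1.3
      dns-server: 1.1.1.1
      --- end of options ---
   * Received 300 bytes from eth0:192.168.1.50
     Offered IP address: 192.168.1.200
     Server IP address: 192.168.1.50
     DHCP options:
      Message type: DHCPOFFER (2)
      server-identifier: 192.168.1.50
      dns-server: 192.168.1.50
      --- end of options ---
"""

OFFER_RE = re.compile(r"\* Received \d+ bytes from ([^:\s]+):(\S+)")


@dataclass
class Offer:
    interface: str
    server: str
    dns: list = field(default_factory=list)


def parse_offers(text):
    """Split the debug section into one Offer per DHCP server that answered."""
    offers, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = OFFER_RE.match(line)
        if m:
            current = Offer(interface=m.group(1), server=m.group(2))
            offers.append(current)
        elif current is not None and line.startswith("dns-server:"):
            current.dns.append(line.split(":", 1)[1].strip())
    return offers


def audit(offers, pihole_ip=PIHOLE_IP, expected_servers=EXPECTED_DHCP_SERVERS):
    """Return a list of findings; an empty list means only Pi-hole is handed out."""
    findings = []
    for o in offers:
        if o.server not in expected_servers:
            findings.append(f"unexpected DHCP server {o.server} on {o.interface}")
        extra = [d for d in o.dns if d != pihole_ip]
        if extra:
            findings.append(f"{o.server} offers non-Pi-hole DNS: {', '.join(extra)}")
        if pihole_ip not in o.dns:
            findings.append(f"{o.server} does not offer Pi-hole at all")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_offers(SAMPLE)):
        print("FINDING:", finding)
```

Run it against the DHCP section copied out of your own debug log: any line other than a single `dns-server: <Pi-hole IP>` per offer means clients are free to skip Pi-hole, which the leak-test page will never tell you.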

I've already tried deleting the 2nd DNS server on my router and restarting both my router and Pi-hole, and my DNS still leaks. I've also tried manually configuring the DNS server and IP address on my new laptop and the same thing still happens.

All my other devices that connect to my network work as expected; it's just my new laptop with Windows 11 that is leaking my DNS.

Have you checked if your new laptop has a default DNS other than the one assigned by the router?

Yes, I've triple-checked them from the command prompt, network properties, and the default Windows 11 network app; they all report 192.168.1.3 (Pi-hole) and 1.1.1.1 as DNS servers from the automatic DHCP server. I've compared my network settings with my old laptop and they're exactly the same; I don't understand why the new laptop is leaking my ISP DNS but none of my other devices leak my ISP DNS.

That would be true if you expected your clients to by-pass Pi-hole via 1.1.1.1 at their discretion.
If you do not intend Pi-hole to be by-passed, it must be the only DNS resolver for your network.

Your debug log suggests that you have link-local IPv6 connectivity.
Did you check your IPv6 configuration?

On your Win11 laptop, what's the output of

ipconfig /all

We'd only be interested in the DNS server section.

OK, so I've set my router's DHCP server to hand out my Pi-hole only as a DNS server and reset my whole router and Pi-hole. The reason I put 1.1.1.1 as the secondary DNS server on my router is network redundancy: in case my Pi-hole fails, others in the house can still browse the internet without the Pi-hole.

Sorry, I don't know anything about IPv6 as I've never used it before; how do I check whether I have an IPv6 link-local connection?

Here's my ipconfig /all screenshot.

OK, so I did some more research regarding my DNS leak and made some more adjustments to my Pi-hole and laptop.

  • I've disabled my router's DHCP server and enabled my Pi-hole's DHCP server
  • I've disabled all of my new laptop's and router's IPv6 capabilities, be it wired or wireless

and somehow that made my DNS leak worse; all my devices now show my real ISP on dnsleaktest.com.
The only way I can mask my DNS again is to turn on the DHCP server on my router and put in Cloudflare's DNS server, bypassing the Pi-hole altogether.

My debug token after I made the adjustments to my Pi-hole:
https://tricorder.pi-hole.net/c2TNQaly/

As said, your debug log was suggesting that much:

The following section shows your Pi-hole host machine's eth0 interface carrying a link-local IPv6 address (range fe80::/10), but no public GUA IPv6 address (range 2000::/3).

*** [ DIAGNOSING ]: Name resolution (IPv6) using a random blocked domain and a known ad-serving domain
[✓] join.thewritingrevolution.org is :: on lo (::1)
[✓] join.thewritingrevolution.org is :: on eth0 (fe80::<redacted>37)
[✗] Failed to resolve doubleclick.com via a remote, public DNS server (2001:4860:4860::8888)

It also shows that Pi-hole cannot resolve requests when using Google's DNS server IPv6 address as upstream resolver.
Both findings combined imply that your network does not have public IPv6 connectivity, but link-local IPv6 communication is a possibility.


That's looking good. :wink:
It shows that the machine it was run from is aware of Pi-hole's IPv4 address only - no router IPv6 address that would allow that machine to by-pass Pi-hole.

Now that we've sorted your router's configuration, let's take a look at your original observation:
Technically speaking, a DNS leak can only occur if you connect to the Internet through some VPN service.

That means whatever DNS leak test you have been running, the results are relevant only for clients that connect to the Internet using the services of a VPN provider.
If you do not use a VPN provider, then the 'leak test' is doing nothing more than showing you the DNS server IP addresses that your network is sending DNS requests to.

Mind that most of those DNS leak tests are actually offered by VPN providers, as a means of verifying a VPN(!) connection doesn't leak DNS, and probably as means to attract new customers (by appealing to fears about DNS leakages).

Are you employing such a VPN service?

No, I don't use any VPN services.

I did my DNS test on dnsleaktest.com, and since I've configured my router to bypass the Pi-hole, my other devices are back to showing Cloudflare as my ISP on dnsleaktest.com, but my new laptop for whatever reason is still connected through the Pi-hole, making it show my real ISP on dnsleaktest.com. Next I am going to try disconnecting my Pi-hole from my network to see if my new laptop still leaks my DNS.

You do not have a DNS leak.
There is no leak if you are not using a VPN service.

Whatever page you are looking at - it just reflects what public DNS server your network has been using, as triggered by that test page.

If that is unexpectedly deviating for your Win11 client, that may hint at a client-specific by-pass of your network's DNS resolvers.

We've eliminated the DNS by-pass your router allowed via 1.1.1.1.
(Note that your leak test did not (and could not) reveal that - your debug log's Discovering active DHCP servers section did that.)

If DNS requests from your Win11 client do not end up at one of Cloudflare's IPs, then some software on your client is not respecting the DNS resolvers as distributed by your router.

A likely such candidate would be a browser using DNS-over-HTTPS.
Make sure the browser you are using does not have DoH enabled.

If none of your Win11 browsers is using DoH, let's check whether DNS requests would make it to Pi-hole.

Run from your offending Win11 client, what's the output of the following commands:

nslookup pi.hole
nslookup flurry.com

When executing those requests, closely watch Tools | Tail pihole.log:
Do both of these requests show up?

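The check suggested above (do the nslookup queries for pi.hole and flurry.com from the Win11 client actually appear in pihole.log?) can be scripted instead of eyeballed. The following Python is an added example, not from the thread or the Pi-hole project: it scans pihole.log text for `query[...] <domain> from <client>` lines and reports, per client, which of the expected names arrived and which were blocked. The log lines are constructed in the dnsmasq style Pi-hole writes (format reproduced from memory, so treat the exact wording of the non-query lines as an assumption); 192.168.1.109 stands in for the Win11 client, 192.168.1.42 for a client that never sent anything to Pi-hole.

```python
import re

# Constructed sample of dnsmasq-style lines as written to /var/log/pihole.log.
# Timestamps, pid and addresses are made up to match the thread's 192.168.1.0/24.
SAMPLE_LOG = """\
Mar  1 12:00:01 dnsmasq[712]: query[A] pi.hole from 192.168.1.109
Mar  1 12:00:01 dnsmasq[712]: /etc/pihole/local.list pi.hole is 192.168.1.3
Mar  1 12:00:02 dnsmasq[712]: query[A] flurry.com from 192.168.1.109
Mar  1 12:00:02 dnsmasq[712]: gravity blocked flurry.com is 0.0.0.0
Mar  1 12:00:05 dnsmasq[712]: query[A] example.com from 192.168.1.77
Mar  1 12:00:05 dnsmasq[712]: forwarded example.com to 1.1.1.1
"""

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")
BLOCK_RE = re.compile(r"gravity blocked (\S+) is ")


def queries_from(log, client_ip):
    """Domains the given client asked Pi-hole for (lower-cased)."""
    seen = set()
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group(3) == client_ip:
            seen.add(m.group(2).lower())
    return seen


def blocked_domains(log):
    """Domains Pi-hole answered from gravity (i.e. blocked)."""
    return {m.group(1).lower() for m in BLOCK_RE.finditer(log)}


def check_client(log, client_ip, expected=("pi.hole", "flurry.com")):
    """Did the test queries from this client reach Pi-hole?

    status: "ok"       -> every expected name was queried through Pi-hole
            "partial"  -> some names never arrived (cached locally, or split resolvers)
            "not_seen" -> none arrived: the client resolves elsewhere (DoH, another resolver)
    """
    seen = queries_from(log, client_ip)
    missing = [d for d in expected if d not in seen]
    if len(missing) == len(expected):
        status = "not_seen"
    elif missing:
        status = "partial"
    else:
        status = "ok"
    return {
        "status": status,
        "missing": missing,
        "blocked": sorted(blocked_domains(log) & seen),
    }


if __name__ == "__main__":
    for ip in ("192.168.1.109", "192.168.1.42"):
        print(ip, check_client(SAMPLE_LOG, ip))
```

Feed it the real file (`check_client(open("/var/log/pihole.log").read(), "<client IP>")`) right after running the two nslookup commands; a "not_seen" result while the client still gets answers is the signature of a resolver that sidesteps Pi-hole, DoH in a browser being the usual one.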

I've checked my old laptop and it turns out this was enabled in both my Firefox and Chrome browsers, and when I disable them I get the same problem as on my new laptop. As soon as I enable DoH on my new laptop it doesn't show my real ISP anymore on dnsleaktest.com.

Here's the output from the command.

Also, I just read on the internet about my ISP blocking all public DNS, forcing users to use their DNS only, so that might be why all my devices (which have DoH enabled by default for some reason) show my real ISP DNS on dnsleaktest after I turned it off on all of them.

I think I'm just going to enable DoH on my devices to mask my DNS for browsing rather than figure out a way around this.

Thanks everyone for the help.

As explained, a browser with DoH enabled will by-pass Pi-hole.

If you want to evade your ISP's DNS resolver enforcement via DoH, you could consider setting up a DoH proxy like cloudflared on your Pi-hole host machine and using that as Pi-hole's only upstream DNS server.

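The point of the suggestion above is that the DoH proxy must be Pi-hole's only upstream: if a plain-text upstream such as 1.1.1.1 stays configured alongside it, port-53 queries can still leave the Pi-hole host and get intercepted by the ISP. The following Python is an added example (not from the thread or the Pi-hole project) that audits the upstream entries of a Pi-hole v5 setupVars.conf; it assumes upstreams are stored as `PIHOLE_DNS_1=`, `PIHOLE_DNS_2=`, ... lines and that cloudflared listens on 127.0.0.1#5053, the port used in the Pi-hole cloudflared guide. Both configuration fragments are constructed.

```python
# Constructed /etc/pihole/setupVars.conf fragments (assumed v5 key names):
# BEFORE still forwards in plain text, AFTER forwards only to the local
# cloudflared DoH proxy.
BEFORE = """\
PIHOLE_INTERFACE=eth0
PIHOLE_DNS_1=127.0.0.1#5053
PIHOLE_DNS_2=1.1.1.1
DNSMASQ_LISTENING=local
"""
AFTER = """\
PIHOLE_INTERFACE=eth0
PIHOLE_DNS_1=127.0.0.1#5053
DNSMASQ_LISTENING=local
"""

DOH_PROXY = "127.0.0.1#5053"  # assumed cloudflared listener, as in the Pi-hole guide


def upstreams(conf):
    """All PIHOLE_DNS_n values, in file order, blank entries skipped."""
    found = []
    for line in conf.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.startswith("PIHOLE_DNS_") and value.strip():
            found.append(value.strip())
    return found


def plaintext_upstreams(conf, proxy=DOH_PROXY):
    """Upstreams that are not the local DoH proxy: each is a path for
    unencrypted port-53 queries to reach the ISP's resolver."""
    return [u for u in upstreams(conf) if u != proxy]


def doh_only(conf, proxy=DOH_PROXY):
    """True when Pi-hole has at least one upstream and all of them are the proxy."""
    ups = upstreams(conf)
    return bool(ups) and not plaintext_upstreams(conf, proxy)


if __name__ == "__main__":
    for name, conf in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(name, "doh_only =", doh_only(conf), "plaintext =", plaintext_upstreams(conf))
```

Run `doh_only(open("/etc/pihole/setupVars.conf").read())` after following the cloudflared guide; a False result names the leftover upstream that still needs removing from the Pi-hole DNS settings page.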

Thank you so much for your help! You've been so patient and helpful; I will have a read of the guide and set it up on my Pi-hole, and I will let you know the result.

Update: I just finished setting up cloudflared on my Pi-hole and everything works correctly, no more DNS leak on any of my devices. Thank you so much everyone for the help :grin:
