DNS Leak Test shows DNS used is not Cloudflare, but Cloudflare is upstream server for PiHole

Please follow the below template, it will help us to help you!

I’m not sure if this is a PiHole issue but this is the best place to get help as you guys are really good at diagnosing issues. Sorry if this shouldn’t be in the help thread but thank you all for helping! You guys are awesome!

Expected Behaviour:

[Running the test provided at https://www.dnsleaktest.com
Should show that my DNS being used is CloudFlare (1.1.1.1). ]

Actual Behaviour:

_[The extended test from https://www.dnsleaktest.com is showing my DNS queries are being sent to:

I don’t know who these people are or why my system would be sending DNS queries to that IP. I tried in Chrome, which is using my system DNS. I have my system set to use the pihole only for DNS, and the upstream servers are set to CloudFlare.

I also ran the test in Firefox, which I have set the DNS over HTTPS setting to use https://dns.adguard.com/dns-query (just for testing). I would expect running the test from the Firefox browser would show 176.103.130.131 or 176.103.130.130, the IPs for dns.adguard.com. But I get the same result in both browsers.

Maybe I’m misunderstanding how the dnsleaktest website actually works, but if I connect to a VPN I purchased and run the DNS leak test, the dns server IPs show up as the VPN Providers addresses:

]_

Debug Token:

[Replace this text with the debug token provided from running pihole -d (or running the debug script through the web interface]

That IP (the vultr.com one) is the host you are running Pi-hole on (cloud server or maybe your service provider?).

Does it match with the output whatsmyip.org ?

So the host Pi-Hole is on is a Ubuntu laptop behind my Comcast router and the public ip is 24.x.x.x so it’s not from them.

Ok. Then, you should see your Cloudfare IP as your DNS on the DNS leak test.

Unless, you are using IPV6 and your queries are leaking through that.

What you need to make sure is that you have 1 IP set as your DNS ip and that’s the IP of your Pi-hole.

Can you replicate the same result on all devices?

1 Like

The ip of the pihole is the only ip in the dns settings for the machine in question.
image

I can test other machines when I get home (I’m remoted in now). I think I did it on my Playstation as well and saw that vultr.com ip.

I am 99% positive I have ipv6 disabled, but the test would show an ipv6 address if it was leaking.

That’s not true I haven’t yet found a website that will display ipv6 dns servers. That includes dnsleaktest.com

They may mention that you have an ipv6 dns connection but nothing more.

@Jorgsmash, you are just seeing the actual IP of the box you are connecting to for your DNS. If everyone is configured for 1.1.1.1 we are not all hitting the same server somewhere. Cloudflare has a whole network (including vultr.com) that services the world. In the test above that is the specific IP you hit within that cloud of computers serving whatever your DNS destination is.

1 Like

^
Pretty much this

For what it’s worth, when I run that test from my network, it finds either 5 or 6 servers in each of the 6 query rounds, but they all show “Cloudflare” as the ISP.

1 Like

@capboomer Thanks for the clarification. I do however wonder why, as @jec0047 mentioned, it doesn’t show cloudflare as it once did. I have ran this test multiple times in the past to find that the results show Cloudflare. I was concerned because when I looked into the vultr.com company they came back with very poor reviews and I didn’t know or trust these people.

If I were to configure the Pi-Hole to use CloudFlare’s (or AdGuards) DNS over HTTPS do you think the results would differ?

I’m very intrigued by the list that AdGuard has put together here: https://kb.adguard.com/en/general/dns-providers

I would probably use the https://dns.adguard.com/dns-query as my upstream DoH server. I have tried searching for people who have set up their Pi-Holes to use AdGuard’s Free DNS servers (176.103.130.130 and 176.103.130.131) as the upstream servers but I haven’t found anyone who has done that. But I have considered it. What do you think would happen using both a Pi-hole and AdGuard DNS as upstream?

Ubound should be a better choice. I believe that myself, for the simple fact that you do not need third party upstream servers.

You will be “talking” directly with the root servers …

1 Like

I always suggest the following:
Pihole using cloudflared for DoH & I have unbound as a backup DNS.
https://docs.pi-hole.net/guides/dns-over-https/
Use a VPS to setup steisandeffect VPN (run your own VPN server).
https://github.com/StreisandEffect/streisand
Configure VPN for your pihole so all your mobile devices can use your DNS anywhere in the world.
https://docs.pi-hole.net/guides/vpn/overview/

1 Like

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.