Help to solved DNS leak on pi-hole+NordVPN

I'm having trouble getting this right.
Situation; I have setup NordVPN in my Synology NAS via the builtin OpenVPN client to protect my LAN network and I've also setup Pi-hole docker on the Synology to block ads etc.
So when connecting via a client (computer or phone etc) every request is going through the VPN and pi-hole to the internet so far so good. But when I check for DNS leak IP (NordVPN IP) and the DNS server doesn't match. See screens for explanation.

pi-hole upstream point to NordVPN DNS server
Screen_Shot 6

Also I've edited the vpnserver.ovpn file and add dhcp-option DNS
When check DNS Leak I see this:
Screen_Shot 3

Config network computer:
Screen_Shot 7
router ip is Synology acting as gateway

Screen_Shot 8
ip pi-hole

Any idea how to solve this problem?

I do not see any problem here, but that is probably due to lack of information. :wink:

Are you sitting in Montreal?
If not, your VPN provider is successfully camouflaging your true location.

Is your ISP's DNS server?
If not, your VPN provider is successfully redirecting DNS traffic away from your ISP.

Also, you may want to browse through your VPN provider's information on DNS leaks and how to interpret tests directly at NordVPN.

Montreal is not my real location it is the NordVPN location I've chosen to test and also is the DNS of my VPN provider (NordVPN).

I thought that both the IP addresses shoud be the same and no waring of DNS leak should be there

This how it shows without pihole in the middle:

So thats why I was under the impression that there was something wrong :wink:

From a DNS (leak) perspective, you need to contain the DNS requests within the range.

So basically, your devices need to ask a DNS server located in the range (

This is at IPV4 level. If you have IPV6 enabled, the queries might go (will) though the IPV6 DNS server which (I bet) is different form the Pi-hole IPV6 IP.

This applies to the VPN side of things too, as IPV6 DNS ip (on the client) might override the VPN DNS IP.

Those will most likely not work as the request needs to be authorized by the DNS as in belonging to a NordVPN IP.

You really have everything tangled here.

A clean way of having this working would be like this:

Pi-hole DNS - anything public for upstream (recommending unbound?) or if you know NordVPN allows public requests to them, you can keep those but i doubt they allow anyone to use DNS servers (unless you are on their subnet).

Synolgy at LAN settings use the Pi-hole IP ( as the DNS).
This is where it gets tricky.
For the VPN server, you need to specify the same Pi-hole IP as the dns so dhcp-option DNS is the approach you need to take.

While I own a Synology, I never used the VPN part of it, so I really don't know the implementation and the IPTABLES rules within.
I use separate dedicated OpenVPN servers, most on raspberry Pi devices, the very same ones that host Pi-hole.

If everything is correct, your client should get an OpenVPN server provided IP when connected, and use the Pi-hole IP.

Now, since you are bypassing the OpenVPN and hence NordVPN DNS, while your connection goes through your NordVPN and hence the NordVPN IP, your DNS query will go through your home IP.

If you want to pas everything though NordVPN, you will most likely lose the ability to use Pi-hole when connected to VPN.

When you say a client, you mean local network right? Not VPN-ed in.

If that's the case, Your DHCP server needs to push the DNS with the IP of the Docker Pihole and Pi-hole's upstream need to be set as the VPN server's IP from the VPN server (not the NordVPN upstream).

Thank you for your detailed explanation.
The way you wrote it down, that's how I set it up. Probably got a little tangled up in my questions and explanations. :grimacing:

To answer your question why I use NordVPN's DNS servers is because they recommend it on their support page. What are your DNS server addresses? | NordVPN Support

I also tried other DNS servers like Quad9 but it gave the same result.

What about IPV6?

Is that enabled? If yes, disable it network wide and try again.

IPv6 is network wide disabled. It was never enabled.

The strange thing is if I put the VPN IP ( when it is connected) in the upstream of pihole nothing happens I cannot connect to the internet (followed your steps exactly) but when I put the NordVPN DNS server IP in the pihole upstream it connects to the internet but then I have the two different IP addresses as the screenprint above.

If I do the same thing with ProtonVPN instead of NordVPN and I put the IP address of the vpn when it is connected in the upstream of pihole it works and the DNS leak test doesn’t show a leak.
I hope you understand what I’m trying to say :thinking:

How is your Pi-hole set-up under listening behavior?

Is it set to Allow all, permit all origins ?

Yes it is set to Listen on all interfaces, permit all origins
I have tried all the 3 preferences, but non of them made a difference

Only reason I can think of is something settings related as it works with one but not the other ....

Could it be specific NordVPN related, that they are blocking something that is necessary for the communication between lan and the vpn. Or is it related to communication between Synology lan and docker.

That I don't know because I didn't run anything in docker. But... Is the other one (Proton) ran in the same place?

It could both ....

Yes same place. The openvpn client is on my Synology and pihole is running in the docker on the same nas.

I could try to run openvpn on my old nas and the connect pihole to that connection and see what happen

1 Like

So I have connected my old nas to a NordVPN server (openvpn)
And than I pointed pihole (docker) upstream to that nas with the vpn connection (I added the nas ip in the pihole upstream) and ...guess what. It is working, no dns leak when testing.

So I guess it’s a communication problem when connected on the same machine. I need to figure out how to let the nas communicate with docker on the same machine.