If my pi is behind a VPN, do the DNS queries to DNS root servers from unbound get routed through the VPN? Do DNS queries from unbound to root servers go through a VPN?

If my pi is behind a VPN, do the DNS queries to DNS root servers from unbound get routed through the VPN? If not, both my VPN provider as my ISP would know the websites I’d visit, which might arguably be worse than not even running a VPN.
So, do the DNS queries get routed through my VPN?

The scenario is this:
Dns request for google.com to pi hole (from localhost or external)
Pi hole checks blacklist and cache.
Not in there? Ask the dns provider, in this case unbound.
Unbound asks the dns root root, gives com root. Unbound asks com root, gives google root. Unbound asks google root, gives ip.
So my question is whether the unbound requests to the dns roots/google go through vpn.

IF you host your own VPN server on the same device as Pi-hole, you would have the request go like this:

VPN Client --enryptedVPNquery–>VPN Server/Pi-hole------>Unbound (and roundtrip).

If you use a VPN provider then your DNS request would go first through them and their VPN connection forced DNS.

It’s a bit tricky to get Pi-hole to work with a provider VPN.

Lots of fireworks needed, at settings level to force the request to bypass the provider’s DNS parameter.

I’m still fairly new to this game so please be skeptical of my advice, but… I think Viscosity could be the only firework needed.

It seems to manage routing very effectively at a granular level and is pretty straightforward. You can download the configuration of your chosen provider VPN, plug it into viscosity, then play with the settings—one of which is specifying the DNS for the vpn connection (use vpn’s settings, ignore vpn’s setting and specify your own…).

I just started playing with this and I’ve only checked results using dnsleak, but so far the results have shown Viscosity does what it says. Regardless of the merits or reasons for either option, it lets me chose my own DNS server or the VPN’s for a given connection.

Problem solved.

sudo tcpdump udp -n -s 1500 -i tun0 port 53

on my pi.
The requests went to the internal ip of my VPN. So all is fine.
The answer to my initial question is: yes.
Mystery solved.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.