Order of DNS servers

In terms of privacy I think it would be a great addition to have the option to specify the order of DNS servers used.

Why, you might ask? Let me explain my situation. I have a VPN. I connect my Pi-hole to the VPN so I can use the VPN's DNS servers and Pi-hole. I think that makes sense. Otherwise, if I use the VPN but, say, Google or Cloudflare DNS or any other public server, they can track me.

The issue is, and here I admit it, that the connection using OpenVPN can at times just fail, so then the network-wide DNS fails, and say I'm at work and some family member is not: all hell breaks loose and I can't fix it. So to avoid that I also configure a public DNS. Since which DNS server is used is based on latency, I have no control to use the public one as fallback.

Having the option to try DNS servers in the order configured would therefore be a helpful feature for privacy while maintaining availability.

You could write a script that checks VPN connection health and, depending on the situation, changes the DNS used in Pi-hole via the pihole-FTL --config dns.upstreams 1.1.1.1 command. This command will most likely restart FTL and clear the cache. A better approach might be to set Pi-hole to use a local DNS forwarder (stubby, unbound…) and modify the forwarder's config instead.
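One way to implement the health-check-and-switch script suggested above, as an added example that is not part of the thread or of Pi-hole itself. It assumes a tun0 tunnel interface, a VPN-provided resolver at 10.8.0.1 and a state-file path (all placeholders), that dig is installed, and that FTL list settings are written as a JSON array.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: switch Pi-hole's upstream list when the
# VPN tunnel is down and switch back when it recovers. Assumed values
# (placeholders, adjust to your setup): tunnel interface tun0, the VPN's
# resolver 10.8.0.1; 1.1.1.1 is the public fallback from the reply above.
set -u
VPN_IFACE="${VPN_IFACE:-tun0}"
VPN_DNS="${VPN_DNS:-10.8.0.1}"
PUBLIC_DNS="${PUBLIC_DNS:-1.1.1.1}"
STATE_FILE="${STATE_FILE:-/var/tmp/pihole-upstream-state}"

# vpn_healthy: tunnel interface present AND the VPN resolver answers a query.
# Checking the resolver, not just the link, catches a tunnel that is up but
# not passing traffic (the failure mode the original post describes).
vpn_healthy() {
  ip link show "$VPN_IFACE" >/dev/null 2>&1 || return 1
  dig +time=2 +tries=1 @"$VPN_DNS" pi-hole.net A >/dev/null 2>&1
}

# choose_upstreams STATE: policy only, no side effects, so it can be tested.
# "up" -> VPN resolver only (no queries reach a public server while the
# tunnel works); anything else -> public fallback so the home network keeps
# resolving.
choose_upstreams() {
  if [ "$1" = "up" ]; then printf '%s\n' "$VPN_DNS"; else printf '%s\n' "$PUBLIC_DNS"; fi
}

# to_json_array ADDR...: FTL list settings are written as a JSON array
# (assumption; check the syntax against your Pi-hole version).
to_json_array() {
  _out=""
  for _a in "$@"; do _out="${_out:+$_out,}\"$_a\""; done
  printf '[%s]\n' "$_out"
}

# apply_upstreams ADDR...: write the list only when it changed, because
# changing dns.upstreams restarts FTL and flushes its cache.
apply_upstreams() {
  _want="$(to_json_array "$@")"
  [ -f "$STATE_FILE" ] && [ "$(cat "$STATE_FILE")" = "$_want" ] && return 0
  pihole-FTL --config dns.upstreams "$_want" && printf '%s\n' "$_want" >"$STATE_FILE"
}

main() {
  if vpn_healthy; then _state=up; else _state=down; fi
  apply_upstreams $(choose_upstreams "$_state")   # word-split on purpose
}

# Run from cron or a systemd timer every minute: ./vpn-dns-failover.sh --apply
if [ "${1:-}" = "--apply" ]; then main; fi
```

With strict-order (see the later reply) the same goal can be reached without any restart of FTL; this script is the alternative when you want Pi-hole to hold only one upstream list at a time.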

Could you elaborate on your setup?

What kind of VPN do you have? Do you contract a VPN service provider, or do you run a VPN server on one of your own machines?

How is Pi-hole connected to that VPN?
Why does Pi-hole need to be connected to your VPN?

To force a specific order of resolvers, instead of probing all of them, you can use the custom dnsmasq config option strict-order. This will make Pi-hole prioritize the resolvers listed in dns.upstreams top-down (per man dnsmasq).
To use it, enter it into Pi-hole's configuration as misc.dnsmasq_lines under All Settings > Miscellaneous.