Pi-Hole + OpenVPN + IPTables = DNS problem?

I have a raspberry that has been running on pi-hole for about 2 years. The other day I decided to watch Netflix on the US version. I decided to pour an OpenVPN on the pi provided, where it also runs pi-hole, and use it as a VPN router for TV.

Said and done, I installed, connected, all right. I put some IPTables rules from here: Configuring Raspberry Pi as a VPN gateway using NordVPN with best server selection (Pi-hole with DoH setup optional) :

sudo iptables -F
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

sudo iptables -A OUTPUT -o tun0 -m comment --comment "vpn" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p icmp -m comment --comment "icmp" -j ACCEPT

Well, some problems have arisen since this phase. Some sites load me super hard or not at all. How do I know it's a DNS problem? I put in the pi-hole Google's DNS and everything works perfectly.

Since I'm not very good at IPTables and I intuitively set these forward rules from that guy's website, I don't realize what's wrong, so the opinion of a master on networking would be useful.

A lot of this seems unnecessary.

For instance,

adds rules allowing you to use ssh through the firewall. However, there are no other rules that limit anything in the firewall so they are just not doing anything.

amends comments to the packets which are never used anywhere else by the firewall.

So only the central command block is doing anything at all.

So which DNS server do you use when Google works perfectly fine? Do you use a DoT setup? If so, I'd see the problem on this side.

Try a dig query to this server to check how long it needs to reply:

dig whatever.com @ip.of.your.used.server - p portofyourusedserver

We can help with this if you want.

Makes sense. Thank you.

This site is one of those that loads very slowly.

silviu@Silvius-MacBook-Pro ~ % dig stirileprotv.ro @192.168.88.104

; <<>> DiG 9.10.6 <<>> stirileprotv.ro @192.168.88.104
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11011
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 12

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;stirileprotv.ro.		IN	A

;; ANSWER SECTION:
stirileprotv.ro.	600	IN	A	185.133.64.100
stirileprotv.ro.	600	IN	A	185.133.64.99

;; AUTHORITY SECTION:
ro.			3382	IN	NS	sec-dns-a.rotld.ro.
ro.			3382	IN	NS	sec-dns-b.rotld.ro.
ro.			3382	IN	NS	dns-c.rotld.ro.
ro.			3382	IN	NS	dns-at.rotld.ro.
ro.			3382	IN	NS	dns-ro.denic.de.
ro.			3382	IN	NS	primary.rotld.ro.

;; ADDITIONAL SECTION:
dns-c.rotld.ro.		3382	IN	A	194.0.11.113
dns-c.rotld.ro.		3382	IN	AAAA	2001:678:e:113::53
dns-at.rotld.ro.	3382	IN	A	78.104.145.6
dns-at.rotld.ro.	3382	IN	AAAA	2001:628:453:bb::6
dns-ro.denic.de.	3382	IN	A	81.91.161.99
primary.rotld.ro.	3382	IN	A	192.162.16.18
primary.rotld.ro.	3382	IN	AAAA	2a03:5e80:0:4:192:162:16:18
sec-dns-a.rotld.ro.	3382	IN	A	192.162.16.20
sec-dns-a.rotld.ro.	3382	IN	AAAA	2a03:5e80:0:4:192:162:16:20
sec-dns-b.rotld.ro.	3382	IN	A	193.230.31.230
sec-dns-b.rotld.ro.	3382	IN	AAAA	2a03:5e80:0:5:193:230:31:230

;; Query time: 443 msec
;; SERVER: 192.168.88.104#53(192.168.88.104)
;; WHEN: Mon Feb 08 11:01:53 EET 2021
;; MSG SIZE  rcvd: 458

silviu@Silvius-MacBook-Pro ~ % dig stirileprotv.ro @8.8.8.8

; <<>> DiG 9.10.6 <<>> stirileprotv.ro @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45171
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;stirileprotv.ro.		IN	A

;; ANSWER SECTION:
stirileprotv.ro.	33	IN	A	185.133.64.100
stirileprotv.ro.	33	IN	A	185.133.64.99

;; Query time: 20 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Feb 08 11:02:12 EET 2021
;; MSG SIZE  rcvd: 76

Same with www.netflix.com:

silviu@Silvius-MacBook-Pro ~ % dig www.netflix.com @192.168.88.104

; <<>> DiG 9.10.6 <<>> www.netflix.com @192.168.88.104
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45218
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.netflix.com.		IN	A

;; ANSWER SECTION:
www.netflix.com.	14363	IN	A	92.249.37.2

;; Query time: 141 msec
;; SERVER: 192.168.88.104#53(192.168.88.104)
;; WHEN: Mon Feb 08 12:48:41 EET 2021
;; MSG SIZE  rcvd: 60

silviu@Silvius-MacBook-Pro ~ % dig www.netflix.com @8.8.8.8

; <<>> DiG 9.10.6 <<>> www.netflix.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50400
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.netflix.com.		IN	A

;; ANSWER SECTION:
www.netflix.com.	230	IN	CNAME	www.dradis.netflix.com.
www.dradis.netflix.com.	5	IN	CNAME	www.eu-west-1.internal.dradis.netflix.com.
www.eu-west-1.internal.dradis.netflix.com. 5 IN	CNAME dualstack.apiproxy-website-nlb-prod-3-ac110f6ae472b85a.elb.eu-west-1.amazonaws.com.
dualstack.apiproxy-website-nlb-prod-3-ac110f6ae472b85a.elb.eu-west-1.amazonaws.com. 5 IN A 3.251.50.149
dualstack.apiproxy-website-nlb-prod-3-ac110f6ae472b85a.elb.eu-west-1.amazonaws.com. 5 IN A 54.74.73.31
dualstack.apiproxy-website-nlb-prod-3-ac110f6ae472b85a.elb.eu-west-1.amazonaws.com. 5 IN A 54.155.178.5

;; Query time: 47 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Feb 08 12:48:58 EET 2021
;; MSG SIZE  rcvd: 247

Quoting the relevant parts to make discussion easier:

What we can say from this: 192.168.88.104 is certainly slower than 8.8.8.8

First case: It is severely slower.
Second case: Not so dramatic.

Let's focus on your first test: Assume Netflix loads various resources from different subdomains (I don't know if they do it, but I guess so). Say 20 external resources. This would make on the order of 8 seconds time until all DNS is resolved (simplification assuming they are serial, which they are typically not). Google would still be less than one second.
Here you would clearly see the difference.

In the second case not so much.

I see the guide recommends using cloudflared. This may just be awfully slow over the VPN you chose. Does this slowness remain if you disable the VPN or point it to different countries? If so, you may just have to get rid of it and do something else.

The Pi-hole team always recommends to become your own DNS upstream which is very simple using their excellent guide. By this, you become completely independent from any upstream provider (such as Cloudflare) and nobody gets your browsing habits. I'm sure Cloudflare records and sells it the same way Google does...

Sorry for the eventual confusion, but on my local laptop, I don't use VPN. The VPN is used only for TV. All other devices use the default DNS configuration provided by pi-hole.
Then, the problem with Netflix is on regular devices. It takes 30-40 seconds to load. My internet speed is about 300MB/s.

When I'm not using pi-hole as a DNS server, the website is loaded in < 1000ms. That's why I initially asked if it's a conflict from the iptables configuration.

Now my confusion is perfect

When you say

don't you mean you exchange your cloudflare by Google inside Pi-hole? Why would you say put in the pi-hole otherwise?

So

also happens when you select Google as upstream inside Pi-hole ?

Maybe this doesn't work or I don't understand it. Does it mean that all traffic from the Pi running Pi-hole is routed through the VPN? Or something different?

Let's recapitulate.

1. Pi-hole (192.168.88.104) with OpenVPN installed.
2. A smart TV
3. I use (or I want to use) the VPN only for the TV, not for all devices
   3.1. On the TV I have set the IP of the pi-hole as router IP instead of my real Mikrotik router
4. On the other devices (on TV it's all ok) served by the Mikrotik router and Pi-hole, like laptop, phone - this DNS issue is happening

I dug more and I found that

That IP solves to my VPN provider IP instead of Netflix A records.

Another example:

silviu@Silvius-MacBook-Pro ~ % dig cdn.cookielaw.org @192.168.88.104

; <<>> DiG 9.10.6 <<>> cdn.cookielaw.org @192.168.88.104
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37940
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cdn.cookielaw.org.		IN	A

;; ANSWER SECTION:
cdn.cookielaw.org.	2	IN	A	0.0.0.0

;; Query time: 4 msec
;; SERVER: 192.168.88.104#53(192.168.88.104)
;; WHEN: Mon Feb 08 17:21:13 EET 2021
;; MSG SIZE  rcvd: 51

The record here is not resolved by all.

Now, I don't know why this is happening. Is it because of that iptables rules? If yes, why happen only to Netflix and other random websites, not to all?

No. This is the answer directly upplied from the DoH service you are using cloudflare. The firewall rules of iptables have no capabilities to modify DNS records in any way. They can either permit or block them. Well, they could also re-route them but that cannot happen with DoH as a rerouted reply would be discarded (certificate mismatch).

Do you get the same reading when using Google as DNS server inside Pi-hole (change it on the settings tab of the web interface).

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.