Pi-hole unbound Linux server connected to VPN client at router level

All devices pointed to pi-hole/unbound can't resolve DNS when enabling VPN client at router level

Linux Ubuntu server with pi-hole and unbound. Firewalla gold router with openvpn successfully connected to PIA account.

When I enable the VPN client at my router and apply it to the device running pi-hole/unbound, nothing that points to the unbound can resolve DNS.

Your VPN service provider may forcefully redirect all DNS traffic to its own DNS servers.
If that's the case, unbound may fail to verify integrity and authenticity of DNS replies via DNSSEC, as it does not communicate with the respective authoritative DNS servers for a query, but only with your VPN provider's DNS servers instead.

You'd have to inquire with your VPN service provider whether they would indeed redirect DNS traffic to their own DNS servers, and whether and how it would be possible to circumvent that.
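One way to check the two things this reply talks about from the Pi-hole host itself, as an added example that is not part of the thread and not Pi-hole or unbound project code. It builds raw DNS queries with the Python standard library only, sends one to the local validating resolver for a DNSSEC-signed name and looks for the AD flag (or a SERVFAIL), and sends another to a server that should refuse recursion: if that server "answers" with RA set and NOERROR, something on the path is redirecting port 53. `AUTH_ONLY_SERVER` is a TEST-NET placeholder you must replace, and the local resolver address and port (127.0.0.1:5335, the port the Pi-hole unbound guide uses) are assumptions to adjust for your setup.

```python
import os
import socket
import struct

TYPE_A = 1
TYPE_OPT = 41

# Assumption: unbound listening where the Pi-hole unbound guide puts it; adjust to taste.
LOCAL_RESOLVER = ("127.0.0.1", 5335)
# Placeholder only (TEST-NET-1): replace with an authoritative-only server you know
# does NOT offer recursion. Such a server must answer REFUSED for a name outside its zones.
AUTH_ONLY_SERVER = ("192.0.2.1", 53)


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=TYPE_A, dnssec_ok=True):
    """Return (txid, packet) for a recursive query. With dnssec_ok an EDNS0 OPT RR
    carrying the DO bit is appended so a validating resolver will set AD."""
    txid = struct.unpack(">H", os.urandom(2))[0]
    flags = 0x0100                                   # RD=1: ask for recursion
    arcount = 1 if dnssec_ok else 0
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)   # class IN
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, type 41, UDP payload 4096, TTL field carries the DO bit, no rdata
        opt = b"\x00" + struct.pack(">HHIH", TYPE_OPT, 4096, 0x8000, 0)
    return txid, header + question + opt


def parse_header(data):
    """Decode the 12-byte DNS header into the fields this diagnosis cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "ra": bool(flags & 0x0080),   # server offers recursion
        "ad": bool(flags & 0x0020),   # answer passed DNSSEC validation
        "rcode": flags & 0x000F,      # 0 NOERROR, 2 SERVFAIL, 5 REFUSED
        "answers": an,
    }


def send_query(server, name, timeout=3.0):
    """Send one UDP query to (host, port) and return the parsed header, or None on
    timeout or when the reply does not match our transaction id."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, server)
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    hdr = parse_header(data)
    if hdr["id"] != txid or not hdr["qr"]:
        return None
    return hdr


def assess(local_resp, auth_only_resp):
    """Turn the two probe results into findings. local_resp: reply from the local
    validating resolver for a signed name. auth_only_resp: reply from a server that
    does not recurse, asked for a name outside its zones."""
    findings = []
    if auth_only_resp is not None and auth_only_resp["ra"] and auth_only_resp["rcode"] == 0:
        findings.append("port-53 interception: a non-recursive server answered recursively, "
                        "so the VPN/router path is redirecting DNS")
    if local_resp is None:
        findings.append("local resolver: no reply")
    elif local_resp["rcode"] == 2:
        findings.append("local resolver: SERVFAIL on a signed name, consistent with DNSSEC validation failing")
    elif not local_resp["ad"]:
        findings.append("local resolver: answer without AD flag, so it is not validating DNSSEC")
    else:
        findings.append("local resolver: validated answer (AD set)")
    return findings


if __name__ == "__main__":
    # example.com is a DNSSEC-signed zone, so a working validator returns it with AD set.
    local = send_query(LOCAL_RESOLVER, "example.com")
    remote = send_query(AUTH_ONLY_SERVER, "example.com")
    for line in assess(local, remote):
        print(line)
```

Run it once with the VPN client applied to the Pi-hole host and once without; a REFUSED (or timeout) from the authoritative-only server and an AD-flagged answer from unbound is the healthy result, while a NOERROR-with-RA reply from a server that should refuse is the redirect the reply above describes.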

Thank you for your reply. I'm sure you can tell I am still learning about all of this stuff. Since I'm using the router-level VPN client, I found a setting in the router for that VPN profile called "Force DNS over VPN" - toggling this off, I think, fixes the issue.
However, after doing a lot of reading, it seems that this then leaves me open to a DNS leak, since my DNS queries then come from my own IP address even if traffic is routed through the VPN - am I understanding this correctly? I see this when I go to various DNS leak test sites, showing my IP instead of the VPN IP. I think I am coming to the conclusion that I can't use unbound and have that same machine go through a VPN client at the same time without having a DNS leak - I either have to use the VPN DNS and be fully through the VPN, or use unbound and have my DNS leak (when connected to VPN)?

As I was messing with different things, I landed on a different configuration. I have a follow-up question on this. I set up the pi.hole to use QUAD9 and removed the custom DNS to unbound in the pi.hole settings, which takes unbound out of the picture. Then at my router level, the pi.hole machine is connected to the VPN client. On all other machines in the LAN, I see my normal IP, but the DNS leak test shows the IP of the VPN DNS. On my pi.hole machine, I see the VPN IP, and the DNS leak test shows the IP of the VPN DNS. If I am understanding everything correctly, am I still utilizing the pi.hole, but all upstream DNS is getting funneled to the VPN and bypassing QUAD9/unbound in this type of setup? Is this a good setup, or am I also somehow completely bypassing the pi.hole?
