PiHole + NordVPN?

Expected Behaviour:

I installed PiHole + Unbound the other day and it was working fine and well.
Decided to get NordVPN today and set it up to run on the router for all devices connected to the network.
Was hoping that the PiHole would still work, but it stopped working. Any help is appreciated.

Actual Behaviour:

When I set my Pi as the DNS server, everything results in SERVFAIL.

For example, on my Pi when using "dig dnssec.works @127.0.0.1 -p 5335":

; <<>> DiG 9.18.24-1-Raspbian <<>> dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21320
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec.works. IN A

;; Query time: 599 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Sun May 05 12:32:22 PDT 2024
;; MSG SIZE rcvd: 41

Debug Token:

https://tricorder.pi-hole.net/m0ra1IKo/

Thank you in advance

Commonly, VPN services force DNS requests to their own DNS servers in an attempt to prevent DNS leaks.

In your case, that could mean that unbound will never actually talk to authoritative DNS servers, but to NordVPN's DNS servers instead. Consequently, DNSSEC validation of DNS replies will always fail.

If you intend to use NordVPN as a gateway, you may have to forgo using unbound.
Alternatively, you may inquire with NordVPN's support whether it would be possible to address this via NordVPN configuration. However, note that this may leak your unbound's DNS requests outside your VPN tunnel.
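The reasoning in the reply above can be checked directly on the Pi. The script below is an added example, not code from this thread, from Pi-hole or from unbound. It assumes unbound listens on 127.0.0.1:5335 as in the original post, that dig (bind9-dnsutils) is installed, and it uses a.root-servers.net (198.41.0.4) as the probe target; those are assumptions, not something the thread states. It makes three observations: the normal query (SERVFAIL in the post), the same query with checking disabled (+cd, which tells unbound to return the answer without validating it), and whether a query sent straight to a root server comes back authoritative. A real root server sets the AA flag on the root zone; a VPN that redirects port 53 to its own resolver answers from cache with RA set and no AA, which is exactly the interception that breaks unbound's validation.

```shell
#!/bin/sh
# Added diagnostic script (example, not from the thread, Pi-hole or unbound).
# Assumptions: unbound on 127.0.0.1:5335, dig installed, 198.41.0.4 reachable.
# Run the live checks on the Pi with:  sh vpn_dns_check.sh run

UNBOUND=127.0.0.1
PORT=5335
ROOT=198.41.0.4   # a.root-servers.net; any root server address would do

# dig_status: print the RCODE (SERVFAIL, NOERROR, ...) from dig output on stdin.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# dig_flags: print the header flags (e.g. "qr rd ra ad") from dig output on stdin.
dig_flags() {
    sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1
}

# classify: read one dig output on stdin and print
#   servfail - the resolver gave up (what the original post shows)
#   secure   - NOERROR with the AD flag: unbound validated the DNSSEC chain
#   insecure - NOERROR without AD: answered but not validated
#   other    - NXDOMAIN, REFUSED, timeouts, ...
classify() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | dig_status)
    flags=$(printf '%s\n' "$out" | dig_flags)
    case "$status" in
        SERVFAIL) echo servfail ;;
        NOERROR)
            case " $flags " in
                *" ad "*) echo secure ;;
                *)        echo insecure ;;
            esac ;;
        *) echo other ;;
    esac
}

# root_is_authoritative: read the output of `dig +norecurse . NS @<root-server>`
# on stdin; "yes" if the answer carries the AA flag, "no" if a recursive
# resolver (for example the VPN provider's) answered in the root server's place.
root_is_authoritative() {
    case " $(dig_flags) " in
        *" aa "*) echo yes ;;
        *)        echo no ;;
    esac
}

# verdict NORMAL CD ROOT_AUTH: combine the three observations into one line.
# Interception is reported first, because it explains a validation failure.
verdict() {
    if [ "$3" = no ]; then
        echo "port 53 is intercepted: a query sent to a root server was answered non-authoritatively"
    elif [ "$1" = servfail ] && [ "$2" != servfail ] && [ "$2" != other ]; then
        echo "DNSSEC validation failure: the answer exists but unbound cannot validate it"
    elif [ "$1" = servfail ]; then
        echo "no answer even with checking disabled: upstream unreachable, not a validation problem"
    else
        echo "unbound answers normally ($1)"
    fi
}

# Live checks, run only when the script is invoked with the argument "run".
if [ "$1" = run ]; then
    normal=$(dig +dnssec dnssec.works @"$UNBOUND" -p "$PORT" | classify)
    cd_query=$(dig +cd dnssec.works @"$UNBOUND" -p "$PORT" | classify)
    root=$(dig +norecurse . NS @"$ROOT" | root_is_authoritative)
    echo "normal=$normal cd=$cd_query root_authoritative=$root"
    verdict "$normal" "$cd_query" "$root"
fi
```

If the root probe reports "no" while the VPN is up and "yes" with it down, the VPN is rewriting port 53 and unbound cannot reach the authoritative servers it needs; whatever answers in their place cannot present a chain that validates from the root trust anchor, hence SERVFAIL. The +cd query returning an answer while the normal one fails confirms that the data is reachable and only validation rejects it.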

Thank you, that makes a lot of sense, but why does it not work when I remove Unbound either?