Pihole to WAN?

I have all traffic pointed to use openvpn on my Asus router.
This includes the Pihole machine.

Should the Pihole machine be pointed to use the WAN instead, or this doesn't really matter?
I am not referring to adding Pihole's IP address to the WAN or LAN...

I am referring to.. My Asus router has an option where I can point devices to either the VPN or the WAN.
Just want to make sure if I should be pointing Pihole to WAN or not or whether it matters or not.

Thanks in advance.

As long as your Pi-hole can reach its upstream DNS servers it should work either way. If I've understood what you're describing correctly, the only difference in operation is who is routing your DNS traffic.

Using the WAN setting your ISP will be responsible for that. You will have the option of using your ISP's DNS servers too.

Using the VPN setting, your VPN provider will instead be responsible for that, and your ISP will just be responsible for routing you to your VPN. Your ISP's DNS servers probably won't work here, since it will see requests coming from the VPN provider and not from you.

Using a public DNS provider, like Cloudflare, will work either way, and as long as Pi-hole can indeed reach that then you should be good either way, it's a personal choice as to whether you trust your VPN provider or ISP more.

Maybe I didn't explain correctly what I am referring to. I am not referring to Upstream connection.
The Pihole is configured to be the only DNS server available.

Here is screenshot of what I mean. This Asus router has VPN Director section where you can point devices to either the WAN connection or the VPN.. take a look...


I know Pihole will work whether it uses the WAN or the VPN connection.

My question is whether the Pihole should be set to the WAN connection or the VPN since all traffic is routed to it... or, it really doesn't matter?

I think we are both talking about the same thing here. From your router's point of view it doesn't care what the client called "Pihole" is doing or what its purpose is. All that screen cares about is whether "Pihole" should have its outbound traffic sent to the WAN (which I assume means normal without the VPN) or the VPN.

The outbound traffic from Pi-hole is its queries to its configured upstream DNS servers. Plus adlist updates, version checks and so on.

So the question is should Pi-hole's upstream DNS queries be sent out as normal or via your VPN. My earlier reply references that decision.

oh ok. Sorry that's my bad for not understanding your post. So, in the end, it doesn't matter..then I will just leave it as is, to use the WAN then.

The way I was thinking about it was.. if my router didn't have this VPN Director option, all traffic will be sent to the WAN anyway..but just wanted confirmation.. thanks for your help.

The upstream I have in Pihole GUI is the router 192.168.1.1 and the router is set to only use Pihole as the DNS server.

[Screenshot: upstream DNS settings]

This will cause a DNS loop.

Pi-hole queries the Router => Router queries Pi-hole => Pi-hole queries the Router => ...

For external upstream DNS servers I guess the VPN is going to add several milliseconds of delay to every single lookup, so keeping that off the VPN is probably the better choice. By all means try both to see what happens.

When you say "the router is set to only use Pihole as the DNS server" do you mean

  1. the router's DHCP server is giving out the Pi-hole to clients as the DNS to use, or
  2. the router's upstream DNS server is the Pi-hole?

If 1 then you've said "The upstream I have in Pihole GUI is the router 192.168.1.1". This means that clients on the network:

  • broadcast for network settings and the router replies with an IP address and the Pi-hole's address for DNS
  • clients send DNS requests to Pi-hole
  • Pi-hole sends upstream requests to the router
  • Then presumably the router has an external upstream DNS server configured and sends requests there?

In this configuration your VPN question means that all you need to consider from the Pi-hole is things like adlist updates and update checks, OS updates, etc. Pi-hole's DNS requests are not leaving the network since they are going to the router, which then sends them on to whatever it has configured as its upstream DNS server.

But if 2, then that sounds broken, causing a loop. Clients can ask either the Pi-hole or the router, depending on which one the DHCP server is configured to give out. But then:

  • Pi-hole sends upstream requests to the router
  • The router sends the requests to its upstream server which is the Pi-hole again

This is how I saw it being setup in an Asus router forum, so this is why I set it up this way.
I may not be explaining everything correctly as I lack the terminology..let me show you my router setup.

I have it so all traffic uses the pihole to filter ads, but I also use OpenDNS as the upstream to filter content.
So I said previously Pihole is the ONLY DNS server, but I forgot about OpenDNS.

Let me know if this is still a DNS loop...

[Screenshots: LAN DNS, WAN Upstream / WAN DNS, DNS Filter]

Here is the token https://tricorder.pi-hole.net/yt7O9cHB/

In my mind, this way would be the same as selecting the 2 OpenDNS options from the Upstream server section in Pihole GUI..right?

What would be the difference, between selecting the Upstream DNS server in Pihole vs at the router?

Isn't it supposed to be..
client ---> Pihole ---> Upstream DNS.... right?

To me that sounds about right. Your setup looks ok to me as well.
You would have a DNS loop if you had Pihole assigned as the Upstream DNS server, which according to your pics, it doesn't look that way to me because you have OpenDNS as your Upstream server.

When you say this....

You are correct, I don't see a difference because Pihole doesn't care what the Upstream DNS server is... as long as it is a working one.
But again, this is my opinion only and I'm sure someone else will take a peek and advise you.


Thank you Soapy..

Can anyone else chime in?

As @Soapy writes it's working but I think it could be "tidied up" a little to simplify and speed it up a touch (fewer hops around). Your setup is scenario 1 in my earlier reply, and the answer to the final bullet point question is that your router is using OpenDNS as its upstream.

At the moment your resolve path is:

  • Client asks Pi-hole
  • Pi-hole asks router
  • Router asks OpenDNS

As you mention you could change the Pi-hole upstream to be the same OpenDNS servers directly, by selecting both IPv4 checkboxes, and remove the Custom 1 entry for the router. Now the resolve path would be:

  • Client asks Pi-hole
  • Pi-hole asks OpenDNS

The router's LAN DNS is still there but no longer being asked for anything. This will always be the case with these home routers, they come with DNS included but Pi-hole can take over the role no problem, putting the router's DNS on the sidelines. Always good to know the router's DNS is still there to be used once again if ever needed.

Meanwhile your router's DHCP settings are okay, it is handing out the Pi-hole for LAN DNS. And the router's VPN/WAN setting is also good set to WAN, this will allow the Pi-hole to access adlist updates, Pi-hole updates, OS updates, etc. directly without dragging it all through the VPN. That remains a question of who you trust, ref my first reply.

All in all a good setup. How is Pi-hole working for you? Hopefully working well and catching a lot of stuff.
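The three forwarding chains discussed in this thread (scenario 1 and the looping scenario 2 from the earlier reply, and the tidied-up path above), as an added model written for this page rather than code from Pi-hole or the router. The resolver names and the "opendns" terminal are constructed labels; the walk stops at the first resolver that answers from the internet and flags a loop when it reaches a resolver a second time.

```python
from typing import Dict, Optional, Tuple, List

# Constructed forwarding tables: each resolver maps to the upstream it forwards to.
# None marks a resolver that answers from the internet (OpenDNS in the thread).
SCENARIO_1 = {          # router DHCP hands out Pi-hole; Pi-hole -> router -> OpenDNS
    "client": "pihole",
    "pihole": "router",
    "router": "opendns",
    "opendns": None,
}
SCENARIO_2 = {          # router's own upstream is Pi-hole: a DNS loop
    "client": "pihole",
    "pihole": "router",
    "router": "pihole",
    "opendns": None,
}
TIDIED = {              # Pi-hole forwards to OpenDNS directly; router DNS sidelined
    "client": "pihole",
    "pihole": "opendns",
    "router": "opendns",
    "opendns": None,
}


def resolve_path(forwarding: Dict[str, Optional[str]],
                 start: str = "client") -> Tuple[List[str], bool]:
    """Walk the forwarding chain from `start`.

    Returns (path, loop): `path` is the ordered list of hops visited, and `loop`
    is True when the chain revisits a resolver (the Pi-hole <-> router loop).
    Raises ValueError if a hop points at a resolver that is not configured."""
    path = [start]
    seen = {start}
    node = start
    while True:
        if node not in forwarding:
            raise ValueError(f"unknown resolver in chain: {node}")
        nxt = forwarding[node]
        if nxt is None:            # reached an internet-answering resolver
            return path, False
        if nxt in seen:            # already visited: queries would cycle forever
            return path, True
        seen.add(nxt)
        path.append(nxt)
        node = nxt


def forwarding_hops(forwarding: Dict[str, Optional[str]]) -> int:
    """Number of forwards a client query makes before an internet resolver answers."""
    path, loop = resolve_path(forwarding)
    return -1 if loop else len(path) - 1
```

Swapping the router's upstream for the Pi-hole's address is the only change between SCENARIO_1 and SCENARIO_2, which is exactly the mistake the thread warns about.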

Thank you, that actually makes sense!
