PiHole + Unbound - DNS views with Wireguard VPN

mrc989 · August 28, 2024, 7:56am

Hi,

first of all, thanks to all those involved in the development of PiHole - this is just so great!

Secondly, I've done a lot of reasearch before deciding to finally post. In short, this is my situation:

PiHole running on a RaspberryPi at IP 192.168.1.10 and acting as DHCP and DNS server - the DNS server is "recursive" and uses Unbound as specified in this guide: unbound - Pi-hole documentation
Self-hosted services running in Docker containers on another Linux machine at IP 192.168.1.15 (behind a reverse proxy)
The reverse proxy on the Linux machine residing 192.168.1.15 can be reached from outside the local network thanks to Cloudflare tunnel (I've used this solution to avoid port forwarding)
I've also configured Wireguard VPN running on an OpenWrt router (subnet 10.14.0.0)

The "issue" is very simple: one of the self-hosted services is a music streaming service reachable via Cloudflare tunnel at (e.g.) "music.myserver.com".
This works fine when I'm outside the local network but it is a "PITA" when I am in the local network: streamed music must go through Cloudflare tunnel and, given my poor upload speed (minimum guaranteed bandwith 0,512 Mbps)...it is very slow.
Therefore I would like that requests to "music.myserver.com" are replied with:

the reverse proxy address when I am in the local network, to avoid using Cloudflare tunnel
the DNS provided by Cloudflare when I am outside the local network (with or without VPN) so I can reach my reverse proxy through Cloudflare tunnel

At first I've tried configuring Local DNS Records on PiHole in order to point "music.myserver.com" to the reverse proxy at 192.168.1.15. This works fine, but now we put Wireguard VPN in the equation.
Basically, I setup Wireguard on my Android phone so that, when I am out of the local network, DNS requests get forwarded to PiHole running on 192.168.1.10. Again, this works.

The issue is that when I try to access "music.myserver.com" outside the local network through the VPN, the DNS request through Wireguard is forwarded to PiHole, which in turn replies with the IP of the reverse proxy on 192.168.1.15.
Since I use Wireguard VPN only for DNS requests and not for "all network traffic" (again, slow upload speed), of course I cannot access the reverse proxy and thus the music streaming service.

I've found another topic with a situation similar to mine: Conditional DNS Resolution for Home Server Access from Local Network and VPN

Thus, I've tried configuring Unbound with DNS views.

Specifically I've edited Unbound default configuration at /etc/unbound/unbound.conf.d/pi-hole.conf and added:

server:
    .... default config found in the guide....
	access-control-view: 192.168.1.0/24 local-view

view:
    name: "local-view"
	local-zone: "music.myserver.com" redirect
	local-data: "music.myserver.com A 192.168.1.15"

Unfortunately, above configuration doesn't work.
Pings to "music.myserver.com" are always replied with Cloudflare IPs, notwithstanding the network I am in (local/VPN/without VPN).
I am most probably missing something, but I cannot understand what.
That is why I am asking for your help.

Bucking_Horn · August 28, 2024, 8:30am

Since you are serving music from your home network, wouldn't that mean that accessing that server via its public IP is always subject to low bandwidth?

In that case:

Did you consider to allow access to internal devices through the WireGuard tunnel?

This shouldn't be noticably slower than accessing it via your public IP, and it would allow you to access other local services as well.

mrc989 · August 28, 2024, 9:11am

Thanks for your reply!

Yes, indeed, but:

when I am in the home network I can "cache" music to my device, at least those playlists that I listen to most frequently (btw: I am using Symofonium on my Android device and Subsonic as streaming server). Caching while going through public IP takes ages, whereas caching while connected to local network is of course much faster.
I've set up a Cloudflare tunnel so that I can access the reverse proxy even on devices that cannot be part of my own Wireguard VPN (e.g. office computer)

I'll look into that - at first on my Android device I was passing all traffic through the Wireguard tunnel and it was way too slow (even just opening this forum took a few seconds). Maybe what you suggested could be at least a partial solution, even though it would still require Wireguard to be configured.

Thanks.

mrc989 · September 1, 2024, 9:31am

I've just edited my Wireguard configuration both on the OpenWrt router and mostly on Android Wireguard client - now I can indeed access internal devices and I would say that the configuration is satisfying.

Specifically, on the Android Wireguard client I've configured as Allowed IPs my PiHole residing at 192.168.1.10 - for DNS resolution - and the reverse proxy on the Linux Machine, residing at 192.168.1.15.

On the PiHole I've configured Local DNS Records so that music.myserver.com points to the reverse proxy at 192.168.1.15.

Now, when I am connected to my own WiFi and thus I have access to my LAN and the Wireguard tunnel is either active or inactive, when I access music.myserver.com with my Android device I am indeed directed to the reverse proxy at 192.168.1.15. When I am not at home (so either connected through mobile data or some other WiFi), when the Wireguard tunnel is active I can still reach my reverse proxy thanks to this configuration. So Bucking_Horn solution works!

I must add that, at first, when connected to my own WiFi, my Android device wouldn't want to reach my proxy unless the Wireguard tunnel was active. After checking some additional posts (such as this: Android device bipasses pi-hole ) I happened to understand that the IPv6 DNS configuration (or mis-configuration) on my APs was somehow "interfering" with the DNS resolution on Android devices, which were basically bypassing PiHole DNS server. So I have completely disabled IPv6 on my Openwrt APs (I have several around the house).

I also took an additional step in order to force all DNS queries from all devices (even those with hard-coded DNSes) to go through PiHole - this is an additional OpenWrt configuration listed here: Force All DNS Queries Through PiHole with OpenWRT

What still puzzles me is that when I am connected to my own WiFi (with Wireguard tunnel active or inactive) and, using Termux on Android, I run dig music.myserver.com, I get Cloudflare IPs in the ANSWER SECTION and 8.8.8.8#53 as DNS server.
On the other hand, if I run dig music.myserver.com @192.168.1.10, I do get my reverse proxy IP in the ANSWER SECTION and 192.168.1.10#53 as DNS server, which is the PiHole IP.

So I have the feeling the Android device is still somehow bypassing the PiHole and using its own hard-coded DNS, as the same dig music.myserver.com command used in several Linux machines in my network resolves the proxy IP and uses the PiHole as DNS server.
I've read something about DoH and DoT related to Android on OpenWrt forum, but this is getting beyond my abilities now...

Bucking_Horn · September 1, 2024, 11:59am

Terminal emulations on Android often ignore the network's DNS server, defaulting to Google DNS instead.

Though that demonstrates that apps (or really any software) can hard-code DNS, that should affect only Termux on your Android.
If you are generally seeing other DNS requests originating from your Androids in Pi-hole, then Termux could probably be iognored.

system · September 22, 2024, 11:59am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.