Pihole V6 with Unbound - NordVPN

Hi all

I've got two Raspberry Pis running Bookworm with Pihole (latest V6) running + GravSync and Unbound in Recursive mode.

I've introduced NordVPN 'dial out' profiles to my Draytek Router. My question is - if I point my internal devices (say a laptop, iPhone etc) to my VPN dial out connection via NordVPN, am I asking for trouble if the internal devices are using Pihole + Unbound as the DNS servers? Will recursive DNS continue to work?

Same applies if I set NordVPN as the 'default route' so all LAN devices are forced to go out over the VPN... will Pihole and Unbound continue to work or am I best using a different DNS for my VPN clients?

It really comes down to how your VPN handles DNS/routing. I don't use Nord, but sometimes VPN providers have their own DNS servers. If you have an option to split tunnel (e.g. exclude certain subnets from the VPN tunnel), you should exclude your local LAN subnet from the VPN.

Hi

I think Nord provide their own DNS servers but I can't find any way to exclude subnets from the VPN connection... easy enough with a dial in profile like WireGuard, but dial out profiles on the Draytek router don't seem to have the option to exclude ranges.

Do you have the option to use WireGuard? It's probably the best VPN protocol out there.

Hi Ladrien. I use WireGuard to tunnel back into my network but Nord tell me they don't support the protocol yet (via router setup). They use their own version called NordLynx, but that's via their official app, not a router setup.

How would you point an internal device to use NordVPN (presumably for all its public outbound traffic)?
How would that device be configured to keep using Pi-hole for DNS?

And how would that differ from your second scenario with NordVPN as a default route?

Hi Bucking_Horn

Well the way I have the Draytek configured is my devices pick up the pihole DNS from the Draytek's DHCP pool - DNS/pihole being 10.7.0.xxx

As for pointing the devices to Nord...I've got two configurations. The first is via route policies in which I set up individual device profiles based on the IP of the device and then I point it to the active NordVPN connection so the individual device connects to Nord that way.

The second configuration is via setting a VPN as the default route so all devices tunnel through it, I guess?

I just wasn't sure if unbound in recursive mode would work with an encrypted connection, that being NordVPN.

VPN traffic is unencrypted upon egress at the end node. From there you have to rely on conventional methods of encrypting traffic, e.g. DoH, DoT. Functionally, Unbound should have no issues running over a VPN to my knowledge.

Going with the default route method would almost certainly break your WireGuard client connection. I think the best way to do it would be through the device profiles. If your router is smart enough to only send traffic through the VPN if it will be exiting through the WAN link, DNS resolution should still work via Unbound.

Hi Ladrien

Yeah, the Draytek Vigor 2927, which is what I have, does VPN route/device profiles. This does work, as I've put my laptop through a profile via a NordVPN connection and when I did a 'WhatismyIP' it was using the IP of, say, France (I'm UK based). The only issue is that a DNS leak test returns my WAN ISP IP, but that's by design since Unbound is recursive, I guess?

Default route policy. I tried that as well. It's very hit and miss. The NordVPN connection struggles with name resolution if I point a local device to my pihole/unbound local DNS. If I point it to, say, Cloudflare, it works fine.

In all likelihood, recursive resolution won't work if you route your Pi-hole's traffic through a VPN.

Most VPN services would forcefully redirect DNS traffic to their own DNS servers, in an attempt to prevent DNS leakages.
But this would also prevent validating recursive resolvers like unbound from talking to actual authoritative name servers, resulting in DNSSEC validation failures for DNS requests.

It would depend on NordVPN whether DNS redirection would happen in their dedicated client software (in which case your router profile may not be affected) or in their server infrastructure (in which case any DNS requests processed by NordVPN would be forced to their own servers, and a validating recursive resolver won't work).
You probably should consult NordVPN's support for further details, and whether and how that would be configurable on their end.

If you try to work around this by exempting Pi-hole's DNS traffic from being routed via your VPN, you should be aware that you'd leak those DNS requests outside of your VPN.
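One way to tell the two cases apart from a client on the affected route, as an added example that is not part of the thread: send a non-recursive `. NS` query straight to a root server and look at the reply flags. A real root server answers authoritatively (`aa` set) and never offers recursion (`ra` clear); a VPN that redirects port 53 to its own resolver answers with `ra` set and no `aa`, and a VPN that simply drops root traffic times out. A second check asks the local Unbound for a `+dnssec` answer and looks for `ad` (validated) or `SERVFAIL` (validation or the recursion behind it failed). The script below only parses `dig` output, so it runs on the constructed transcripts embedded in it; the live commands in the comments, the root server address and the `10.7.0.2:5335` Unbound address are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies `dig` transcripts to diagnose
# (1) whether a query sent directly to a root server was answered by that root
#     server, intercepted by something in the path (forced DNS redirection), or dropped;
# (2) whether a validating resolver such as unbound still returns DNSSEC-validated
#     answers or fails with SERVFAIL.
#
# Live use (hypothetical; needs network access):
#   dig @198.41.0.4 . NS +norecurse            | classify_root_reply
#   dig @10.7.0.2 -p 5335 example.com +dnssec  | classify_resolver_reply
# 198.41.0.4 is a.root-servers.net; 10.7.0.2:5335 is assumed to be the local unbound.

# Extract the flag list from a dig header, e.g. "qr aa" from
# ";; flags: qr aa; QUERY: 1, ...". Prints nothing if no header is present.
dig_flags() {
    sed -n 's/^;; flags: \([^;]*\);.*/\1/p'
}

# Extract the status field (NOERROR, SERVFAIL, NXDOMAIN, ...) from the header line.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# has_flag <flaglist> <flag>: true if the flag appears in the space-separated list.
has_flag() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# A genuine root server answers ". NS" with aa set and ra clear.
# Output: authoritative | intercepted | blocked | unknown
classify_root_reply() {
    reply=$(cat)
    case "$reply" in
        *"connection timed out"*|*"no servers could be reached"*) echo blocked; return 0 ;;
    esac
    flags=$(printf '%s\n' "$reply" | dig_flags)
    [ -n "$flags" ] || { echo unknown; return 0; }
    if has_flag "$flags" aa && ! has_flag "$flags" ra; then
        echo authoritative
    else
        echo intercepted
    fi
}

# For a +dnssec query to the local resolver: SERVFAIL means validation (or the
# recursion behind it) failed; ad set means the resolver validated the answer.
# Output: validated | unvalidated | servfail | blocked | unknown
classify_resolver_reply() {
    reply=$(cat)
    case "$reply" in
        *"connection timed out"*|*"no servers could be reached"*) echo blocked; return 0 ;;
    esac
    status=$(printf '%s\n' "$reply" | dig_status)
    flags=$(printf '%s\n' "$reply" | dig_flags)
    case "$status" in
        SERVFAIL) echo servfail ;;
        NOERROR|NXDOMAIN)
            if has_flag "$flags" ad; then echo validated; else echo unvalidated; fi ;;
        *) echo unknown ;;
    esac
}

# Constructed sample transcripts (header portion only) so the script runs offline.
sample_root_direct() {
    printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711' \
                  ';; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27'
}
sample_root_redirected() {
    printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712' \
                  ';; flags: qr ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1'
}
sample_root_dropped() {
    printf '%s\n' ';; connection timed out; no servers could be reached'
}
sample_unbound_ok() {
    printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713' \
                  ';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
}
sample_unbound_failed() {
    printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4714' \
                  ';; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
}

# Demo over the constructed samples.
for s in sample_root_direct sample_root_redirected sample_root_dropped; do
    printf '%-24s %s\n' "$s" "$($s | classify_root_reply)"
done
for s in sample_unbound_ok sample_unbound_failed; do
    printf '%-24s %s\n' "$s" "$($s | classify_resolver_reply)"
done
```

Run the live root query twice, once from a client on the VPN route policy and once from a client that is not, and compare: `intercepted` or `blocked` on the VPN side is the server-side redirection case, in which Unbound's own lookups will fail the same way.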

I am with @Bucking_Horn here in saying that your VPN provider is redirecting/blocking DNS queries from Unbound.

If DNS resolution on the VPN via Pi-hole works when Cloudflare is the upstream, that may be the better option. In terms of privacy, using a VPN with Cloudflare as the upstream is similar to using non-VPN with Unbound.

You do have to weigh the pros and cons though. VPN providers are never at 100% uptime, and DNS requires 100% uptime.

@Bucking_Horn @Ladrien - thanks both, your input is appreciated.

I'm not massively 'up' on these things but I did think that using Unbound with Nord would create some issues.

Basically, where I'm at with it is as follows (correct me if I'm wrong):

If I force a LAN device through a VPN route policy with my IP set to my local Pihole/Unbound DNS it works through the VPN but DNS leak tests report my ISP IP as the name server, which I know is correct - is this technically a DNS leak?

Default Route for all outbound VPN traffic - if I use Pihole with Unbound everything struggles to resolve correctly. Some websites are hit and miss but apps on my iPhone for example like ebay completely fail to load.

What I've done is temporarily 'turned off' Unbound on my piholes and just checked the Cloudflare DNS upstream boxes... my plan tomorrow is to forward all traffic outbound again via a default VPN route. My guess is that it should work without issue, as the default VPN connection will use Cloudflare for name resolution and not the recursive model that Unbound adopts?

@Ladrien - yeah so I temporarily forwarded queries from my Pihole to the Cloudflare DNS upstream servers rather than Unbound/recursive mode and 'default route' for the NordVPN connection worked flawlessly - I can browse the web, name resolution works and all my iPhone apps work going through the VPN tunnel.

Is there a solution to using Unbound with a VPN? Or is it a case of all or nothing? I read something about using Unbound as a forwarder via DoH or DoT, but does that defeat the purpose of Unbound?

Glad to hear you got it to work.

It really depends on how they block the DNS queries. If they block all traffic intended for the DNS root servers (this is my guess), then encrypting with DoH or DoT won't do anything for you.

I suppose the sensible solution is to ask them direct. Thanks

As you are using NordVPN: Yes.
If you use a VPN service provider, a third party would only be able to observe that you send and receive encrypted traffic to your VPN provider's servers.

If you exempt DNS from that traffic, a third party would be able to observe which domains you resolve - something you absolutely want to avoid when connecting to public networks.

But whether you use encryption or not:
The public DNS resolver processing your DNS requests has your DNS history.
In case of a VPN forcefully redirecting DNS to your VPN provider's DNS servers, that would be your VPN provider.

The relevant question is:
Does it defeat your purpose?
What are your preferences with regards to confidentiality, authenticity, integrity and privacy of your DNS traffic?

If you use unbound as a validating recursive resolver, no public DNS resolver has your DNS history, and DNSSEC validation guarantees authenticity and integrity of DNS replies of authoritative servers supporting DNSSEC - but your DNS requests are not confidential, as third parties can observe your DNS traffic. Confidentiality is particularly relevant when connecting to public networks, but not a major concern in your home network.

If you use a DoH/DoT forwarder instead, DNS traffic would be encrypted, so third parties can't observe your DNS traffic - but you'll entrust your chosen public DoH/DoT DNS resolver with your DNS history, and by itself, DoT/DoH cannot check for authenticity and integrity of DNS replies (DNS root servers currently do not support encryption).

However, when using a VPN service provider, your entire traffic (including DNS) would already be encrypted, i.e. you are already protected against third party eavesdropping.

DoH/DoT would be useful to provide confidentiality of DNS requests for roaming equipment like a smartphone or laptop when connected to public networks, like a cafe's, hotel's or airport's wifi.
In a similar fashion, using NordVPN on a laptop would provide confidentiality of all traffic, not just DNS.

For your own home network with secured wifi access, running unbound as a validating recursive resolver would check authenticity and integrity of DNS replies, without you having to entrust a public DNS resolver with your DNS history.

(I personally do not use DoT/DoH - instead, I run a VPN server in my home network, so my roaming devices send their DNS traffic via an encrypted connection to my Pi-hole / unbound at home.)

Your choice comes down to what you want to achieve.
Beyond a VPN service provider's obvious benefit of offering confidentiality in public networks, you may have opted to use NordVPN for geolocating purposes, or for an extra bit of online privacy.

Whatever your reason for routing your home network's traffic through NordVPN, you should be willing to entrust NordVPN with your public DNS history.

If you do that, you may remove unbound from your home network and point Pi-hole to NordVPN's DNS servers, with your router enforcing NordVPN's dial out profile for all connections.

If you don't, you could decide to just use NordVPN on your roaming devices when not at home, while keeping unbound for your home network.
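For the forwarder option raised earlier in the thread, here is what the two Unbound modes look like side by side, as an added example that is not from the thread or from the Pi-hole/Unbound projects' own documentation. The first drop-in is the recursive setup the thread already runs; the second replaces root recursion with a `forward-zone` over DoT, which is the traffic a VPN's forced DNS redirection cannot see or rewrite. The file paths, the `5335` listening port and the trust-anchor location are assumptions; the Cloudflare addresses and `cloudflare-dns.com` are their published DoT endpoint. One point the forwarder variant keeps: with `auto-trust-anchor-file` configured, Unbound still validates DNSSEC on the answers it receives from the forwarder, since the upstream returns the signatures; only the transport changes.

```conf
# Added example, not from the thread or the Pi-hole/unbound projects. Two drop-in
# files for unbound on Debian Bookworm; keep exactly one active and run
# `unbound-checkconf` after editing. Paths and the 5335 port are assumptions.

# --- /etc/unbound/unbound.conf.d/recursive.conf  (what the thread runs today) ---
server:
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # DNSSEC validation against the IANA root trust anchor (path is an assumption)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    # No forward-zone: unbound walks from the root servers itself over plain port 53.
    # That is exactly the traffic a VPN forcing DNS to its own servers intercepts,
    # which is why validation fails and answers go SERVFAIL on the VPN route.

# --- /etc/unbound/unbound.conf.d/forward-dot.conf  (forwarder over DoT instead) ---
server:
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # Still validate DNSSEC on the forwarded answers (trust anchor path is an assumption)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # CA bundle used to verify the upstream certificate against the #authname below
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # address@port#authname: TLS on 853, certificate checked against the name,
    # so a VPN resolver answering on port 53 cannot impersonate the upstream
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Whether the DoT variant actually works through NordVPN depends on whether the provider only redirects port 53 or also blocks outbound 853; the trade-off described above still stands either way, since the DoT upstream sees every query.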

@Bucking_Horn Thank you for the detailed explanation!

Tbh I'm at a bit of an impasse with it all now and I'm unsure of what to do for the best.

My home network is VLAN'ed and everything runs through the 2 x Piholes via Unbound Recursive DNS. I now understand that using Unbound for clients that don't utilise a VPN, in my case NordVPN, will be fine, but using NordVPN poses a problem for the clients due to DNS leaks and the fact that Unbound/web browsing resolution simply won't work properly with a VPN 'default route' connection.

I was thinking about using individual routes (Draytek call them Load-Balance/Route Policies) in which I can send individual clients and devices out over the VPN, rather than one default route which would cover the entire network. So I'm wondering if there is a way to 'force' a client to use the third Pihole that I have running which doesn't utilise Unbound (just Cloudflare for upstream) for VPN connections only.

I'm not sure if I've mentioned this but I do have Wireguard setup for inbound VPN connections - I use this to tunnel into my network and that works fine.

Thanks for all your help.

If your network is VLAN'd, you may be able to get away with adjusting DHCP settings for a VLAN to make clients go over the VPN. Essentially a VPN-VLAN if you will.