Privacy using a VPN with Pi-hole+Unbound

Sorry to hijack this old thread but I have a related question:

I'm using Mullvad VPN, Unbound DNS and a Pi-hole. All my devices query Pi-hole, Pi-hole queries Unbound and all is good. My router is connected to Mullvad VPN permanently, so all devices are "protected" by a VPN.

Now, when running the connection check at https://mullvad.net/en/check, I receive a warning about DNS leaks. It shows me the Mullvad VPN IP I'm using on the left, but for the DNS it shows my real, ISP-provided IP (which makes sense, because I'm running Unbound there and the Pi-hole queries Unbound).

My question is: am I compromising my privacy (by disclosing my real IP while using a VPN even though it's "just" as a DNS server) and if so, how would I prevent that?

I'm not sure I can answer your question but I do find it interesting. I've set up my Wifi / router with DD-WRT and am exploring setting up ProtonVPN on it in a similar fashion. I also run unbound.

I would expect unbound to use the tunnel that Mullvad created and not just bypass it. Do you have IPV6 enabled? Perhaps thats causing the leak?

Edited: I found this old reddit thread talking about this specifically for Mullvad. Its a few years old but might be of interest.

https://www.reddit.com/r/pihole/comments/p1elx8/dnsleak_question_with_vpn_and_unbound/

Thanks! From the reddit link's link to https://dnsleaktest.com/ the standard test returns the VPN IP address, but the extended test also returns the real address. I have set up query forwarding in Unbound in OPNsense now to the system nameservers (now there's a leak that returns Quad9 but that's fine) but I wonder if I would need unbound at all now (I could add Quad9 in Pi-hole after all).

I use unbound recursively and not in forwarded mode ( to a resolver, which is not its intended purpose I believe ) so there is no middle man. My goal was to elimate that step. I'm not sure if there is a benefit to unbound as a forwarder to something like quad9 vs just using pihole as a forwarder to quad9.

When you're using a VPN you want all traffic – including your DNS traffic – to go out via the VPN so that it can encapsulate everything and keep you secure (to the degree that you trust the VPN provider).

If the VPN software isn't fully aligned with how your OS works, or if it's just poorly set up, it's possible for DNS requests to continue to go directly out to your chosen DNS server, such as Google's or your ISP's, without using the VPN.

That's the so-called DNS leak; it's a leak in the sense that your DNS lookups contain all the domains you're accessing and those lookups are coming directly from your IP, not from your VPN provider's IP.

However in your case that DNS server is your own instance of Unbound, so you are only "leaking" to yourself, not Google or your ISP. Running Unbound in recursive mode means that you are doing lookups on different authoritative servers and there is no single server that has all your lookups.

There is a theoretical risk – the final server contacted by your Unbound will be the authoritative server for the domain whose service you want to access. And then you will access that domain over the VPN. If the administrators of that service also control the DNS for that service, technically they could see a connection to their DNS server from your real IP, followed by a connection to the just-looked-up domain coming from your VPN, and use that to link your real IP to your usage of that particular VPN.

I say theoretical because it doesn't really pass the "so what" test, ie, what can someone do with that information? All it gives is the information "this IP uses this VPN provider". It doesn't tell them anything about other domains you access (they are looked up on those domains' authoritative name servers), no-one has access to a full list (because you're not using Google, Cloudflare, ISP DNS, etc) and they'd have to be watching or searching logs for connections to their DNS and services to even notice. And this is all just for one single domain.

So I'd say that you're okay and not compromising privacy. In fact I'd trust Unbound in recursive mode more than I trust any VPN provider's service, since once again you'd be handing a single entity all your domains to look up.

1 Like

Out of curiousity:

Since you are running your VPN client on your router, your router effectively becomes a VPN gateway for your network.

In such a scenario, I'd have expected the VPN client to forcefully redirect DNS requests to its own DNS server, in an attempt to prevent DNS leaks.

unbound's recursion would then always fail, as it would talk to the VPN's DNS servers instead of the authoritative DNS servers, and thus DNSSEC validation would reject any replies.

This would suggest that either you've configured your VPN client for custom DNS (if that's actually supported by the VPN client at all), or your router is steering DNS requests outside of your VPN connection, or perhaps it exempts the Pi-hole host machine from using your VPN?