Question about custom upstream servers and prioritisation

I'm new to pihole, home networking and self hosting so if my questions are a bit dumb, please bear with me. I'm still learning.

I'm currently running 2 pihole containers on a Synology NAS and have found them to be fantastic.

I'm privacy conscious and had been using Quad9 as my upstream servers. I've recently decided to run NordVPN 24/7 via a wireguard client tunnel on my DD-WRT router and am playing around with my upstream servers. I have all DNS traffic routed through my piholes.

My questions are:

  1. In the pihole settings, if there are no upstream DNS servers selected and no custom upstream server IPs listed, does pihole default to any DNS server (ISP or otherwise) or is it unable to resolve the query?
  2. If I have NordVPN's DNS servers listed as my upstream servers before the Quad9 DNS server IPs, will the pihole always attempt to resolve DNS queries in the order that the servers are listed in and only move to the next if the previous one fails to resolve the query?

The reason I ask is that I was also wondering if I could reliably leave Quad9's servers as secondary options in the event that the Nord Wireguard tunnel went down, but that would only be used in the event the NordVPN DNS servers were unavailable.

Interestingly, when I only had NordVPN's DNS servers listed, and the Nord Wireguard tunnel was deactivated, I was still able to resolve DNS queries that weren't cached. DNSLeakTest showed DNS servers in Singapore (I'm in Australia). This might be a question for Nord support rather than here, just thought I'd ask in case anyone had a similar experience.

Many thanks.

ad 1.:
In the absence of any upstream DNS server, Pi-hole will still serve blocked requests and locally defined names, but it will reply to any allowed public DNS requests with REFUSED.

ad 2.:
Pi-hole will prefer to use the fastest responding upstream DNS server, see also DNS resolver - Pi-hole documentation.

This may not be necessary if NordVPN's DNS servers are publicly accessible, i.e. they would reply to DNS requests originating from public IP addresses outside of NordVPN's network.

If that is the case, you could just use NordVPN's DNS servers.

In addition to your questions, you should note that most VPN providers forcefully redirect DNS requests to their own DNS servers, in an attempt to prevent DNS leaks.
In your case, as your router's NordVPN client is acting as a gateway to NordVPN for your entire home network, that could mean that regardless of the upstreams you do configure in Pi-hole, it would effectively talk to NordVPN's DNS servers. This could trigger issues if you enable DNSSEC validation, e.g. when using unbound as Pi-hole's upstream.

You'd have to consult NordVPN's support for details about their DNS server handling.
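One way to check the two behaviours described above (a REFUSED reply from Pi-hole with no upstreams, and which upstream answers fastest, or at all, while the tunnel is down) is to query each resolver directly and record the response code and latency. This is an added example, not code from the thread or from the Pi-hole project; the IP addresses in UPSTREAMS are constructed placeholders.

```python
import socket
import struct
import time

# Constructed placeholder addresses (hypothetical): the Pi-hole itself, the VPN
# provider's resolver and Quad9. Replace with the upstreams actually configured.
UPSTREAMS = {"pi-hole": "192.168.1.2", "vpn-dns": "10.5.0.1", "quad9": "9.9.9.9"}

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A/IN query for UDP with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(data: bytes, txid: int = 0x1234) -> dict:
    """Read only the header: the response code and answer count are what matter here."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch: stray or spoofed reply")
    rcode = flags & 0x000F
    return {"rcode": RCODE_NAMES.get(rcode, f"RCODE{rcode}"), "answers": ancount}

def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> dict:
    """Send one query and report how the server answered and how long it took."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            # A resolver only reachable through the tunnel shows up as TIMEOUT here.
            return {"server": server, "rcode": "TIMEOUT", "answers": 0, "ms": None}
        elapsed_ms = round((time.monotonic() - start) * 1000, 1)
    result = parse_response(data)
    result.update(server=server, ms=elapsed_ms)
    return result

if __name__ == "__main__":
    for label, ip in UPSTREAMS.items():
        print(label, probe(ip))
```

Run it once with the tunnel up and once with it down; a REFUSED from the Pi-hole entry means it has no usable upstream, and the ms column shows which upstream dnsmasq is likely to prefer.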

Hi Bucking_Horn,

Many thanks for your comprehensive and detailed response to my questions. This makes it very clear.

I will take any further questions regarding NordVPN's DNS handling up with Nord's support team.

Much appreciated.