Routing DNS requests through VPN

I thought I'd try running DNS requests from my LAN via a VPN on my Pihole for some added privacy.

So, I have my Pihole configured as a DHCP server. The Pihole box has a VPN running on it which puts outgoing requests through the VPN. So if I do this on the Pihole machine, or any machine on the LAN, it shows the external address as belonging to the VPN (where 192.168.0.3 is the LAN address of the Pihole):

dig +short myip.opendns.com @192.168.0.3

So far so good. I've also set the Upstream DNS Servers for the Pihole as "Google (ECS)".

However, if I go to www.dnsleaktest.com on a client machine and try a test, it shows I'm using a resolver owned by Level 3 Communications and not Google as I expected.

Does anyone know how this other resolver is muscling in?

I note that I have the Pihole's "Interface listening behavior" set to "Listen only on interface enp6s0" which is the LAN interface. Is that significant? Should it be listening on all (including the VPN tun device)?

This might be due to the main router, taking over the DNS requests.

You can isolate that by trying the same test but with a nslookup when not connected via VPN.

See if the router is intercepting and forcing requests via port 53.
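As an added example (not from any poster in this thread), a probe for the port 53 interception suggested above: it hand-builds a DNS A query and sends it to an address where no resolver can exist (192.0.2.1 from TEST-NET-1, an assumed choice), so any answer at all means something on the path is redirecting port 53. The query name and transaction id are constructed values.

```python
import socket
import struct

TXID = 0x1234  # constructed transaction id, checked on the way back

def build_query(name, txid=TXID):
    """Minimal DNS A query for `name`: RD set, no EDNS, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode() for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(pkt, off):
    """Advance past a (possibly compressed) wire-format name."""
    while True:
        n = pkt[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # two-byte compression pointer
            return off + 2
        off += n + 1

def parse_a_records(pkt):
    """Return (txid, [IPv4 strings]) from a response; non-A RRs are skipped."""
    txid, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4      # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return txid, addrs

def probe(resolver, name="myip.opendns.com", timeout=2.0):
    """Send one UDP query; return the A answers, or None on timeout/mismatch."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    txid, addrs = parse_a_records(data)
    return addrs if txid == TXID else None

def interception_verdict(answer):
    """A timeout is the expected outcome; any answer means port 53 is hijacked."""
    return "no interception" if answer is None else f"intercepted: {answer}"

if __name__ == "__main__":
    print(interception_verdict(probe("192.0.2.1")))  # TEST-NET-1: no real resolver
```

Run it from a LAN client; compare with `probe("192.168.0.3")`, which should answer normally, to confirm the probe itself works.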

Yes it is, as this allows queries to be answered ONLY on requests originating from that interface.
As you suspected, the virtual tun0 interface DOES NOT go through Pi-hole.

Enable this first, test, and then troubleshoot (if needed) the first step (the router one).

Thanks! If I do this on a machine that's on the LAN (the only thing that's running through a VPN is the Pihole) I see this:

 nslookup
 > set type=ns
 > google.com
 Server:         192.168.0.3
 Address:        192.168.0.3#53

So it appears to be using the Pihole (192.168.0.3) for the port 53 lookup - is that right?

The router situation is slightly complex. I have a UniFi wireless router to which all LAN devices are connected (there are a couple of wired ones too). The UniFi is connected to my ISP's broadband modem in passthrough mode acting purely as a gateway on 192.168.0.1 (and that's shown as the default when I do an ip route on the LAN).

However, if I look at the UniFi's config, I notice that it's set to use a gateway of 192.168.1.1. I don't know what machine that is, but I can ping it (and it's got port 53 open). It's not answering DNS requests though so I'll ignore that issue for now!

Enabling "listen on all interfaces" hasn't made any difference. The DNS leak test is still showing the wrong resolvers.

That is correct.

What is the content of your /etc/openvpn/server.conf?

(oops pasted the config from the wrong server there)

For my Pihole I'm using AirVPN - not sure what the config at their end is. I'll see if I can find out.

If you are not hosting your own VPN server (on the same device with Pi-hole or at least within the same network) you are at the mercy of your VPN provider's network settings.


Ah OK. I might be able to adjust the config at their end - or just run my own VPN server. I do have one in fact it's just not as reliable on the uptime.

Anyway - looks like the VPN is pushing DNS servers. Thanks for your help!
