Unbound getting SERVFAIL when connected to NordVPN

Hello,

I thought I could make those work together but I am stuck somewhere. On a Raspberry running DietPi, I’ve installed Pi-hole with unbound and NordVPN. I discovered that when NordVPN is connected, I can’t even dig other DNS servers inside and outside my LAN (I have another Raspberry running Pi-hole + unbound properly).

So I partially solved it by running:

nordvpn set firewall disable

I say partially because after that, I can dig any DNS server, except the unbound running on the localhost. When dig is not working, I receive a SERVFAIL and if I sniff the traffic I see a lot of rows like this:

nordlynx Out IP 10.5.0.2.5493 > d.gtld-servers.net.domain: 1238% [1au] A? Www.tEST.CoM. (41)
nordlynx In IP d.gtld-servers.net.domain > 10.5.0.2.5493: 1238 Refused 0/0/1 (41)

Did anyone have success with this configuration?

Thank you!
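As an added example (not code from the original posts), here is a small Python script that applies the diagnosis above to tcpdump lines in the format quoted in the post: it pairs each outbound query with its reply by transaction id and source port, and flags REFUSED or SERVFAIL coming back from root or TLD servers, which answer a normal non-recursive lookup with a referral or NXDOMAIN, not an error code. The capture lines are constructed to match the quoted format, and `AUTH_INFRA` is an assumed list of authoritative infrastructure suffixes.

```python
import re
from dataclasses import dataclass

# Constructed capture lines in the tcpdump format quoted in the post (not a real trace).
# The first pair mirrors the symptom (a TLD server apparently answering REFUSED over the
# VPN interface); the second pair shows a healthy referral on a non-VPN interface.
CAPTURE = """\
nordlynx Out IP 10.5.0.2.5493 > d.gtld-servers.net.domain: 1238% [1au] A? Www.tEST.CoM. (41)
nordlynx In IP d.gtld-servers.net.domain > 10.5.0.2.5493: 1238 Refused 0/0/1 (41)
eth0 Out IP 192.168.1.20.40211 > d.gtld-servers.net.domain: 7710% [1au] A? Www.tEST.CoM. (41)
eth0 In IP d.gtld-servers.net.domain > 192.168.1.20.40211: 7710- 0/2/5 (170)
"""

QUERY_RE = re.compile(
    r"^(?P<iface>\S+) Out IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.domain: "
    r"(?P<id>\d+)(?P<flags>\S*)(?: \[\d+au\])? (?P<qtype>\w+)\? (?P<qname>\S+)"
)
REPLY_RE = re.compile(
    r"^(?P<iface>\S+) In IP (?P<src>\S+)\.domain > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<id>\d+)(?P<flags>\S*)(?: (?P<rcode>Refused|ServFail|NXDomain|FormErr|NotImp))? "
    r"(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)"
)

# Assumed suffixes of root/TLD servers that a recursive resolver talks to directly.
AUTH_INFRA = ("root-servers.net", "gtld-servers.net")


@dataclass
class Finding:
    iface: str
    server: str
    qname: str
    rcode: str


def find_intercepted(capture: str) -> list[Finding]:
    """Return replies from root/TLD servers carrying REFUSED or SERVFAIL.

    An error code from those servers means something between the resolver and
    the server answered in its place, the pattern seen when port 53 is redirected."""
    pending, findings = {}, []
    for line in capture.splitlines():
        q = QUERY_RE.match(line)
        if q:
            pending[(q["id"], q["sport"])] = q  # key on txid + source port
            continue
        r = REPLY_RE.match(line)
        if not r:
            continue
        q = pending.pop((r["id"], r["dport"]), None)
        if q and r["rcode"] in ("Refused", "ServFail") and q["dst"].endswith(AUTH_INFRA):
            findings.append(Finding(r["iface"], r["src"], q["qname"], r["rcode"]))
    return findings


if __name__ == "__main__":
    for f in find_intercepted(CAPTURE):
        print(f"{f.iface}: {f.server} answered {f.rcode} for {f.qname}")
```

Feed it real `tcpdump -l -i nordlynx port 53` output instead of `CAPTURE` to check which interface the refusals arrive on.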

Thank you for your support,

Yes, the intention was to use NordVPN as a gateway. It works if I use a recursive DNS in the Pi-hole configuration, and NordVPN even allows me to set a custom DNS, but it seems indeed that the problem is somehow related to unbound's use of authoritative DNS via the VPN tunnel.

An alternative configuration I would have considered was to keep unbound querying outside of the VPN tunnel for the devices on my LAN and have the applications installed on the Raspberry use NordVPN, but I don’t know if it would be possible.

It does indeed seem to be a NordVPN limitation: Reddit: Unbound DNS over VPN issues

So I am now trying to find a way to route Unbound traffic out of the tunnel, trying namespaces, virtual interfaces and so on, but so far I’ve been unable to accomplish anything.

Any validating recursive DNS resolver will discard a DNS reply when it detects that a reply was not served by the authoritative DNS server it intended to talk to.
They won't work when DNS is always redirected to specific DNS servers (which is common with VPN service providers).

If you'd succeed, you would leak DNS requests.

Depending on your intentions for contracting a VPN service, this may defeat your purposes, e.g. you'd potentially expose your network's topological location (which is among the reasons why VPN service providers forcefully redirect DNS requests to their own DNS servers).

EDIT: And in general, you wouldn't want DNS requests to leak outside your VPN tunnel when you use a VPN service provider.

Understood, thank you. My intention was to use the VPN system-wide on the Raspberry for the installed services, but leave the Pi-hole + Unbound working outside the VPN to serve other devices on the LAN that don’t need a VPN connection. This is because I actually have 2 Raspberries and one of them is in use only for the Pi-hole, so I wanted to merge the two. :slight_smile: