Use the DNS sent by openvpn client

openVPN client receives DNS on connection, but Pi-hole doesn't use it
On my Pi-hole installation I connect as a client to a VPN and receive DNS records (push "dhcp-option DNS 10.66.0.5"), but it doesn't seem to affect the Pi-hole behavior. How does it choose which DNS to use? Is it possible to address only some domain queries to a specific DNS (like: all queries for *.local-domain-from-vpn.lan to the DNS server received from openvpn)?
I'd like to use the pushed DNS only for local queries, not for every DNS query on my network.

Details about my system:
I'm running Debian 12 on my raspi5 with pi-hole installed:

[✓] Version: v5.18.3
[i] Remotes: origin	https://github.com/pi-hole/pi-hole.git (fetch)
             origin	https://github.com/pi-hole/pi-hole.git (push)
[i] Branch: master
[i] Commit: v5.18.3-0-gbe5a8dc

*** [ DIAGNOSING ]: Web version
[✓] Version: v5.21
[i] Remotes: origin	https://github.com/pi-hole/web.git (fetch)
             origin	https://github.com/pi-hole/web.git (push)
[i] Branch: master
[i] Commit: v5.21-0-gbe05b0f

*** [ DIAGNOSING ]: FTL version
[✓] Version: v5.25.2
[i] Branch: master
[i] Commit: 8943e260

*** [ DIAGNOSING ]: lighttpd version
[i] 1.4.69

*** [ DIAGNOSING ]: php version
[i] 8.2.24

*** [ DIAGNOSING ]: Operating system
[✓] Distro:  Debian
[✓] Version: 12
[✓] dig return code: 0
[i] dig response: "Raspbian=11,12 Ubuntu=20,22,23,24 Debian=11,12 Fedora=40,41 CentOS=9"
[✓] Distro and version supported

*** [ DIAGNOSING ]: Processor
[✓] aarch64

What I have changed since installing Pi-hole:
I installed openvpn and enabled a client connection that receives DNS records

You could either use 10.66.0.5 as your Pi-hole's only upstream, or enable Conditional Forwarding to that IP for a specific local domain and IP address range.
Both options are accessible via Settings|DNS.

But technically, if you'd use Conditional Forwarding, you would leak DNS requests to Pi-hole's upstreams, which may compromise your intentions of using a VPN.
So what's the purpose of that OpenVPN client?

Thanks for the quick response, I'm using the VPN to get access to remote computers as if they were in the LAN.
The remote network has an internal DNS to resolve computer names into IPs.
Your first suggestion can't be used, as the VPN might go down and then I wouldn't be able to resolve DNS queries, but Conditional Forwarding might be the solution I was looking for.
I don't understand what you mean by leak requests... to whom?
I looked for Conditional Forwarding in the docs but couldn't understand how it works, can you point me in the right direction? (Does it forward to another DNS? The description talks about a DHCP server but doesn't mention DNS)

That's why I asked for your OpenVPN client purpose. :wink:
If your OpenVPN had connected you to a VPN service provider, then you would have wanted DNS requests to go through that VPN as well (most VPN providers would even have their client software force DNS requests through their VPN). Otherwise, not only would your DNS requests go to some potentially untrusted party, but they would also reveal your real IP address.

In your scenario of safely connecting to a remote network, DNS leaks are not a concern.

As for Conditional Forwarding, just put in your VPN's private IP range as Local Network, your VPN's local domain as Local domain name and your VPN DNS server IP under IP address of your DHCP server.

Thanks, that Conditional Forwarding was exactly what I was looking for, but it is limited to one subnet/local domain. I had already found a solution by editing conf files but was looking for a canonical way to set this up. In the end I've tried your suggestion and found out that what Conditional Forwarding did was exactly add the same directives (plus one for reverse lookup that I hadn't thought about).
So in the end that's what I did:
added a file in /etc/dnsmasq.d/ called 07-dnsbydomain.conf with the following content:

# directives to force upstream dns per specific domains
rev-server=10.66.0.0/24,10.66.0.5
server=/mylocaldomain.lan/10.66.0.5
rev-server=10.68.0.0/24,10.68.0.254
server=/myotherlocaldomain.lan/10.68.0.254
server=/myotherlocaldomain.internal/10.68.0.254

This way I could specify all my custom DNS for specific domains, and I should be safe from Pi-hole updates overwriting my edits, right?
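To make the routing behind these directives visible, here is an added example (not code from this thread, Pi-hole or dnsmasq) that parses the posted dnsmasq lines and reproduces the selection rule dnsmasq applies: a forward query goes to the server of the longest matching zone suffix, a rev-server line is shorthand for server=/<reverse zone>.in-addr.arpa/<ip>, and anything that matches no zone goes to the normal upstream. The label "upstream" standing for Pi-hole's regular upstream servers, the restriction to octet-aligned prefixes (/8, /16, /24) and the sample host names are my assumptions for the demo.

```python
import ipaddress

# Constructed input: the directives posted above, verbatim.
DNSMASQ_CONF = """
# directives to force upstream dns per specific domains
rev-server=10.66.0.0/24,10.66.0.5
server=/mylocaldomain.lan/10.66.0.5
rev-server=10.68.0.0/24,10.68.0.254
server=/myotherlocaldomain.lan/10.68.0.254
server=/myotherlocaldomain.internal/10.68.0.254
"""

# Placeholder label (assumption) for "whatever Pi-hole normally forwards to".
DEFAULT_UPSTREAM = "upstream"


def reverse_zone(network):
    """in-addr.arpa zone covering an IPv4 network, e.g. 10.66.0.0/24 -> 0.66.10.in-addr.arpa.

    Simplification for the demo: only /8, /16 and /24 are accepted; real dnsmasq
    also handles other prefix lengths by emitting several zones.
    """
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError(f"unsupported prefix for this demo: {network}")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def parse_dnsmasq(text):
    """Map each zone to its forced upstream from server=/zone/ip and rev-server=net,ip lines."""
    routes = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key == "server" and value.startswith("/"):
            _, zone, upstream = value.split("/", 2)
            routes[zone.lower().rstrip(".")] = upstream
        elif key == "rev-server":
            network, upstream = value.split(",", 1)
            routes[reverse_zone(network.strip())] = upstream.strip()
    return routes


def select_upstream(qname, routes, default=DEFAULT_UPSTREAM):
    """Choose the upstream the way dnsmasq does: the longest zone that matches on a label boundary wins."""
    name = qname.lower().rstrip(".")
    best = None
    for zone in routes:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return routes[best] if best else default


def ptr_name(ip):
    """PTR query name for an IPv4 address, e.g. 10.66.0.17 -> 17.0.66.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


if __name__ == "__main__":
    routes = parse_dnsmasq(DNSMASQ_CONF)
    for zone, server in routes.items():
        print(f"{zone:40} -> {server}")
    # Constructed sample queries: two VPN-side names, one public name, two reverse lookups.
    for q in ("nas.mylocaldomain.lan", "db.myotherlocaldomain.internal", "www.example.com",
              ptr_name("10.66.0.17"), ptr_name("192.168.1.1")):
        print(f"{q:40} -> {select_upstream(q, routes)}")
```

The practical check on the Pi-hole box is the same as the simulation: query the name through Pi-hole (dig @<pi-hole-ip> host.mylocaldomain.lan) and confirm in the query log that it was forwarded to 10.66.0.5 rather than the regular upstream. Note that a name like notmylocaldomain.lan does not match mylocaldomain.lan, because dnsmasq matches whole labels, not arbitrary string suffixes.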

Note:

Pi-hole v6 will accept more than one server for Conditional Forwarding, without the need to edit files in /etc/dnsmasq.d/.
