I have PiHole set up on an rpi4 with unbound as upstream DNS (PiHole also acts as the DHCP server). VPN connection home is done mainly with OpenVPN, but I also tried WireGuard to see if I could shake this issue. PiHole DNS is pushed network-wide, not only on some devices.
My desktop computer does not have any DNS leak; all works as expected. My girlfriend’s Android phone is the same: PiHole takes care of all her DNS requests, whether the phone is connected to Wi-Fi or LTE with VPN enabled. NO LEAK - Phone: Huawei P30 Lite with Android 10
My phone, on the other hand, is the devil incarnate (Huawei Mate 20 Pro with Android 10). It doesn’t follow the DNS set, either on Wi-Fi or LTE with VPN. I managed to fix the DNS leak when the phone is on Wi-Fi by blocking all DNS connections going out from my network except to the PiHole IP. On LTE with VPN, it leaks DNS to Google servers; I don’t get why. I tried all hardening tricks (for OpenVPN and WireGuard) I could find so I could force the desired DNS onto the phone while under VPN; nothing succeeded. The only thing that makes the phone access the intended DNS IP is replacing the DNS altogether with NextDNS, setting the DoH hostname in “Private DNS” under Android settings.
I want PiHole to take care of my DNS requests wherever I am… how can I do that? I don’t want to trust “3rd party” DNS providers with my requests.
It’s impossible to have a DNS leak when you’re not using a secure transmission pathway.
Is Android Private DNS and/or Chrome → Privacy and security → Use secure DNS set to Automatic/Use your current service provider respectively?
Android Private DNS in the automatic configuration will attempt to use DoTLS if the current connection can facilitate it. The same is true for the default pathway in Chrome.
Welcome to the world of “I will always try to find a way to steal your data.”
Cough, Google.
I use AdGuard VPN. It is a VPN to the device itself (phone > VPN on phone > phone). This allows me to block it. Additionally, you can use this in tandem with the AdBlock browser to block YouTube ads.
Edit: There may be a misconception that people think I am telling them they should use the same solution as me; I am not. Saying “you can” is not the same as “you should.” Did no one else grow up around anyone who responded with the “i DoN’t KnOw, cAN yOu?” type of response?
How did you set up OpenVPN/WireGuard? I have always used PiVPN; then I have 2 configs on each client: one with allowed IPs 0.0.0.0/0 for a full tunnel and one for DNS only, with just the DNS IP in allowed IPs.
I have turned this to Off, but nevertheless it still reaches out to Google DNS servers. Using the Android app “Network Analyzer”, it shows me that the DNS is set to the one I want under the VPN, but when running DNS leak tests, Google servers reply (more than 30 of them). I disabled all Google services which I’m not using: Google, Google 1, Chrome. I’m using Firefox Nightly as my main browser.
I installed Google 1 some time ago, to check it out. Now it’s uninstalled, as are Chrome, Google and a few other Google services I’m not using. Private DNS is set to Off in the settings, but same behavior: Google DNS replies to my queries, even though another DNS IP is set under VPN.
Automatic Secure DNS should be the default in even vaguely current Chrome for everyone for a while now. It will only attempt to use secure transmission if the currently configured connection can tolerate it. This is perhaps not necessarily obvious, but the upshot is it’s not directing queries to anywhere they wouldn’t otherwise be going.
For Android Private DNS the setting may either reflect ‘Opportunistic’ or ‘Automatic’ (depending on the age of the build, same feature, different verbiage), which will behave similarly, and will only use the currently configured connection path to discover DoTLS support and use it if it can.
I’m not aware of any OEM that’s supplying a static endpoint for APDNS as the default configuration and any that are should be very rightly slapped for it.
I found a similar solution for this, NextDNS. It allows me to set up custom DNS records (useful for locally running services), add block lists, etc. And it’s working; I don’t see any Google resolvers anymore. Paired with VPN to my home, and that’s it. But I have to trust NextDNS with my queries… This is why I’m looking for a solution to have everything managed by my PiHole setup.
I reconfigured the pi multiple times, trying to see if something would work. Nothing did. During the last PiHole installation (and the current active set-up) I set eth0 as the main interface, and the setting in the GUI is now set to Listen to all devices. Manually, from the phone under the VPN, with the Network Analyzer app I can send as many DNS requests as I want to the PiHole IP and all will get answered.
I found a similar issue with my Chromecast Audio/Chromecast Ultra & Google mini devices.
I have a nice secure, multi-VLAN’d network; everything is locked down with firewall rules between VLANs.
The UDM-Pro security gateway gives out DHCP to all networks; ALL networks/VLANs get the Pihole (also running unbound in recursive mode) as their DNS server 1, 2, 3 & 4.
There are no DNS leaks when testing, and all devices work just fine; it’s a great setup… however the sneaky sneaky sneaky Google devices totally ignore the provided DNS server and are hardcoded to use their own 8.8.8.8 & 8.8.4.4.
So the solution to this (to get the sneaky Google devices to use the pihole for DNS)
Or the better way is to set a static route for those IPs with the next hop being your pi.
As soon as you do that, bingo, you’ll see your devices show up in your pi query logs.
As I’m running unbound (and being my own recursive server) I’ve got static routes for all the major DNS services’ IPs routed to my pihole (just in case a sneaky device in future tries to use hardcoded DNS) - it also serves the purpose that if ANYONE tried to bypass the pihole by using a public DNS server, they actually get routed through the pihole silently.
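As an added example (not code from any poster in this thread): the OP’s “block all DNS except to the PiHole” rule and the static-route post above both depend on first seeing which clients talk to resolvers other than the Pi-hole. This script runs that check over constructed netfilter LOG lines from a gateway and emits the matching `ip route` commands; the Pi-hole address, the log lines and the field layout are assumptions for the example.

```python
import re
from collections import defaultdict

# Assumed home-network address of the Pi-hole (constructed for this example).
PIHOLE_IP = "192.168.1.2"

# Fields of a netfilter LOG line (iptables -j LOG / nftables log) that we need.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>UDP|TCP) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: a phone (.50) and a Chromecast-like device (.60) going
# around the Pi-hole, a desktop (.20) using it correctly, plus ordinary HTTPS.
SAMPLE_LOG = """\
kernel: [ 101.1] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=8.8.8.8 LEN=60 TTL=64 PROTO=UDP SPT=51234 DPT=53 LEN=40
kernel: [ 101.2] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=8.8.4.4 LEN=60 TTL=64 PROTO=UDP SPT=51235 DPT=53 LEN=40
kernel: [ 102.0] IN=br0 OUT=eth0 SRC=192.168.1.60 DST=8.8.8.8 LEN=60 TTL=64 PROTO=TCP SPT=44000 DPT=853 LEN=40
kernel: [ 103.0] IN=br0 OUT=br1 SRC=192.168.1.20 DST=192.168.1.2 LEN=60 TTL=64 PROTO=UDP SPT=40000 DPT=53 LEN=40
kernel: [ 104.0] IN=br0 OUT=eth0 SRC=192.168.1.20 DST=93.184.216.34 LEN=60 TTL=64 PROTO=TCP SPT=40001 DPT=443 LEN=40
"""

DNS_PORTS = {53, 853}  # plain DNS and DNS-over-TLS


def find_dns_bypass(log_text, pihole_ip=PIHOLE_IP):
    """Map each client to the set of DNS/DoT destinations it used that are not the Pi-hole."""
    bypass = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and int(m["dpt"]) in DNS_PORTS and m["dst"] != pihole_ip:
            bypass[m["src"]].add(m["dst"])
    return dict(bypass)


def route_commands(bypass, pihole_ip=PIHOLE_IP):
    """One static /32 route per hard-coded resolver, next hop = the Pi-hole."""
    resolvers = sorted({dst for dsts in bypass.values() for dst in dsts})
    return [f"ip route add {dst}/32 via {pihole_ip}" for dst in resolvers]


if __name__ == "__main__":
    found = find_dns_bypass(SAMPLE_LOG)
    for client, dsts in sorted(found.items()):
        print(f"{client} bypasses Pi-hole via {', '.join(sorted(dsts))}")
    print("\n".join(route_commands(found)))
```

A route alone only changes the next hop: for the Pi to answer queries addressed to 8.8.8.8 it also needs a DNAT/REDIRECT of port 53 to its own resolver on arrival. Port-853 (DoT) flows to those addresses are listed for visibility only, since Pi-hole does not serve DoT.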
In all my years of third party Android development in application and operating system spaces, I have never seen more than four configured DNS paths on a device. Even three is wildly uncommon and pretty much only seen in OnePlus devices. It should also only be using them as supplements to the user or DHCP configuration as well (for example if you had one or fewer DNS endpoints configured, manually or otherwise - though this behaviour is not uniform - most devices will just completely lose resolution capabilities if no DNS endpoints are set manually or broadcast via DHCP).
Is this behaviour repeatable with other DNS leak tests? Or is it only a specific service claiming this, if so, which?
I have your target device in my clammy wee hands currently, and it’s a cold, rainy Friday afternoon where I’ve not much else better to do. I would like to attempt to replicate and examine this behaviour.
My PiHole set-up is not using either DoT or DoH; it’s a regular DNS resolver under the VPN network. So the phone doesn’t like that this connection, still under VPN, isn’t encrypted, and it forces DoH/DoT? The last resort is a factory reset; not sure if it will help, but so far it’s the only thing I haven’t tried.
Take your gf’s config to your phone and your config to her phone and see if the problem stays on the phone, just to double-check the configs. What phone is it? Also, is there anything funky going on with IPv6 that could cause it?