So this all started quite simply. I use NordVPN (referred to just as a VPN from here on out), and I have my pihole on my LAN. Of course, when I use the VPN it does not resolve to the pihole DNS, but goes to the VPN DNS. This is decent enough for security, but means I do not get the pihole benefits when I am on my VPN.
So, I would like to use my VPN while still getting the benefits of pihole. This is the point of this post.
I could just change my VPN settings to resolve to the pihole, 192.168.1.239, but this presents a new problem. This opens up a DNS leak, as the pihole is set to ping Cloudflare or Quad9 in the typical (presumably unencrypted) fashion. What good is a VPN when there is a DNS leak (answer: not much)?
So what am I supposed to do here? How can I use my VPN on my desktop with my pihole safely and securely?
I reached out to their customer service about this and there is no solution using their client. You need to find one of their servers and use OpenVPN. That works great!
Edit: Full Tunnel for remote access (rarely needed), Split Tunnel for full-time blocking DNS. I have a very simple Tasker setup that manages switching between my split tunnel if I’m not on my home network.
Yes I could. BUT it is not that simple, and actually defeats the purpose.
A VPN is designed to route all traffic through its servers, THEN apply a DNS query for your client request. This DNS query is likely non-encrypted. Since, under normal use, all the information is re-encrypted by the VPN on the way back to the client, this isn't a big deal. But since the data on the pihole is going straight to a DNS server operated by the VPN, and not through the VPN server itself, it is still plaintext DNS information that is subject to MITM attacks.
TL;DR: unless special stuff is applied, a DNS operated by a VPN is just as insecure as a regular DNS.
Unfortunately, I have not had time to implement my solution. However, what I intend to do is this:
Have a VPN set on my DD-WRT router. Therefore, when a device pings site A, it goes to my pihole. The pihole then pings its DNS, but this inquiry has to go through the DD-WRT router and thus through the VPN on the router. Then it receives the request back, and connects to Site A. All of these requests are routed through my DD-WRT router, and thus are sent over the VPN. Of course, for new sites this means the DNS ping is slow, so I intend to set up a recursive DNS resolver on my pihole later.
Run OpenVPN on your router. Then DNSCrypt will 443 tunnel through your VPN tunnel. I don't consider this leaking because your ISP isn't known. You can also set up DNSCrypt to only use public resolvers that do not log: https://github.com/dnscrypt/dnscrypt-resolvers
People will argue fine details but any encryption is better than hitting a DNS server via port 53.
Also, I have to give Unbound a head nod. Nothing wrong with being your own resolver.
Edit…
I tunnel Pi-Hole DNS via DNSCrypt through my VPN provider and hit these servers as a second layer of ad blocking protection. The public resolvers see 443 traffic coming from my VPN provider. Nothing more, nothing less.
This is no more secure, and considerably less private, than the setup I outline.
The public resolvers must be able to decrypt your requests. This isn’t magic. Because you’re using a full forwarding resolver, you’re giving them your entire resolution chain for a domain.
With a local recursive resolver, I’m only contacting root servers, DNSSEC secured. This secures against tampering of the request and no one but me ever gets the full chain of resolution. I don’t care who sees this as it’s only a single step in the chain. Each root server only gets a piece of the puzzle, I only care that the request is verifiably secured from tampering. Only I end up with the final result.
…and when I say I don’t log, I know I mean it. You do not have this guarantee.
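The local recursive resolver described in the reply above, as an added example that is not any poster's own configuration: a minimal Unbound `server:` block that a Pi-hole forwards to, recursing from the root hints and validating DNSSEC so no third-party forwarder ever sees the full resolution chain. The listening port 5335 and the two file paths are assumptions; Pi-hole's upstream would then be set to 127.0.0.1#5335.

```conf
# Added example (not from the thread): Unbound as a DNSSEC-validating
# recursive resolver behind Pi-hole. Port and paths are assumptions.
server:
    # Listen on loopback only, so only the local Pi-hole can query it
    interface: 127.0.0.1
    port: 5335
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    # No forward-zone: resolution starts at the root servers listed here
    # (fetch the hints file from IANA's named.root and keep it updated)
    root-hints: "/var/lib/unbound/root.hints"

    # DNSSEC validation; Unbound keeps this anchor current via RFC 5011
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes

    # Send each upstream server only the labels it needs (RFC 7816), so
    # each one sees just its own piece of the name being resolved
    qname-minimisation: yes

    # Do not reveal the resolver's identity or version to clients
    hide-identity: yes
    hide-version: yes

    # Never accept RFC 1918 addresses in answers from the outside
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12

    # Refresh popular records before they expire to hide recursion latency
    prefetch: yes
    edns-buffer-size: 1232
```

To confirm validation is active, `dig @127.0.0.1 -p 5335 dnssec-failed.org` should return SERVFAIL, while a correctly signed domain answers normally with the `ad` flag set.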