VPR - Pi-Hole - DNS Question

Hi All! :smiley:

I'm back with another question. I'm not entirely sure if it's possible, but it's the last thing I'm trying to get working and I can't figure out how to make it work...

Essentially I now have VPR working how I'd like, thanks to help here: [certain devices] = WAN, [] subnet = VPN (last rule).

The conundrum I face now. Here is my local setup: Router (OpenWrt/OpenVPN) - Pi-hole - DHCP ( - range - DNS GW

The split tunnel works great. I'm trying to figure out if I can make DNS requests from a device routed towards WAN use Cloudflare/ISP/whatever external DNS,

and have any device routed through the VPN query via the VPN DNS, but still through the Pi-hole first.

I have a feeling it's complicated due to my setup: if I put the Pi-hole through the VPN, obviously all DNS requests go via the VPN provider, although if VPR goes into strict mode, those not forced through the tunnel won't be able to query.

And if I route it through the WAN, all DNS requests go via whichever external DNS I set, but not the VPN, even for devices routed through there. I guess this is because it's the .1.30 making the request at that point.

I tried adding the Pi at the top of the order with an IGNORE, thinking that with no interface set it might tunnel via whichever interface the device is going through, but this didn't seem to work.

Is it doable keeping the Pi-hole as internal DNS? I've seen that I can use DHCP on the router and selectively set DNS per device, although if possible I'd like to keep all DNS requests going through the Pi-hole, but then respect the external DNS according to which tunnel the device is going through.

Any help would be greatly appreciated again :slight_smile:

I don't know, just posting to suggest that you might want to ask on the Pi-hole Discourse as well.

Cheers, yeah, I have posted something along those lines, as I wasn't sure where it was best suited; I realise it may be more Pi config tbh... I just thought I'd shoot here in case someone else ran into the same thing and found a way round it using router DHCP and a forwarder from the Pi or something, and managed to route that way.

1 Like

Did some more playing last night and decided to take the Pi out of the question (might utilize the LuCI adblock).

The issue now is that I still seem to get DNS either all VPN or no VPN.

I set DNS on the phone that IS routed through VPNTUN to (router), and DNS was routed through the VPN.

I set static DNS on my laptop (NOT routed through VPN but WAN), and it still got the VPN DNS, but the correct IP...

I have set peerdns off on WAN and a custom [...]. If I turn peerdns on and set a custom DNS on the TUN interface, it all just routes out through WAN.

Is this by design, or am I missing something? The reason I need to not resolve against the VPN for all devices is that Netflix etc. block by DNS as well as by source IP.

Ideally I'd like to keep DHCP DNS at to utilize the LuCI adblocker, and have DNS respect the TUN DNS or the WAN DNS, whichever the traffic is routed through... or even better the Pi (but I don't think that's doable).

One solution is to separate your LAN into 2 individual networks: one will use the Pi-hole as DNS and egress via VPN, the other can use OpenWrt or any public DNS and egress through WAN.
If you strictly want all the devices in the same network, you'll have to advertise a custom nameserver for each device. For example, if the default setting is to advertise the Pi-hole as nameserver, then add a tag to advertise OpenWrt as nameserver for the devices which will egress via WAN.

1 Like
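As an added example (not part of Trendy's reply or the original post), this is what the tag approach above looks like in OpenWrt's /etc/config/dhcp. The addressing is an assumption made for the example: router at 192.168.1.1, Pi-hole at 192.168.1.30 (the thread only mentions ".1.30"), and the laptop's MAC and lease address are placeholders.

```uci
# /etc/config/dhcp (fragment, constructed for this example)
# Assumed addressing: router 192.168.1.1, Pi-hole 192.168.1.30

# Default for the whole LAN pool: DHCP option 6 (DNS server) points at the
# Pi-hole, so untagged clients (the ones egressing via the VPN) keep resolving
# through it.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.1.30'

# A tag that carries a different option 6. dnsmasq prefers a tagged option over
# the untagged option of the same number, so tagged hosts receive the router
# as their nameserver instead of the Pi-hole.
config tag 'wan_dns'
	list dhcp_option '6,192.168.1.1'

# Static lease for a device that VPR sends out via WAN; 'tag' attaches the tag
# above to this host. MAC and address are placeholders.
config host
	option name 'laptop'
	option mac '00:11:22:33:44:55'
	option ip '192.168.1.50'
	option tag 'wan_dns'
```

After `/etc/init.d/dnsmasq restart`, renew the lease on the client and check the nameserver it received; the generated dnsmasq config under /var/etc/dnsmasq.conf.* should show a `dhcp-option=tag:wan_dns,6,...` line. Two caveats: a client with a manually configured DNS server ignores option 6 entirely, and this only chooses which resolver the client asks. Which interface the router's own forwarded queries leave through (WAN or tunnel) is decided by the router's routing table, not by the client's VPR policy, which is why routing the Pi-hole or the router via one path gave "all VPN or no VPN" in the posts above.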

Thanks for the response and suggestions Trendy, it's much appreciated! :slight_smile:

The only pitfall I have is that I need certain domains in the VPR user files routed through WAN with WAN DNS, regardless of the fact that they're specified for the VPN interface (as custom user files have higher priority), which, if I do two LAN segments, would negate the VPR, I'd have thought.

Annoying but I'm at peace that I don't think it's going to be that easy.

I just wanted: if device = VPN, go VPN with VPN DNS; IF a domain-name policy via WAN (which is higher) is requested by a device that is VPN further down, go WAN with WAN DNS.

The only way to achieve that is with selective DNS: advertise the same nameserver to all hosts and let that device decide which upstream nameserver to query based on the domain.

1 Like

You can also configure multiple dnsmasq instances running on separate subnets/ports.
Each instance can forward to different resolvers, optionally with selective DNS forwarding.

1 Like
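As an added example (not part of either reply above), this combines the two suggestions: two dnsmasq instances in /etc/config/dhcp, one per egress path, with the VPN-side instance using selective forwarding so that the domains VPR sends via WAN are also resolved via a WAN resolver. Everything named here is an assumption for the example: a LAN 'lan' (192.168.1.0/24) for WAN-bound clients, a second LAN 'vpnlan' (192.168.2.0/24) for VPN-bound clients, WAN device 'eth0.2', tunnel device 'tun0' with the provider's resolver at 10.8.0.1, public resolvers 1.1.1.1/1.0.0.1, and netflix.com standing in for whatever is in the VPR user file.

```uci
# /etc/config/dhcp (fragment, constructed for this example)
# Assumptions: 'lan' = WAN-bound clients, 'vpnlan' = VPN-bound clients,
# WAN ifname eth0.2, tunnel ifname tun0, VPN provider resolver 10.8.0.1.

# Instance serving clients that egress via WAN: forwards only to public
# resolvers, and never to the resolvers learned via peerdns on any interface.
config dnsmasq 'wan_dns'
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option noresolv '1'
	option nonwildcard '1'               # bind only to the listed interfaces
	list interface 'lan'
	option leasefile '/tmp/dhcp.leases.wan_dns'
	# '@ifname' is dnsmasq's own server syntax: the upstream query is bound to
	# that device, so it leaves via WAN regardless of the router's route table.
	list server '1.1.1.1@eth0.2'
	list server '1.0.0.1@eth0.2'

# Instance serving clients that egress via the tunnel: default upstream is the
# VPN resolver, but the domains VPR routes via WAN are forwarded to a public
# resolver over WAN, so the DNS answer matches the path the traffic takes.
config dnsmasq 'vpn_dns'
	option domainneeded '1'
	option localise_queries '1'
	option local '/vpnlan/'
	option domain 'vpnlan'
	option noresolv '1'
	option nonwildcard '1'
	list interface 'vpnlan'
	list notinterface 'loopback'         # only one instance may own 127.0.0.1:53
	option leasefile '/tmp/dhcp.leases.vpn_dns'
	list server '10.8.0.1@tun0'
	# Selective forwarding: '/domain/resolver' overrides the default upstream
	# for that domain and its subdomains (placeholder domain).
	list server '/netflix.com/1.1.1.1@eth0.2'

# Each DHCP pool is attached to the instance that serves its network.
config dhcp 'lan'
	option interface 'lan'
	option instance 'wan_dns'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'vpnlan'
	option interface 'vpnlan'
	option instance 'vpn_dns'
	option start '100'
	option limit '150'
	option leasetime '12h'
```

The same split can be done on one subnet with `option port` instead of separate interfaces (for example the VPN instance on port 5353), but DHCP option 6 cannot carry a port, so clients cannot be pointed at it directly; that variant only works with a forwarder in front, such as a Pi-hole whose custom upstream is set to `192.168.1.1#5353`, which brings back the single-resolver problem the thread started with: the forwarder, not the client, picks the upstream. Verify each instance with `nslookup netflix.com 192.168.2.1` versus a VPN-only name, and with `tcpdump -ni eth0.2 port 53` to confirm the selective forwards actually leave via WAN.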
