PiHole and OpenVPN client 'Accept DNS Configuration' set to 'Exclusive' - DNS leak
Skeptical.me

Very Senior Member
I have an OpenVPN client connected to an ExpressVPN server. It is important for streaming to have the 2 devices that use that VPN connection to use the VPN's DNS servers. I have “Accept DNS Configuration” set to Exclusive on this OpenVPN Client.

2 days ago, I installed PiHole on a Raspberry Pi 4.

Currently, both devices using this VPN's connection are showing my ISP's DNS server is leaking.

Does putting the Raspberry Pi's (PiHole) LAN address as DNS into DHCP Server > DNS and WINS Server Setting > DNS Server 1 cause my ISP's DNS to leak?

If so, is there a way to exclude these 2 devices in the Merlin UI from using PiHole so that those devices use the VPN's DNS?
 
I can't seem to find a solution to this unfortunately.
 
In your post yesterday you showed a screenshot of the LAN DHCP Server page, where you put the PiHole IP as DNS 1. But you also left the “Advertise router’s IP…” option enabled, which would cause your WAN DNS servers to be used occasionally. Disable that.

You also mentioned Unbound is installed on the PiHole. Unbound can make it look like your ISP DNS is being used because your WAN IP is actually the DNS server being detected by leak tests, when Unbound is set up as a recursive resolver.

I don’t pretend to know how the OpenVPN client options change this behavior since I never used it. Just make sure you understand for sure what the leak test is telling you.
 
Thanks for the reply.

I have uninstalled Unbound to see if it made any difference, and my DNS is showing on ipleak.net as Cloudflare which is what I chose as the "upstream" DNS server when setting up PiHole.

I've searched a lot on Google to find some suggestions but there doesn't appear to be a simple answer to my question. For now, I'll just have to use it this way or go back to using Diversion.

Edit: Some streaming apps work fine on the Apple TV for viewing US content; others, like Amazon Prime Video, don't work without the use of the ExpressVPN IP and DNS. A workaround for that is to just use the ExpressVPN app on my iPhone and AirPlay Amazon Prime Video. It's not a big deal, to be honest.


Good news.

I figured out a way to force the 2 devices to use the VPN's DNS and not the Raspberry Pi's LAN address as DNS. Obviously, PiHole no longer works with these two devices.

I don't understand why this works but it does.
I changed the iPhone's and Apple TV's DNS from "Automatic" to "Manual" and input Google's DNS 8.8.8.8 (I assume you can use any DNS address).

On the iPhone:

Wifi connection > Configure DNS > Manual > DNS Servers > Delete Raspberry Pi's LAN Address > Input 8.8.8.8 (for example).

Same on the Apple TV.

Now when I test for a DNS Leak I see ExpressVPN's DNS.

I also confirmed it is working by streaming Disney+ and Amazon Prime Video, which previously did not work due to the devices not using the VPN's DNS.
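The thread reports the symptom (PiHole as the device's DNS leaks, a public resolver such as 8.8.8.8 does not) without explaining it, and the earlier reply warns that a leak test can be misread when Unbound runs as a recursive resolver. The following is an added model of the DNS path, written for this page and not taken from the thread, Asuswrt-Merlin or PiHole. It rests on two assumptions stated in the code: that 'Exclusive' makes the router rewrite (DNAT) port-53 traffic from the policy-routed clients to the resolver pushed by the VPN, and that traffic between two hosts on the same LAN subnet is switched and never passes through the router's netfilter chains, so a query aimed at a LAN-side PiHole can never be redirected. All IPs and names are constructed sample values.

```python
"""Model of which resolver ends up answering a LAN device's DNS query behind a router
running an OpenVPN client with 'Accept DNS Configuration' set to 'Exclusive'.

Added illustration for this page. Assumptions (not stated in the thread):
  * 'Exclusive' => router DNATs UDP/TCP port 53 from policy-routed clients to the
    resolver pushed by the VPN server.
  * Traffic between two hosts on the same LAN subnet is switched and never traverses
    the router's netfilter chains, so LAN-to-LAN DNS cannot be redirected.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class RouterConfig:
    lan_subnet: str                         # e.g. "192.168.1.0/24"
    wan_ip: str                             # router's public address (constructed below)
    vpn_dns: str                            # resolver pushed by the VPN server
    vpn_clients: Set[str] = field(default_factory=set)  # LAN IPs routed through the VPN
    accept_dns_exclusive: bool = True       # the Merlin 'Exclusive' setting
    pihole_ip: Optional[str] = None         # PiHole's LAN address, if any
    pihole_upstream: Optional[str] = None   # PiHole's forwarding upstream, e.g. 1.1.1.1
    pihole_unbound_recursive: bool = False  # PiHole forwards to a local recursive Unbound


def observed_resolver(device_ip: str, configured_dns: str, cfg: RouterConfig) -> str:
    """Return the address that finally sends the query to the internet on the device's
    behalf, i.e. what a DNS leak test is likely to attribute the query to."""
    lan = ipaddress.ip_network(cfg.lan_subnet)
    dns = ipaddress.ip_address(configured_dns)

    if dns in lan:
        # Same subnet: the frame is switched straight to the resolver, so the router's
        # DNAT never sees it and 'Exclusive' has no effect.
        if configured_dns == cfg.pihole_ip:
            if cfg.pihole_unbound_recursive:
                # Unbound walks the hierarchy itself from behind the WAN IP, which is
                # why a leak test then shows the WAN address rather than "ISP DNS".
                return cfg.wan_ip
            return cfg.pihole_upstream or cfg.wan_ip
        return configured_dns  # some other LAN-side resolver

    # Off-subnet: the query transits the router and hits the nat PREROUTING rules.
    if device_ip in cfg.vpn_clients and cfg.accept_dns_exclusive:
        return cfg.vpn_dns
    return configured_dns


def is_leaking(device_ip: str, configured_dns: str, cfg: RouterConfig) -> bool:
    """A VPN-routed device 'leaks' when anything other than the VPN's resolver handles
    its queries. Devices not routed through the VPN are never counted as leaking."""
    if device_ip not in cfg.vpn_clients:
        return False
    return observed_resolver(device_ip, configured_dns, cfg) != cfg.vpn_dns


# Constructed scenario mirroring the thread: PiHole at .5 forwarding to Cloudflare,
# an Apple TV (.20) and an iPhone (.21) routed through the OpenVPN client.
EXAMPLE_CFG = RouterConfig(
    lan_subnet="192.168.1.0/24",
    wan_ip="203.0.113.7",
    vpn_dns="10.8.0.1",
    vpn_clients={"192.168.1.20", "192.168.1.21"},
    pihole_ip="192.168.1.5",
    pihole_upstream="1.1.1.1",
)


def scenario_table(cfg: RouterConfig = EXAMPLE_CFG):
    """Evaluate the two device DNS settings discussed in the thread for each device."""
    rows = []
    for device in sorted(cfg.vpn_clients):
        for dns in (cfg.pihole_ip, "8.8.8.8"):
            rows.append((device, dns, observed_resolver(device, dns, cfg),
                         is_leaking(device, dns, cfg)))
    return rows


if __name__ == "__main__":
    for device, dns, seen, leak in scenario_table():
        print(f"{device} -> DNS {dns:<12} answered via {seen:<12} leak={leak}")
```

Running the table shows the thread's two outcomes side by side: with the PiHole address as the device's DNS the query is answered via the PiHole's upstream and counts as a leak for a VPN-routed device, while a public resolver address is intercepted by the router and answered via the VPN's DNS. Flip `pihole_unbound_recursive` to `True` to see the "leak" reported as the WAN IP instead, which is the misreading the earlier reply warns about.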