Pihole + Unbound + VPN SERVFAIL


Drihha

New Around Here
Unfortunately I'm facing problems with the combination of pihole, unbound and VPN.

Pihole's IP is set under LAN -> DHCP Server -> DNS & WINS
Furthermore, pihole is set in DNSFilter as Router
I've configured pihole to use unbound for resolving (127.0.0.1)
I'm using VPN Director to put selected devices into the VPN tunnel

Everything works fine as long as pihole is outside of the VPN tunnel. But if it's outside the VPN tunnel I get a DNS leak when I check on dnsleak.com. When I try to put the pihole into the VPN tunnel (through routing policy) I see SERVFAIL in the pihole log. This problem disappears when I use external DNS for resolving (either in pihole configuration or via forward zone in unbound config).

Has someone faced such problems and maybe can help me out? I don't want to use an external/public DNS server.

Many thanks in advance.
 
My current unbound conf is as follows:

server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones; if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # Perform prefetching of close-to-expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users
    # running on small networks or on a single machine, it should be unnecessary to seek performance
    # enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

    # Only the local Pi-hole (127.0.0.1) may query this resolver
    access-control: 127.0.0.0/24 allow

    # CA bundle used to authenticate the DNS-over-TLS upstream named below
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
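As an added example (not code from the post, Pi-hole or unbound), a small Python checker that parses an unbound.conf excerpt shaped like the one above and reports whether queries leave through the "." forward-zone over DNS-over-TLS or are resolved recursively from the root servers, which is what decides what traffic the VPN policy route has to carry. The sample config string is constructed from the posted file; the option names are real unbound options.

```python
import re
# Constructed excerpt of the config in the post, indented the way unbound's docs do.
SAMPLE_CONF = """\
server:
    interface: 127.0.0.1
    port: 5335
    harden-dnssec-stripped: yes
    private-address: 192.168.0.0/16
    access-control: 127.0.0.0/24 allow
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
"""
def parse_unbound_conf(text):
    """Return {"server": {option: [values]}, "forward-zone": [{option: [values]}, ...]}."""
    conf, current = {"server": {}, "forward-zone": []}, None
    for raw in text.splitlines():
        # '#' opens a comment only at line start or after whitespace; the '#' in
        # '1.1.1.1@853#cloudflare-dns.com' is the TLS auth name and must survive.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if not value:  # clause header such as 'server:' or 'forward-zone:'
            current = conf["server"] if key == "server" else {}
            if key == "forward-zone":
                conf["forward-zone"].append(current)
        else:
            current.setdefault(key, []).append(value)  # options may repeat
    return conf

def resolution_mode(conf):
    """Where a query for an arbitrary name goes: the '.' forwarders, or root recursion."""
    for zone in conf["forward-zone"]:
        if zone.get("name", [""])[0] == ".":
            tls = zone.get("forward-tls-upstream", ["no"])[0] == "yes"
            return {"mode": "forwarding", "upstreams": zone.get("forward-addr", []),
                    "transport": "tcp/853 (DNS over TLS)" if tls else "udp+tcp/53"}
    return {"mode": "recursive", "upstreams": ["root servers from root hints"],
            "transport": "udp+tcp/53 to any authoritative server"}

def vpn_path_findings(conf):
    """What the tunnel must carry for this resolver, and why a broken path is a SERVFAIL."""
    mode, out = resolution_mode(conf), []
    out.append("%s via %s over %s" % (mode["mode"], ", ".join(mode["upstreams"]), mode["transport"]))
    if conf["server"].get("harden-dnssec-stripped", ["yes"])[0] == "yes":  # unbound default
        out.append("harden-dnssec-stripped: a path that loses DNSSEC records returns SERVFAIL")
    return out
```

Run it against the real file with `vpn_path_findings(parse_unbound_conf(open("/etc/unbound/unbound.conf").read()))`; removing the forward-zone switches the report to recursive mode, i.e. port-53 traffic to arbitrary authoritative servers inside the tunnel.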