Having a problem getting local DNS to work when using a VPN for only some devices. I'm trying to stop DNS leaking but when I stop it local DNS doesn't work.
I've got two local DNS servers on my LAN (192.168.1.6 and 192.168.1.8) that run Pi-Hole/Unbound/NSD. They are actually VMs on separate servers.
The VPN is only routing certain devices through the VPN, no routes/rules for anything to go through the WAN (reading I did said everything defaults to the WAN).
VPN has Accept DNS Configuration set to Exclusive and Policy Rules (Strict). WAN => Connect to DNS Server automatically is set to No. DNS Server1 and DNS Server2 are Cloudflare DNS servers. LAN => DHCP Server => DNS Server 1 & 2 left blank.
With the above the VPN works without leaking. However, putting the local DNS servers (above) into the LAN - DHCP Server slots (instead of leaving them blank), local DNS works but the VPN leaks.
One interesting quirk with the working configuration is that if I change the Accept DNS Configuration to Strict, the VPN gets connected. However, the Service State shows a Local IP but no Public IP, it says Unknown. Internet is slow through the VPN but it works. VPN gets an IP (whatismyipaddress.com) from the provider but dnsleaktest.com shows the Cloudflare DNS servers. Move it back to Exclusive and Unknown is replaced with an IP and dnsleaktest.com shows a VPN provider IP.
Router is a RT-AC3100 and I just flashed it yesterday to 384.9 (was on 384.8_2) and reset it to factory then reconfigured it by hand hoping something might have been stuck but there's no difference.
I'm missing something... Thanks.
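As an added illustration (not part of the original post, and not code from the Asuswrt-Merlin firmware), the following Python script models why the leak only appears when the DHCP DNS slots point at hosts on the LAN. In Exclusive mode the router redirects port-53 traffic from policy-routed clients with DNAT rules in the nat PREROUTING chain, but those rules only see queries that actually pass through the router. A query addressed to 192.168.1.6 or 192.168.1.8 goes straight across the switch to the Pi-hole, so the router never gets a chance to rewrite it, and the Pi-hole's own upstream (Unbound out the WAN) answers it. The sample `iptables-save -t nat` text, the chain name DNSVPN1, the tunnel resolver 10.8.0.1, the router address 192.168.1.1 and the client addresses are all assumptions made up for the example; feed the script the real `iptables-save -t nat` output from the router to check an actual setup.

```python
"""Predict where a LAN client's DNS query ends up, given the DNS server the
client was handed by DHCP and the router's nat table (iptables-save -t nat)."""
import ipaddress
import shlex

LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER = ipaddress.ip_address("192.168.1.1")   # assumed router LAN address

# Constructed sample approximating the rules "Accept DNS Configuration =
# Exclusive" installs for policy-routed clients. Chain name, tunnel resolver
# and client addresses are assumptions, not values from the post.
SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:DNSVPN1 - [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j DNSVPN1
-A PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN1
-A DNSVPN1 -s 192.168.1.50/32 -j DNAT --to-destination 10.8.0.1
-A DNSVPN1 -s 192.168.1.51/32 -j DNAT --to-destination 10.8.0.1
COMMIT
"""


def parse_nat_rules(text):
    """Return {chain: [rule, ...]} for every '-A' line in iptables-save output.
    Only the matches relevant to DNS redirection are kept (-s, -p, --dport, -j,
    --to-destination); other options are skipped."""
    chains = {}
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        chain = toks[1]
        rule = {"src": None, "proto": None, "dport": None, "target": None, "to": None}
        i = 2
        while i < len(toks):
            t = toks[i]
            if t == "-s":
                rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
                i += 2
            elif t == "-p":
                rule["proto"] = toks[i + 1]
                i += 2
            elif t == "--dport":
                rule["dport"] = int(toks[i + 1])
                i += 2
            elif t == "-j":
                rule["target"] = toks[i + 1]
                i += 2
            elif t == "--to-destination":
                rule["to"] = toks[i + 1]
                i += 2
            elif t == "-m":
                i += 2          # match extension name; its options are parsed above
            else:
                i += 1
        chains.setdefault(chain, []).append(rule)
    return chains


def dnat_target(chains, chain, src, proto, dport):
    """Walk a chain the way netfilter does: first matching DNAT wins, user
    chains are entered recursively, RETURN hands control back to the caller."""
    for r in chains.get(chain, []):
        if r["src"] is not None and src not in r["src"]:
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["target"] == "DNAT":
            return r["to"]
        if r["target"] == "RETURN":
            return None
        if r["target"] in chains:
            hit = dnat_target(chains, r["target"], src, proto, dport)
            if hit is not None:
                return hit
    return None


def dns_path(client, dns_server, chains, proto="udp"):
    """Classify where a client's query to dns_server goes.
    'lan-direct'    : resolver is another LAN host; the query never traverses
                      the router, so no DNAT can redirect it (leak risk depends
                      entirely on that resolver's upstream).
    'dnat'          : router rewrites the destination to the tunnel resolver.
    'router-or-wan' : router sees it but has no DNAT; dnsmasq/WAN DNS answers."""
    client = ipaddress.ip_address(client)
    dns_server = ipaddress.ip_address(dns_server)
    if dns_server in LAN and dns_server != ROUTER:
        return ("lan-direct", str(dns_server))
    target = dnat_target(chains, "PREROUTING", client, proto, 53)
    if target:
        return ("dnat", target)
    return ("router-or-wan", str(dns_server))


if __name__ == "__main__":
    rules = parse_nat_rules(SAMPLE_NAT)
    for client, dns in [("192.168.1.50", "192.168.1.1"),   # DHCP DNS blank
                        ("192.168.1.50", "192.168.1.6"),   # DHCP DNS = Pi-hole
                        ("192.168.1.99", "192.168.1.1")]:  # not policy-routed
        print(client, "->", dns, ":", dns_path(client, dns, rules))
```

With the DHCP DNS slots blank, the policy-routed client sends its query to the router, PREROUTING rewrites it to the tunnel resolver, and dnsleaktest shows the VPN provider. With the Pi-hole addresses in the DHCP slots the same client talks to 192.168.1.6 directly, the DNAT never fires, and whatever upstream the Pi-hole uses is what the leak test reports.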