PIA and maybe pi-hole problems

paddy-stone
Having a weird problem. Just recently on my desktop, if I have PIA set to PIA DNS, it'll connect, but it won't resolve safelinking.net links either on browsers or jdownloader.

And also, if I set PIA's DNS to the pi-hole IP address, then it won't connect - well technically it's "connecting", but doesn't give me any connectivity or IP address. I only can connect if I set a public DNS address, or use PIA DNS.

 

For reference, other devices DNS settings set to pi-hole work fine, and also when not using PIA VPN on my desktop then DNS settings set to pi-hole works fine.

 

Any clue as to what could be wrong? I can't set up the DNS to be on the router, the ISP router has DNS settings disabled, which is why I am now setting up separately on devices themselves since my last router went wonky. Also, I still had this problem with the desktop, even with DNS server set on the router level.

 

Pi-hole is setup on my raspberry pi 4, and also has fail2ban installed.

 

Thanks for any ideas here.

Please quote my post, or put @paddy-stone if you want me to respond to you.

Spoiler
  • PCs:- 
  • Main PC build  https://uk.pcpartpicker.com/list/2K6Q7X
  • ASUS x53e  - i7 2670QM / Sony BD writer x8 / Win 10, Elemetary OS, Ubuntu/ Samsung 830 SSD
  • Lenovo G50 - 8Gb RAM - Samsung 860 Evo 250GB SSD - DVD writer
  •  
  • Displays:-
  • Philips 55 OLED 754 model
  • Panasonic 55" 4k TV
  • LG 29" Ultrawide
  • Philips 24" 1080p monitor as backup
  •  
  • Storage/NAS/Servers:-
  • ESXI/test build  https://uk.pcpartpicker.com/list/4wyR9G
  • Main Server https://uk.pcpartpicker.com/list/3Qftyk
  • Backup server - HP Proliant Gen 8 4 bay NAS running FreeNAS ZFS striped 3x3TiB WD reds
  • HP ProLiant G6 Server SE316M1 Twin Hex Core Intel Xeon E5645 2.40GHz 48GB RAM
  •  
  • Gaming/Tablets etc:-
  • Xbox One S 500GB + 2TB HDD
  • PS4
  • Nvidia Shield TV
  • Xiaomi/Pocafone F2 pro 8GB/256GB
  • Xiaomi Redmi Note 4

 

  • Unused Hardware currently :-
  • 4670K MSI mobo 16GB ram
  • i7 6700K  b250 mobo
  • Zotac GTX 1060 6GB Amp! edition
  • Zotac GTX 1050 mini

 

 


Ahh, also I guess I could turn off DHCP on the router, and get the pi to be the DHCP server, that would at least allow IOT devices to use the pi-hole. But I'd still have the problem with the desktop.


Not sure about that particular domain not resolving but changing your DNS to the Pihole will activate the DNS leak protection.

[Out-of-date] Want to learn how to make your own custom Windows 10 image?

 

Desktop: AMD R9 3900X | ASUS ROG Strix X570-F | Radeon RX 5700 XT | EVGA GTX 1080 SC | 32GB Trident Z Neo 3600MHz | 1TB 970 EVO | 256GB 840 EVO | 960GB Corsair Force LE | EVGA G2 850W | Phanteks P400S

Laptop: Intel M-5Y10c | Intel HD Graphics | 8GB RAM | 250GB Micron SSD | Asus UX305FA

Server 01: Intel Xeon D 1541 | ASRock Rack D1541D4I-2L2T | 32GB Hynix ECC DDR4 | 4x8TB Western Digital HDDs | 32TB Raw 16TB Usable

Server 02: Intel i7 7700K | Gigabye Z170N Gaming5 | 16GB Trident Z 3200MHz


1 minute ago, 2FA said:

Not sure about that particular domain not resolving but changing your DNS to the Pihole will activate the DNS leak protection.

 Yeah, sorry I forgot to mention that I turned off leak protection.


9 minutes ago, paddy-stone said:

Pi-hole is setup on my raspberry pi 4, and also has fail2ban installed.

Why? Unless you've opened ports to the internet, fail2ban isn't really needed. Your Pi-hole shouldn't be reachable from the Internet in any case.

 

By default VPN clients block all traffic that isn't routed through them. There should be an option to make an exception for your local network:
https://www.privateinternetaccess.com/helpdesk/kb/articles/i-cannot-access-devices-on-my-local-network

 

Without that it is probably blocking DNS requests to IPs on your local network (which is where the Pi-hole is, I presume)

Remember to either quote or @mention others, so they are notified of your reply


4 minutes ago, Eigenvektor said:

Why? Unless you've opened ports to the internet, fail2ban isn't really needed. Your Pi-hole shouldn't be reachable from the Internet in any case.

 

By default VPN clients block all traffic that isn't routed through them. There should be an option to make an exception for your local network:
https://www.privateinternetaccess.com/helpdesk/kb/articles/i-cannot-access-devices-on-my-local-network

 

Without that it is probably blocking DNS requests to IPs on your local network (which is where the Pi-hole is, I presume)

Yes, I already have "Allow LAN traffic" selected... I'm not having a problem with anything else to do with PIA, just setting it to pi-holes address, and resolving the safelinking.net domain.... guessing they blocked it on PIA DNS servers now as I never had a problem connecting until a week or 2 ago.

 

Yes I have ports open, because it also runs my VPN server... hence the fail2ban setup.

 

I have had PIA for years now, can access my local network fine etc, including my servers etc from my PC... the only thing I can't do as of around a week or 2 ago, is get the pi-hole to be the DNS server while using PIA.

 


Oh, yeah forgot again sorry, PIA prog had an update a few days ago, which is when the problem connecting to pi-hole DNS server started IIRC... sorry I forgot to mention it, as it was around the same time that my router flaked out.... and was trying to sort out the 2 problems simultaneously.

@Eigenvektor @2FA


1 minute ago, paddy-stone said:

Oh, yeah forgot again sorry, PIA prog had an update a few days ago, which is when the problem connecting to pi-hole DNS server started IIRC... sorry I forgot to mention it, as it was around the same time that my router flaked out.... and was trying to sort out the 2 problems simultaneously.

Yeah, sounds like the update might have broken something.

 

In that case I'd probably use something like nmap to see if port 53 on the Pi shows up as open while you're connected with PIA. And also have a look at the logs on the Pi, to see whether e.g. fail2ban is blocking you for some reason (though your internal IP shouldn't change).


1 minute ago, Eigenvektor said:

Yeah, sounds like the update might have broken something.

 

In that case I'd probably use something like nmap to see if port 53 on the Pi shows up as open while you're connected with PIA. And also have a look at the logs on the Pi, to see whether e.g. fail2ban is blocking you for some reason (though your internal IP shouldn't change).

I don't think fail2ban is blocking me, as I can still access the pi using ssh via putty, and no IPs are banned currently when I look up sshd.

 

Is that running nmap on the PC (windows) where I am using PIA, or running nmap on the pi?

 

Thanks for the suggestions.

 


6 minutes ago, paddy-stone said:

I don't think fail2ban is blocking me, as I can still access the pi using ssh via putty, and no IPs are banned currently when I look up sshd.

 

Is that running nmap on the PC (windows) where I am using PIA, or running nmap on the pi?

 

Thanks for the suggestions.

Hm, ok so that means PIA shouldn't be blocking you from accessing it in general, just DNS for some reason. Any chance the update reset the DNS leak protection setting (or the update broke the setting)?

 

On your PC, something like "nmap -P0 -p 53 <ip>", where "ip" is the Pi's IP address. Ideally the port should come back as open. Is there a log for PIA that would show e.g. that the attempt by nmap was being blocked as a leak?

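An added example, not part of the original posts: `nmap -p 53` without `-sU` tests TCP only, while resolvers send queries over UDP first, so an open port does not prove the Pi-hole answers through the VPN client. This sketch sends a real A query over UDP and separates "no reply" from "answered but sinkholed"; the function names are hypothetical, and the `0.0.0.0` check assumes Pi-hole's default NULL blocking mode.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Encode a recursive A-record query (RD flag set) for `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(buf, pos):
    while buf[pos] and buf[pos] & 0xC0 != 0xC0:    # walk plain labels
        pos += buf[pos] + 1
    return pos + (2 if buf[pos] else 1)            # pointer: 2 bytes, root: 1

def parse_a_records(resp):
    """Return (rcode, [IPv4 strings]) from a raw DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(resp, pos) + 4            # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:              # A record
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, addrs

def classify(rcode, addrs):
    """Turn a parsed reply into a troubleshooting verdict."""
    if rcode != 0:
        return "nxdomain" if rcode == 3 else "server-error"
    # Assumption: the resolver sinkholes blocked names to 0.0.0.0.
    if addrs and all(a == "0.0.0.0" for a in addrs):
        return "sinkholed"
    return "resolved" if addrs else "no-answer"

def probe(server, name, timeout=3.0):
    """Query `server` over UDP/53; 'no-reply' means the packet path is blocked."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            data, _ = s.recvfrom(512)
        except OSError:                            # timeout or unreachable
            return "no-reply"
    return classify(*parse_a_records(data))
```

Run `probe("<pi-hole-ip>", "safelinking.net")` once with the VPN connected and once without: "no-reply" only while connected points at the VPN client dropping LAN DNS, whereas "sinkholed" in both cases points at the blocklist.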

7 minutes ago, Eigenvektor said:

Hm, ok so that means PIA shouldn't be blocking you from accessing it in general, just DNS for some reason. Any chance the update reset the DNS leak protection setting (or the update broke the setting)?

 

On your PC, something like "nmap -P0 -p 53 <ip>", where "ip" is the Pi's IP address. Ideally the port should come back as open.

 

Yep, came back as open

 

 

Well, wouldn't you know it, I just changed the settings from openvpn to wireguard, and now the raspberrypi can be the DNS server fine... it's returning DNS queries fine.

I tried safelinking.net again, and still wasn't resolving, so added safelinking.net to the whitelist and is now going through OK.

 

Thanks for the help.. I'm guessing it must have been an openvpn bug then if switching to wireguard fixed the problem with not allowing the pi-hole's DNS server.

Anyway, I am happy now, all is as it should be again :D
