
Hello,

I am fairly new to networking and am struggling to understand exactly how VPNs and DNS interact.

 

I am currently running Mullvad VPN from my computer. I want to set up a PiHole for my entire network.

From my understanding I will be changing my router's DNS to be the PiHole so it can function as a DNS-level adblocker. My understanding of the VPN is that through using the VPN provider's DNS my ISP does not see my queries and my traffic is encrypted. If I wanted to use both my VPN and a PiHole I can manually change the DNS for the VPN to be my PiHole DNS.

 

My confusion then arises from how the VPN would interact with the PiHole as my DNS.

Will the VPN encrypt my traffic after the PiHole DNS as it travels to other upstream DNS and eventually wherever I am trying to reach?

Or will my VPN now be worthless as my traffic would not be encrypted and my ISP and all other upstream DNS would see it?

https://linustechtips.com/topic/1220532-vpn-and-dns-interactions/

I do not have the PiHole set up yet actually. I was trying to gather information first beforehand but if it depends on the VPN configuration I'll run with it then.

What exactly do you mean by a dns hit?

If I just search something with the VPN DNS being the PiHole how would that show me if it is encrypted while traveling post PiHole?


3 minutes ago, Zaproid said:

I do not have the PiHole set up yet actually. I was trying to gather information first beforehand but if it depends on the VPN configuration I'll run with it then.

What exactly do you mean by a dns hit?

If I just search something with the VPN DNS being the PiHole how would that show me if it is encrypted while traveling post PiHole?

If you're sending DNS requests to the Pi-hole, it will work like any other DNS hit.

What is your goal with the VPN? Normally, if you don't put DNS requests over a VPN, you can see a good amount about what is going on.


1 hour ago, Electronics Wizardy said:

If you're sending DNS requests to the Pi-hole, it will work like any other DNS hit.

What is your goal with the VPN? Normally, if you don't put DNS requests over a VPN, you can see a good amount about what is going on.

My goal with the VPN is to hide my traffic from my ISP.

I am right now putting my DNS requests over a VPN, but if I got a Pi-hole then that would function as my DNS.

Which then I don't know if my VPN does anything at that point.


2 minutes ago, Zaproid said:

My goal with the VPN is to hide my traffic from my ISP.

I am right now putting my DNS requests over a VPN, but if I got a Pi-hole then that would function as my DNS.

Which then I don't know if my VPN does anything at that point.

Pi-hole also supports DNS over HTTPS, so then they can't see the DNS requests.

Normally the VPN has an option to run DNS over their VPN; you can check this by looking at the options or doing a packet capture.


2 hours ago, Electronics Wizardy said:

Pi-hole also supports DNS over HTTPS, so then they can't see the DNS requests.

Normally the VPN has an option to run DNS over their VPN; you can check this by looking at the options or doing a packet capture.

Apologies for the ignorance but what exactly is that last sentence saying?

I know I can change my VPN to run a different DNS over their own one, and this would be what I do for the Pi-hole. But my question still remains as to whether the VPN then does anything beneficial. I am wondering if it still encrypts my traffic after using a different DNS?

I also have looked more into DNS over HTTPS and I see that as an option. But I would prefer to keep my VPN operational if possible, as I trust my VPN provider and would still like to hide my requests from Cloudflare, which I don't think would be possible using DoH.


Just now, Zaproid said:

am wondering if it still encrypts my traffic after using a different DNS?

If it is going to your Pi-hole, then the DNS requests won't go over the VPN.

 

1 minute ago, Zaproid said:

As I trust my VPN provider and would still like to hide my requests from Cloudflare, which I don't think would be possible using DoH.

You can't hide your DNS requests from the DNS provider; they will always see it, VPN or not, DoH or not. All of this is to hide things from a person in the middle.

DoH will make it so the ISP has no idea what DNS requests are being made.


1 hour ago, Electronics Wizardy said:

If it is going to your Pi-hole, then the DNS requests won't go over the VPN.

You can't hide your DNS requests from the DNS provider; they will always see it, VPN or not, DoH or not. All of this is to hide things from a person in the middle.

DoH will make it so the ISP has no idea what DNS requests are being made.

Perhaps I have a fundamental misunderstanding of how VPNs work then.

I know you cannot hide your DNS requests. But what I thought was happening when running a VPN was that you first use the VPN's DNS, then any upstream DNS you need to connect to sees the IP address of the VPN, not your computer's personal IP address, making you more private/not immediately personally identifiable.

If I am running just a Pi-hole, I connect with my computer's IP address to the Pi-hole DNS. Then any additional upstream DNS would still see my computer's IP address asking them for info.

I thought it might be possible to first use the Pi-hole DNS, then "connect" to my VPN so all upstream traffic isn't identified with me.

The Pi-hole DNS will know it is me no matter what. I am concerned about what happens after that. I could be completely off the mark with my thoughts here though.

Edit: Would it be possible to set the upstream DNS to my VPN provider, do you know? That seems like it would fix what I am looking for.


1 hour ago, Zaproid said:

Perhaps I have a fundamental misunderstanding of how VPNs work then.

I know you cannot hide your DNS requests. But what I thought was happening when running a VPN was that you first use the VPN's DNS, then any upstream DNS you need to connect to sees the IP address of the VPN, not your computer's personal IP address, making you more private/not immediately personally identifiable.

If I am running just a Pi-hole, I connect with my computer's IP address to the Pi-hole DNS. Then any additional upstream DNS would still see my computer's IP address asking them for info.

I thought it might be possible to first use the Pi-hole DNS, then "connect" to my VPN so all upstream traffic isn't identified with me.

The Pi-hole DNS will know it is me no matter what. I am concerned about what happens after that. I could be completely off the mark with my thoughts here though.

Edit: Would it be possible to set the upstream DNS to my VPN provider, do you know? That seems like it would fix what I am looking for.

Lots of VPN software has an exception for your LAN network, so devices on your LAN can connect, so things like a NAS, streaming to your TV, and administrating devices on your network still work. Since your Pi-hole is on your local network, you can still connect to it, and those DNS requests won't be affected by the VPN.

Basically, your VPN on your computer won't touch the Pi-hole traffic if you use Pi-hole.

One way to fix this is to run the VPN on your router, so every device goes over the VPN, not just your desktop.

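The LAN-exception behaviour described in this reply, together with the fix suggested in the final reply of the thread (a VPN client on the Pi-hole host itself), modelled as an added example that is not code from the thread or from Mullvad or Pi-hole: a longest-prefix route lookup over constructed routing tables shows which hop of a DNS lookup leaves inside the tunnel and which leaves through the ISP. All addresses and interface names are assumed placeholders.

```python
import ipaddress

# Constructed tables; addresses and interface names are assumptions (real ones come from `ip route`).
DESKTOP_ROUTES = [
    ("0.0.0.0/0", "wg0-mullvad"),   # VPN client: default route enters the tunnel
    ("192.168.1.0/24", "eth0"),     # LAN exception: local devices stay off the tunnel
    ("203.0.113.10/32", "eth0"),    # the VPN server endpoint itself must leave via the ISP
]
PIHOLE_ROUTES = [
    ("0.0.0.0/0", "eth0"),          # Pi-hole host with no VPN client: everything via the ISP
    ("192.168.1.0/24", "eth0"),
]
PIHOLE_WITH_VPN_ROUTES = [
    ("0.0.0.0/0", "wg0"),           # fix from the last reply: a VPN client on the Pi-hole host
    ("192.168.1.0/24", "eth0"),
    ("203.0.113.10/32", "eth0"),
]
TUNNEL_IFACES = {"wg0-mullvad", "wg0"}

def egress_interface(routes, dst):
    """Longest-prefix match: the interface a packet to `dst` leaves on."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]

def dns_path(client_routes, resolver, upstream=None, resolver_routes=None):
    """Trace a lookup hop by hop. Each hop is (destination, interface,
    inside_vpn_tunnel). When `resolver_routes` is given, the resolver is a
    host we control (the Pi-hole) that forwards using its OWN routing table."""
    iface = egress_interface(client_routes, resolver)
    hops = [(resolver, iface, iface in TUNNEL_IFACES)]
    if resolver_routes is not None and upstream is not None:
        iface = egress_interface(resolver_routes, upstream)
        hops.append((upstream, iface, iface in TUNNEL_IFACES))
    return hops

if __name__ == "__main__":
    for label, path in [
        ("VPN provider resolver", dns_path(DESKTOP_ROUTES, "198.51.100.53")),
        ("LAN Pi-hole, no VPN on it", dns_path(DESKTOP_ROUTES, "192.168.1.2", "1.1.1.1", PIHOLE_ROUTES)),
        ("LAN Pi-hole with its own VPN", dns_path(DESKTOP_ROUTES, "192.168.1.2", "1.1.1.1", PIHOLE_WITH_VPN_ROUTES)),
    ]:
        print(label, path)
```

On a real host, `ip route get <resolver-ip>` run on the desktop and then on the Pi-hole gives the same answer for the live tables, and a packet capture on the non-tunnel interface confirms which queries leave in the clear.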

3 hours ago, Zaproid said:

Hello,

I am fairly new to networking and am struggling to understand exactly how VPNs and DNS interact.

 

I am currently running Mullvad VPN from my computer. I want to set up a PiHole for my entire network.

From my understanding I will be changing my router's DNS to be the PiHole so it can function as a DNS-level adblocker. My understanding of the VPN is that through using the VPN provider's DNS my ISP does not see my queries and my traffic is encrypted. If I wanted to use both my VPN and a PiHole I can manually change the DNS for the VPN to be my PiHole DNS.

 

My confusion then arises from how the VPN would interact with the PiHole as my DNS.

Will the VPN encrypt my traffic after the PiHole DNS as it travels to other upstream DNS and eventually wherever I am trying to reach?

Or will my VPN now be worthless as my traffic would not be encrypted and my ISP and all other upstream DNS would see it?

Okay, so most of the time you can use both a VPN and your own DNS server like Cloudflare's 1.1.1.1, which is what I do with my PIA on my phone (I choose the 1.1.1.1 DNS from Cloudflare for the privacy, but I am also planning on installing a Pi-Hole network that caches IPs and other important info). Now in most VPN settings you can just change it so that you can use your local DNS server or whatever you want. What you can also do, if you don't want to use Cloudflare's DNS, is to figure out the DNS IPs for Mullvad and set them on the Pi-Hole; then from there it would block the ads plus encrypt your data.


14 minutes ago, AidenTheBotLol said:

Okay, so most of the time you can use both a VPN and your own DNS server like Cloudflare's 1.1.1.1, which is what I do with my PIA on my phone (I choose the 1.1.1.1 DNS from Cloudflare for the privacy, but I am also planning on installing a Pi-Hole network that caches IPs and other important info). Now in most VPN settings you can just change it so that you can use your local DNS server or whatever you want. What you can also do, if you don't want to use Cloudflare's DNS, is to figure out the DNS IPs for Mullvad and set them on the Pi-Hole; then from there it would block the ads plus encrypt your data.

Setting the Pi-hole to the VPN's DNS won't affect anything, and probably won't work, as the Pi-hole won't be on a VPN.

If you use a public DNS server, it will normally run over the VPN, but if it's on your LAN it will normally not go over the VPN.


If you point your VPN's DNS settings to Pi-hole, then Pi-hole will act as your DNS resolver. If Pi-hole lets the address through, it will send it towards whatever DNS you tell it to in the settings. This will make the DNS resolver effectively bypass the VPN. If you want Pi-hole to also go through the VPN, you'll have to set up a separate VPN client on the same machine running Pi-hole and point Pi-hole to go through that.
