Is there a way to only use my VPN's DNS?

So I found out recently that I’m getting DNS leaks through my pihole, which defeats the purpose of me using a VPN. Is there a way to ignore the pihole when connected to a VPN, or set it up so my ISP cannot, in any way, shape, or form, see my DNS queries? I tried to set up dnscrypt-proxy, but it didn’t work. Honestly, I’m quite the newbie when it comes to this stuff. I’d also like a reliable way to test if it works or not.

OS is Debian Bullseye.

Edit: I figured it out. The way I had it set up on my router, all traffic went through the pihole regardless, which caused the DNS leak.

For starters, a VPN should not use Pihole by default… many of them don’t even allow you to use a separate DNS. But in my opinion that’s a good thing, as that means ads are still blocked!

So I will assume you trust your Pihole; the only problem is when Pihole is looking up a domain online.
If you encrypt Pihole’s resolutions, the only unencrypted part will be between Pihole and the client, but that’s your own infrastructure (and to be fair the only way to use Pihole as a standard resolver).

You should look up how to set up Unbound or Cloudflare as Pihole’s resolver, instead of a regular resolver (in practice, 127.0.0.1:xxxx instead of a WAN address on port 53).
What you are looking for is DNS-over-TLS (DoT, port 853) resolution, or the special case of DNS-over-HTTPS (DoH, port 443), which disguises DoT as regular internet traffic.

Note that your ISP can still see that you’re reaching known DoT resolvers and VPN providers, and will deduce you’re trying to be sneaky. They will simply be unable to see or change what end-services you are reaching.
The ISP also has the power to block port 853 (at which point you’ll need DoH) or cut access to those specific servers to “force” you into using less secure techs.

You didn’t really clarify your setup.

Is the Debian box VPN’d out? Or something else on your network?

Here is what I would expect to happen (just as background, OP, and because you said you’re new to networking):

  1. Machine connects to your network (or phone or whatever)
  2. It gets a DHCP assigned address. As part of the DHCP options it gets your pihole address
  3. Now it can communicate on your network and on the internet
  4. You turn on and connect to your VPN
  5. The machine now has 2 addresses: 1 on your network, 1 from the VPN provider
    1. The VPN provider should also be assigning DNS as part of its VPN IP
    2. The client should use the DNS provided by the VPN provider as a default

So, in my experience, unless you messed around with hard coded DNS entries, this should all work smoothly.

Please explain more about your config and I’m sure people can help :slight_smile:

Good luck!

That sounds useful, but could you simplify it a bit? What do I actually need to do in the interface?

edit: Is this good? https://i.imgur.com/wPWQEug.png

Again, absolute newbie, sorry.

I have the pihole on my raspberry pi, and the VPN works from my debian PC. I’m not sure what else I did. (again, absolute newbie).

What I know is that when I look at the pihole’s log, I see traffic that happened while connected to the VPN and labelled as “Insecure”.

Sadly I don’t know enough to help. I’m using Unbound in authoritative mode, not for DoT. :frowning:
Pihole doesn’t support DoT itself, but the interface allows you to call a resolver on any port, including its own machine.

What you will need to do is
0) Find 1 good guide about how to set up DoT on Pihole, rather than reading a random redditor

  1. Find a trusted DoT/DoH resolver.
  2. Install a separate piece of DNS software capable of contacting DoT resolvers (I know Cloudflared by name; I think Unbound is able to do it too?), listening on another port
  3. Configure said software to use your DoT resolver

From there, your server will have two DNS resolvers, one on port 53 (Pihole) and your new DoH resolver on another port (let’s say 3553). Check with dig, nslookup, etc. that the secondary resolver is able to gather domains correctly. (If the port is only bound to the loopback address, you will need to check from the server!)
Note that up to now you haven’t touched Pihole in any way; you’ve simply set up another service on the same server on a different port.

  4. In Pihole’s resolver list, replace it with 127.0.0.1:3553 so that all “outside” queries are sent to your secondary resolver.

If everything is done well, this is what will happen:

  1. Client needs a domain and asks Pihole on port 53 (unencrypted, regular DNS happens on the LAN).
  2. Pihole doesn’t block the domain but doesn’t know it and asks its resolver on 127.0.0.1 (“unencrypted” but doesn’t exit the machine)
  3. Secondary resolver doesn’t know the domain and asks the DoT resolver (encrypted request to the outside world)
  4. The DoT resolver asks the authoritative servers (unencrypted, regular DNS which can’t be tied to you)
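The “check with dig, nslookup, etc.” step above is the one most people skip. The script below is an added example, not from the poster or from Pi-hole, that does that check without relying on dig being installed: it builds a raw UDP DNS query, sends it to both resolvers on the server’s loopback interface, and prints the RCODE and any A records that come back. The ports (Pi-hole on 53, the DoT/DoH forwarder on 3553) and the query name are assumptions taken from the post; adjust them to your setup. The embedded sample reply is constructed for the offline self-check and was not captured from a real server.

```python
"""Minimal raw-DNS checker for the two-resolver Pi-hole layout described above.

Added example (not part of the thread or of Pi-hole). Assumed layout, per the
post: Pi-hole listening on 127.0.0.1:53 and a DoT/DoH forwarder on
127.0.0.1:3553. Run it on the server itself, since the forwarder is usually
bound to loopback only.
"""
import socket
import struct
import sys

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, txid: int) -> bytes:
    """Build a single-question A/IN query with the RD (recursion desired) flag set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(data: bytes, expected_txid: int):
    """Return (rcode, [IPv4 strings]) from a response; reject mismatched IDs."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply?)")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x0F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return rcode, addrs


def resolve(name: str, server: str, port: int, timeout: float = 3.0):
    """Send one UDP query to server:port and return (rcode, addresses)."""
    txid = 0x4242
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, port))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


# Constructed sample reply (not captured from a real server): NOERROR for
# example.com with one A record pointing at 203.0.113.10 (TEST-NET-3).
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack(">HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 3600, 4)
    + bytes([203, 0, 113, 10])
)


def main(argv):
    name = argv[1] if len(argv) > 1 else "example.com"
    # Assumed ports from the post: Pi-hole on 53, the DoT/DoH forwarder on 3553.
    for label, port in (("pihole", 53), ("dot-forwarder", 3553)):
        try:
            rcode, addrs = resolve(name, "127.0.0.1", port)
            print(f"{label:14} 127.0.0.1:{port} -> {RCODE_NAMES.get(rcode, rcode)} {addrs}")
        except (socket.timeout, OSError, ValueError) as exc:
            print(f"{label:14} 127.0.0.1:{port} -> FAILED ({exc})")


if __name__ == "__main__":
    main(sys.argv)
```

If the forwarder line prints FAILED with a timeout, the secondary resolver is not listening where Pi-hole is about to be pointed, and switching Pi-hole over will take the whole LAN offline for DNS. Once both lines return the same addresses, step 4 is safe to apply; after that, a domain on your blocklist should come back from the Pi-hole side as 0.0.0.0 (Pi-hole’s default blocking mode) while the forwarder, which knows nothing about the blocklist, still returns the real address.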

Is that something I absolutely have to do though? Sounds pretty complex, tbh.

In theory it’s not complex if you have a good guide with good sample configurations… setting up unbound for recursive checking was so easy I don’t even remember it!

I think I found one guide, but I can’t vouch for it.
https://bartonbytes.com/posts/configure-pi-hole-for-dns-over-tls/
[EDIT] Hey, it’s so easy I’ll probably try to do it this weekend! I just need to check if I can have two unbounds for my needs…