In the cloned pi-hole vm be sure to set the dns IPs to dns servers that are used by your vpn.
could you tell me how to do it please? I have a protonvpn vpn,
I’m ashamed, I don’t know how to set the DNS IP addresses to the DNS servers used by my VPN. As I am not a pro, I believe that my sys-vpn machine does not act as a DNS server, it just acts as a VPN.
I’m referring to the dns IP addresses that you have to provide to pi-hole. Instead of choosing a brand name dns provider (eg, Quad9, Cloudflare, etc…) you should enter two custom IP addresses provided by proton. I don’t have these offhand, but I found them at one point just by searching for dns & proton vpn.
I searched a lot and I can’t find them. The public DNS of the other providers I find in an instant; ProtonVPN, I don’t understand why I can’t find them. Also, in the network manager of my sys-vpn there aren’t any, and in /etc/resolv.conf I find name servers which are given by Qubes OS. I don’t know any command which allows me to display the DNS in question, it’s really complicated.
Qubes handles dns in a way I still don’t fully grasp, so I appreciate that it feels complicated. When it comes to pihole it’s simple though. In the admin interface just choose Settings > DNS and enter the IP addresses.
You may have better luck searching Reddit for the DNS server IPs. Here are a couple of links that may point you in the right direction:
Sorry, I cannot comment to your leaks issue. My proposal was to use your own DNS service. No need for VPN DNS, no need for encrypted DNS. To me it is a super cool feature of the pi-hole. Worth testing.
This is what I’m using right now, isn’t this my own DNS service?
Pi-hole installed with NextDNS, because there are several Pi-hole installation tutorials, and I followed the one with NextDNS.
And I didn’t quite understand what you mean by my own DNS?
It’s hard to know for sure without seeing the test results, but it sounds like retaining the NextDNS servers in your cloned pihole is the reason for the failed DNS leak test. You should only use the IPs provided by proton in the pihole that sits behind the vpn vm. I’m not sure how the test would interpret use of unbound, but I agree that it’s super cool.
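The check the reply above describes can be scripted. The following is an added example, not code from this thread or from the Pi-hole project: it reads the PIHOLE_DNS_N keys from Pi-hole v5’s /etc/pihole/setupVars.conf (which may carry an optional “ip#port” suffix, as an unbound setup uses), reports any upstream that is neither one of the VPN-provided resolvers nor a local recursive resolver on loopback, and also lists what /etc/resolv.conf in the qube currently points at. The sample files and the 203.0.113.x addresses are constructed placeholders; the real allowed set is whatever resolvers your VPN provider documents.

```python
"""Audit which upstream resolvers a Pi-hole forwards to (added example).

A Pi-hole sitting behind a VPN qube should only forward to the resolvers the
VPN provides (or to a local recursive resolver such as unbound on loopback).
Any other upstream left over from an earlier install, e.g. NextDNS or Quad9,
bypasses the VPN's resolvers and shows up as a DNS leak.
"""
import ipaddress
import sys

# Constructed sample of /etc/pihole/setupVars.conf (Pi-hole v5 key names).
# 203.0.113.x are RFC 5737 documentation addresses standing in for the VPN's
# resolvers; PIHOLE_DNS_3 is a leftover public resolver, PIHOLE_DNS_4 is a
# local unbound instance.
SAMPLE_SETUPVARS = """\
PIHOLE_INTERFACE=eth0
PIHOLE_DNS_1=203.0.113.10
PIHOLE_DNS_2=203.0.113.11
PIHOLE_DNS_3=9.9.9.9
PIHOLE_DNS_4=127.0.0.1#5335
DNSSEC=true
"""

# Constructed /etc/resolv.conf. In a Qubes AppVM this normally lists the
# 10.139.1.x resolvers the netvm hands out, not the VPN's own servers.
SAMPLE_RESOLV = """\
# Generated by NetworkManager
nameserver 10.139.1.1
nameserver 10.139.1.2
"""


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_pihole_upstreams(text):
    """Return [(key, ip, port)] for each PIHOLE_DNS_N line; port defaults to 53."""
    upstreams = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("PIHOLE_DNS_") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        host, _, port = value.strip().partition("#")
        upstreams.append((key, host, int(port) if port else 53))
    return upstreams


def classify_upstreams(upstreams, allowed):
    """Bucket upstreams as ok (VPN resolver), local (loopback) or leak."""
    allowed_ips = {ipaddress.ip_address(a) for a in allowed}
    buckets = {"ok": [], "local": [], "leak": []}
    for key, host, port in upstreams:
        ip = ipaddress.ip_address(host)
        if ip.is_loopback:
            buckets["local"].append((key, host, port))
        elif ip in allowed_ips:
            buckets["ok"].append((key, host, port))
        else:
            buckets["leak"].append((key, host, port))
    return buckets


def audit(setupvars_text, allowed):
    """Return (clean, buckets); clean is True when no upstream leaks."""
    buckets = classify_upstreams(parse_pihole_upstreams(setupvars_text), allowed)
    return not buckets["leak"], buckets


def main(argv):
    # Usage: audit_pihole.py ALLOWED_IP [ALLOWED_IP ...]  (reads the real files)
    # With no arguments it runs against the constructed samples above.
    if len(argv) > 1:
        allowed = argv[1:]
        setupvars = open("/etc/pihole/setupVars.conf").read()
        resolv = open("/etc/resolv.conf").read()
    else:
        allowed = ["203.0.113.10", "203.0.113.11"]
        setupvars, resolv = SAMPLE_SETUPVARS, SAMPLE_RESOLV
    clean, buckets = audit(setupvars, allowed)
    print("resolv.conf nameservers:", parse_resolv_conf(resolv))
    for name, entries in buckets.items():
        for key, host, port in entries:
            print(f"{name:5s} {key}={host}#{port}")
    print("no leaking upstreams" if clean else "LEAK: remove the entries marked 'leak'")
    return 0 if clean else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the VPN’s resolver addresses as arguments inside the Pi-hole qube; a non-zero exit means at least one upstream is neither the VPN’s nor local, which is exactly the condition that makes a leak test fail. Pi-hole v6 keeps its configuration in pihole.toml instead, so the parser above only applies to v5-style setupVars.conf.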
I have been struggling to set this up recently and your instruction file was exactly what I needed (just changed to non-minimal debian-11, where indeed stopping and disabling resolvconf was not needed. I also commented out the access to the pi-hole web UI from other VMs, following the comments you provided in qubes-firewall-user-script).
Your post should be marked as solution for this thread
Also thanks for that epic adlist ! It’s really useful !
Thanks @unman for this amazing task-gui tool.
I used it for installing sys-pihole. The installation process went fine, without errors. However I don’t have any connectivity with the pihole qube, for the obvious reason that all its interfaces are down. Below is the output:
user@sys-pihole in ~ $ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:16:3e:5e:6c:00 brd ff:ff:ff:ff:ff:ff
Note that in my qubes-manager, the sys-pihole has a correct IP address assigned: 10.137.0.53
Since I have not looked at the .sls files and .sh scripts too much, I prefer to ask here first if you know how to solve this.
Thanks for the support.
Thanks a lot for the instructions of @TheGardner, this worked great. I have one minor issue with being forced to manually restart unbound after hibernation, but this is quite erratic. Hope to trace it down with logging when I have patience for this.
@unman was providing his salt formula package for sys-pihole as a drop-in for the firewall. Forgive me that I do not quite grasp the full picture, but I wonder if it is possible to include the firewall in @TheGardner’s approach as well? Or vice versa, include unbound with DNSSEC in @unman’s sys-pihole? I tried to reconstruct what happens with the salt formulas, but after some hours comparing the setups I still don’t get it (still a newbie).
My feeling tells me that localhost is then double-used (for dns and firewall), so it would not work… Any insight appreciated.
The version of sys-pihole I ship has firewall incorporated.
Rather than use unbound it uses Quad9 for DNS with DNSSEC enabled.
I’m not sure I see any great advantage in using unbound, but if you want it should be straightforward to implement.