Resolved: Pihole for VPN-Clients (Prioritization of DNS-Server)


Today I want to continue tinkering with my LAN/VPN configuration:

Objectives:

  1. all clients dialed in via VPN should use Pihole as DNS resolver
  2. should not only the VPN client but the entire end device be assigned an IP from the address range of the VPN incl. DNS server via DHCP?

Current state:

  • LAN: 192.168.3.0/24
  • Gateway: 191.683.1
  • DNS-Server (piHole) 192.168.3.3

Roadwarrior-VPN:

  • Auth-Mode: User/PW
  • Network: 10.99.10.0
  • Netmask: 255.255.255.0
  • Contact this server on public IP / host: vpn.mydomain.de (the IP is regularly updated with my dynamic IP of my router)
  • Protocol: UDP
  • Port: 1194
  • Compression: no
  • Digest: Auto
  • Cipher: Auto
  • Enforce a minimum TLS version: Auto
  • Allow client-to-client network traffic: yes

Static routes:

  • Push all static routes: yes
  • Route all client traffic through VPN: no
  • Custom routes: 192.168.3.0/24
  • Topology: subnet

Extra parameters

  • Push DHCP options: yes
  • DHCP Domain: lan.home
  • DHCP DNS: 192.168.3.3
  • DHCP WINS:
  • DHCP NBDD:

Account configuration:

DHCP configuration

  • Reserved IP: 10.99.10.31

Remote network:

  • VPN Remote network:
  • VPN Remote netmask:

Local Client Configuration:

Network connection established via personal hotspot of my iPhone

  • WAN-IP 80.###.##.##
  • LAN-IP : 172.20.10.6
  • DNS: 172.20.10.1

Scenario 1

VPN-Client (macOS): Viscosity

Connection settings: Auto

Server:

Domains:

DNS settings assigned to the VPN server: yes

Connection-Log:

2021-02-11 14:21:39: Viscosity Mac 1.9.1 (1563)
2021-02-11 14:21:39: Viscosity OpenVPN Engine Started
2021-02-11 14:21:39: Running on macOS 11.2.1
2021-02-11 14:21:39: ---------
2021-02-11 14:21:39: State changed to Connecting
2021-02-11 14:21:39: Checking reachability status of connection...
2021-02-11 14:21:39: Connection is reachable. Starting connection attempt.
2021-02-11 14:21:39: OpenVPN 2.4.10 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jan 18 2021
2021-02-11 14:21:39: library versions: OpenSSL 1.1.1i 8 Dec 2020, LZO 2.10
2021-02-11 14:21:39: Resolving address: vpn.mydomainde
2021-02-11 14:21:39: Valid endpoint found: 93.###.##.##:1194:udp
2021-02-11 14:21:39: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2021-02-11 14:21:39: TCP/UDP: Preserving recently used remote address: [AF_INET]93.###.##.##:1194
2021-02-11 14:21:39: UDP link local: (not bound)
2021-02-11 14:21:39: UDP link remote: [AF_INET]93.###.##.##:1194
2021-02-11 14:21:39: State changed to Authenticating
2021-02-11 14:21:40: [NethServer] Peer Connection Initiated with [AF_INET]93.###.##.##:1194
2021-02-11 14:21:41: Opened utun device utun10
2021-02-11 14:21:41: /sbin/ifconfig utun10 delete
2021-02-11 14:21:41: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2021-02-11 14:21:41: /sbin/ifconfig utun10 10.99.10.31 10.99.10.31 netmask 255.255.255.0 mtu 1500 up
2021-02-11 14:21:41: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-02-11 14:21:41: Initialization Sequence Completed
**2021-02-11 14:21:41: DNS mode set to Split**
2021-02-11 14:21:41: WARNING: Split DNS is being used however no DNS domains are present. The DNS server/s for this connection may not be used. For more information please see: https://www.sparklabs.com/support/kb/article/warning-split-dns-is-being-used-however-no-dns-domains-are-present/
2021-02-11 14:21:41: State changed to Connected

Outcome: negative

  • macOS-IP: IP of my mobile ISP
  • DNS-Server: 72.20.10.1
  • DIG anything: ;; SERVER: 172.20.10.1#53(172.20.10.1)
  • Ping 192.168.3.3: ok

Scenario 2

VPN-Client (macOS): Viscosity

Connection settings: Full-DNS (use VPN-DNS-Server)

Server:

Domains:

DNS settings assigned to the VPN server: yes

2021-02-11 14:27:18: Viscosity Mac 1.9.1 (1563)
2021-02-11 14:27:18: Viscosity OpenVPN Engine Started
2021-02-11 14:27:18: Running on macOS 11.2.1
2021-02-11 14:27:18: ---------
2021-02-11 14:27:18: State changed to Connecting
2021-02-11 14:27:18: Checking reachability status of connection...
2021-02-11 14:27:18: Connection is reachable. Starting connection attempt.
2021-02-11 14:27:18: OpenVPN 2.4.10 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jan 18 2021
2021-02-11 14:27:18: library versions: OpenSSL 1.1.1i 8 Dec 2020, LZO 2.10
2021-02-11 14:27:18: Resolving address: vpn.mydomainde
2021-02-11 14:27:18: Valid endpoint found: 93.###.##.##:1194:udp
2021-02-11 14:27:18: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2021-02-11 14:27:18: TCP/UDP: Preserving recently used remote address: [AF_INET]93.###.##.##:1194
2021-02-11 14:27:18: UDP link local: (not bound)
2021-02-11 14:27:18: UDP link remote: [AF_INET]93.###.##.##:1194
2021-02-11 14:27:18: State changed to Authenticating
2021-02-11 14:27:19: [NethServer] Peer Connection Initiated with [AF_INET]93.###.##.##:1194
2021-02-11 14:27:19: Opened utun device utun10
2021-02-11 14:27:19: /sbin/ifconfig utun10 delete
2021-02-11 14:27:19: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2021-02-11 14:27:19: /sbin/ifconfig utun10 10.99.10.31 10.99.10.31 netmask 255.255.255.0 mtu 1500 up
2021-02-11 14:27:19: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-02-11 14:27:19: Initialization Sequence Completed
**2021-02-11 14:27:19: DNS mode set to Full**
2021-02-11 14:27:20: State changed to Connected

Outcome: negative

  • macOS-IP: IP of my mobile ISP
  • DNS-Server: 72.20.10.1
  • DIG anything: ;; connection timed out; no servers could be reached
  • Ping 192.168.3.3: ok

Scenario 3

VPN-Client (macOS): Viscosity

Connection settings: Full-DNS (use VPN-DNS-Server)

Server: 192.168.3.3

Domains: lan.home

DNS settings assigned to the VPN server: yes

2021-02-11 14:32:39: Viscosity Mac 1.9.1 (1563)
2021-02-11 14:32:39: Viscosity OpenVPN Engine Started
2021-02-11 14:32:39: Running on macOS 11.2.1
2021-02-11 14:32:39: ---------
2021-02-11 14:32:39: State changed to Connecting
2021-02-11 14:32:39: Checking reachability status of connection...
2021-02-11 14:32:39: Connection is reachable. Starting connection attempt.
2021-02-11 14:32:39: OpenVPN 2.4.10 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jan 18 2021
2021-02-11 14:32:39: library versions: OpenSSL 1.1.1i 8 Dec 2020, LZO 2.10
2021-02-11 14:32:39: Resolving address: vpn.mydomainde
2021-02-11 14:32:39: Valid endpoint found: 93.###.##.##:1194:udp
2021-02-11 14:32:39: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2021-02-11 14:32:39: TCP/UDP: Preserving recently used remote address: [AF_INET]93.###.##.##:1194
2021-02-11 14:32:39: UDP link local: (not bound)
2021-02-11 14:32:39: UDP link remote: [AF_INET]93.###.##.##:1194
2021-02-11 14:32:39: State changed to Authenticating
2021-02-11 14:32:40: [NethServer] Peer Connection Initiated with [AF_INET]93.###.##.##:1194
2021-02-11 14:32:40: Opened utun device utun10
2021-02-11 14:32:40: /sbin/ifconfig utun10 delete
2021-02-11 14:32:40: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2021-02-11 14:32:40: /sbin/ifconfig utun10 10.99.10.31 10.99.10.31 netmask 255.255.255.0 mtu 1500 up
2021-02-11 14:32:40: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-02-11 14:32:40: Initialization Sequence Completed
**2021-02-11 14:32:40: DNS mode set to Full**
2021-02-11 14:32:40: State changed to Connected

Outcome: positive

  • macOS-IP: IP of my mobile ISP
  • DNS-Server: DNS-Server of my ISP 72.20.10.1
  • DIG anything: ;; SERVER: 192.168.3.3#53(192.168.3.3)

What can I do so that my server provides all clients with a configuration that mandates the use of the VPN DNS server (Pihole)?

Sincerely, Marko

@capote

Hi Marko

In Viscosity, this option can be set - Note: This can be forced from the server side!

The same option is also available for the iOS client (And also for the Android client).

My 2 cents
Andy

Can you force only the DNS settings for the split tunnel VPN? In Pfsense there is a feature that does this but it lists Windows 10 as the only OS that this works with.

@royceb

Hi Royce!

OPNsense does provide for a lot of options preset from the server side:

For NethServer there are the needed options…

I will again test and verify it works eg for a Mac / Linux.

My 2 cents
Andy

I’m a dork and didn’t read/understand this post better.

1 Like

@Andy_Wismer
Hi Andy, I don’t want to send all traffic over VPN, but only traffic to the remote network, including DNS requests. The internet traffic should be routed directly.

I remembered our old discussion:

That is why I have not enabled this option. Or have I misunderstood this option?
Best regards, Marko

@capote

No, that was in specific answer to Royce…

Now I am confused…
How do I configure Roadwarrior to route my VPN clients’ DNS requests to my Pihole?
I don’t really want to have to set anything client-side.
Sincerely, Marko

Wouldn’t it come down to who gets priority of your DNS because you are using split tunneling and not routing all of your traffic through the VPN; IE.172.20.10.1 vs 192.168.3.3? Is your end objective to have all DNS routed to your Pihole from the endpoint when connected to the VPN?

Yes, that is the main objective. And the DNS requesting should be controlled by the server configuration via VPN profile, not in the client. Using Viscosity was just an experiment to test the behavior in general.

By the way, the big mystery is that it already worked in a previous configuration of the server a year ago. I actually thought I had configured the VPN server identically… But I must have done something wrong.

who gets priority of your DNS

If this would be the solution, where can I set this priority (on the server side)?

Scenario 1:

~# scutil --dns
DNS configuration

resolver #1
search domain[0] : lan.home
nameserver[0] : fe80::a8:9e77:a710:8d1e%en0
nameserver[1] : 172.20.10.1
if_index : 6 (en0)
flags : Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
domain : lan.home
nameserver[0] : 192.168.3.3
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
order : 101800

resolver #3
domain : local
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300000

resolver #4
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300200

resolver #5
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300400

resolver #6
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300600

resolver #7
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300800

resolver #8
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 301000

DNS configuration (for scoped queries)

resolver #1
nameserver[0] : fe80::a8:9e77:a710:8d1e%en0
nameserver[1] : 172.20.10.1
if_index : 6 (en0)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
search domain[0] : lan.home
nameserver[0] : 192.168.3.3
if_index : 18 (utun10)
flags : Scoped, Request A records
reach : 0x00000002 (Reachable)

Scenario 2

~# scutil --dns
DNS configuration

resolver #1
search domain[0] : lan.home
nameserver[0] : 192.168.3.3
flags : Request A records
reach : 0x00000002 (Reachable)

resolver #2
domain : lan.home
nameserver[0] : 192.168.3.3
flags : Supplemental, Request A records
reach : 0x00000002 (Reachable)
order : 100800

resolver #3
domain : local
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300000

resolver #4
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300200

resolver #5
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300400

resolver #6
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300600

resolver #7
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300800

resolver #8
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 301000

DNS configuration (for scoped queries)

resolver #1
search domain[0] : lan.home
nameserver[0] : 192.168.3.3
if_index : 18 (utun10)
flags : Scoped, Request A records
reach : 0x00000002 (Reachable)

resolver #2
nameserver[0] : fe80::a8:9e77:a710:8d1e%en0
nameserver[1] : 172.20.10.1
if_index : 6 (en0)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)

It seems that I can prioritize the DNS server by Viscosity.
But how is it possible to prioritize DNS servers on the VPN-server side so that the DNS server delivered via DHCP gets the highest priority?
Because even if I can manually control the prioritization for the macOS clients via Viscosity, as far as I know I can’t do it on the iOS devices.
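To make the priority question concrete, here is a small Python script, added as an example and not taken from the thread, that parses the scutil --dns listings above and reports which nameserver macOS asks for a given name. The two samples are trimmed copies of the Scenario 1 and Scenario 2 output; the selection rule it implements (longest matching domain wins, the resolver without a domain is the default, lower order wins ties) is my reading of the macOS resolver behaviour, not something stated in the thread.

```python
"""Parse `scutil --dns` output and report which nameserver macOS asks for an unscoped
query: longest matching `domain` wins, no domain = default, lower `order` wins ties."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SCOPED_HEADER = "DNS configuration (for scoped queries)"

@dataclass
class Resolver:
    index: int
    domain: Optional[str] = None      # only supplemental/mdns resolvers carry one
    nameservers: List[str] = field(default_factory=list)
    order: int = 0                    # lower value = tried first

def parse_scutil_dns(text: str) -> List[Resolver]:
    """Return the unscoped resolvers (everything before the scoped section)."""
    resolvers: List[Resolver] = []
    cur = None
    for raw in text.split(SCOPED_HEADER)[0].splitlines():
        line = raw.strip()
        m = re.match(r"resolver #(\d+)", line)
        if m:
            cur = Resolver(index=int(m.group(1)))
            resolvers.append(cur)
            continue
        if cur is None or " : " not in line:
            continue
        key, _, val = line.partition(" : ")   # IPv6 values contain ':' themselves
        key, val = key.strip(), val.strip()
        if key == "domain":
            cur.domain = val.rstrip(".").lower()
        elif key.startswith("nameserver"):
            cur.nameservers.append(val)
        elif key == "order":
            cur.order = int(val)
    return resolvers

def resolver_for(name: str, resolvers: List[Resolver]) -> Optional[Resolver]:
    """Pick the resolver macOS uses for an unscoped lookup of `name`."""
    name = name.rstrip(".").lower()
    best, best_key = None, None
    for r in resolvers:
        if r.domain is None:
            match = 0                 # default resolver matches every name
        elif name == r.domain or name.endswith("." + r.domain):
            match = len(r.domain)
        else:
            continue
        key = (match, -r.order)       # longest domain first, then lowest order
        if best_key is None or key > best_key:
            best, best_key = r, key
    return best

def nameservers_for(name: str, scutil_output: str) -> List[str]:
    r = resolver_for(name, parse_scutil_dns(scutil_output))
    return list(r.nameservers) if r else []

# Constructed sample, trimmed from the Scenario 1 listing above (Split DNS mode).
SPLIT_DNS = """DNS configuration
resolver #1
  search domain[0] : lan.home
  nameserver[0] : fe80::a8:9e77:a710:8d1e%en0
  nameserver[1] : 172.20.10.1
resolver #2
  domain : lan.home
  nameserver[0] : 192.168.3.3
  order : 101800
"""

# Constructed sample, trimmed from the Scenario 2 listing above (Full DNS mode).
FULL_DNS = """DNS configuration
resolver #1
  nameserver[0] : 192.168.3.3
resolver #2
  domain : lan.home
  nameserver[0] : 192.168.3.3
  order : 100800
"""
```

With the Split DNS listing only names under lan.home reach the Pihole, everything else goes to the hotspot's resolver; with the Full DNS listing every name does.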

I added the following lines to my NS /etc/openvpn/host-to-net.conf

push "block-outside-dns"
push "register-dns"

Restart OpenVPN service to test temp changes to see if they work

/usr/bin/systemctl restart openvpn@host-to-net

After the modifications and restarting the Road Warrior service my Windows 10 VPN users are blocking outside DNS without it being added in the client side config file.

I’ve also deployed the same VPN setup on a PoP_OS VM and I can confirm custom DNS entries & lookups are working. As of now the block-outside-dns command has to be added manually (no box to check within Cockpit to add this; possible feature request) to the host-to-net template for permanent retention. This may not be as useful as I would hope it to be, from what I am reading OpenVPN introduced the block-outside-dns function to prevent Windows 10 DNS leaks. Sparklabs has a support post that makes me think you are going to have to manually set your Viscosity client DNS to Full Mode while using split tunnel VPNs.

EDIT - Need more testing; didn’t add Pi-Hole to my setup.

Yes, I read it too and changed my settings. But the server config is still not used, I had to configure Viscosity manually, even if I deactivate “ignore VPN-Server settings”.

Thank you for your hint with host-to-net.conf. I will try it.

Typical FYI if you want the changes to be permanent you’d have to copy & expand the custom host-to-net template. I’m very new to this concept and would reach out to @Andy_Wismer if you get stuck on this last part.

1 Like

I don’t think I see any difference with your setup

Yours:
System >> DNS-Record: 2.2.2.2 (your preferred DNS-Server)

My setup:

System >> Dashboard >> DNS:192.168.3.1, 8.8.8.8
System >> DNS inside of DHCP-Server: 192.168.3.3 (pihole)


System >> DNS-Record: pihole.lan.home 192.168.3.3

within LAN:

with VPN with automatically configured Viscosity (surprising):

also surprising now:

What did I do / change??? To make the screenshot of my DHCP config, I saved the DHCP configuration again.
Should this resolve the problems?

But my OpenVPN client on the iPhone doesn’t use the Pihole (192.168.3.3).

I’m really confused…

have to copy & expand the custom host-to-net template

I have not yet dared to use the template concept due to a lack of skills.
In this respect, it would be good if someone else could take on this topic.

@Andy_Wismer uses both (VPN and Pihole) himself. But I do not know if he also makes the Pihole available to his VPN clients.

I tried it:

my OpenVPN-Client on my iPhone gets all provided configuration:

2021-02-13 17:34:48 Sending PUSH_REQUEST to server…

2021-02-13 17:34:49 OPTIONS:
0 [dhcp-option] [DOMAIN] [lan.home]
1 [dhcp-option] [DNS] [192.168.3.3]
2 [dhcp-option] [WINS] [10.99.10.1]
3 [dhcp-option] [NBDD] [10.99.10.1]
4 [dhcp-option] [NBT] [2]
5 [block-outside-dns]
6 [register-dns]
7 [route] [192.168.3.0] [255.255.255.0]
8 [route] [192.168.3.0] [255.255.255.0]
9 [route-gateway] [10.99.10.1]
10 [topology] [subnet]
11 [ping] [20]
12 [ping-restart] [120]
13 [ifconfig] [10.99.10.93] [255.255.255.0]
14 [peer-id] [0]
15 [cipher] [AES-256-GCM]
16 [block-ipv6]

But the iPhone did not use the Pihole as DNS server and uses one with an IPv6 address instead.

Is the duplicated push route suspicious?
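An added example, not from the thread, in Python: it parses the numbered OPTIONS lines from the OpenVPN Connect log above and lists what they mean for DNS, namely which server and domain were pushed, the route that appears twice, and which of the pushed options (block-outside-dns, block-ipv6, redirect-gateway) actually constrain a non-Windows client. The sample log is copied from the post above; the option semantics follow the OpenVPN manual (block-outside-dns is documented as Windows-only).

```python
"""Check an OpenVPN client's PUSH_REPLY (the numbered 'OPTIONS:' lines in the
OpenVPN Connect log) for the DNS-related settings discussed in this thread."""
import re
from collections import Counter

def parse_pushed_options(log_text):
    """Turn lines like '1 [dhcp-option] [DNS] [192.168.3.3]' into (name, args)."""
    options = []
    for line in log_text.splitlines():
        line = line.strip()
        if not re.match(r"^\d+\s+\[", line):      # skip timestamps and other log lines
            continue
        parts = re.findall(r"\[([^\]]*)\]", line)
        if parts:
            options.append((parts[0], tuple(parts[1:])))
    return options

def analyze_push(options):
    """Summarise what the server pushed, from a DNS point of view."""
    dhcp = [args for name, args in options if name == "dhcp-option" and args]
    routes = Counter(args for name, args in options if name == "route")
    pushed = {name for name, _ in options}
    return {
        "dns_servers": [a[1] for a in dhcp if a[0] == "DNS" and len(a) > 1],
        "dns_domains": [a[1] for a in dhcp if a[0] == "DOMAIN" and len(a) > 1],
        "duplicate_routes": sorted(r for r, n in routes.items() if n > 1),
        "block_outside_dns": "block-outside-dns" in pushed,
        "block_ipv6": "block-ipv6" in pushed,
        "redirect_gateway": "redirect-gateway" in pushed,
    }

def findings(report):
    """Plain-language notes a defender would want from the summary."""
    notes = []
    if not report["dns_servers"]:
        notes.append("no dhcp-option DNS pushed: clients keep their local resolver")
    if report["block_outside_dns"]:
        notes.append("block-outside-dns is pushed; it is a Windows-only option and "
                     "does nothing for macOS/iOS/Android clients")
    if not report["redirect_gateway"]:
        notes.append("split tunnel (no redirect-gateway): which resolver answers a "
                     "query is decided by the client OS, not by the server")
    if not report["block_ipv6"]:
        notes.append("block-ipv6 not pushed: IPv6 traffic, including to an IPv6 "
                     "resolver on the local network, is not blocked")
    for route in report["duplicate_routes"]:
        notes.append("route " + " ".join(route) + " is pushed more than once")
    return notes

# Constructed sample, copied from the iPhone OpenVPN Connect log above.
IPHONE_PUSH = """2021-02-13 17:34:48 Sending PUSH_REQUEST to server...
2021-02-13 17:34:49 OPTIONS:
0 [dhcp-option] [DOMAIN] [lan.home]
1 [dhcp-option] [DNS] [192.168.3.3]
2 [dhcp-option] [WINS] [10.99.10.1]
3 [dhcp-option] [NBDD] [10.99.10.1]
4 [dhcp-option] [NBT] [2]
5 [block-outside-dns]
6 [register-dns]
7 [route] [192.168.3.0] [255.255.255.0]
8 [route] [192.168.3.0] [255.255.255.0]
9 [route-gateway] [10.99.10.1]
10 [topology] [subnet]
11 [ping] [20]
12 [ping-restart] [120]
13 [ifconfig] [10.99.10.93] [255.255.255.0]
14 [peer-id] [0]
15 [cipher] [AES-256-GCM]
16 [block-ipv6]
"""
```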

added some information above.

Andy gave us the answer here as a quick how to.

Step 1 - Create directory for host-to-net.conf template

mkdir -p /etc/e-smith/templates-custom/etc/openvpn/host-to-net.conf/

Step 2 - Copy template files to new directory

cp -r /etc/e-smith/templates/etc/openvpn/host-to-net.conf/* /etc/e-smith/templates-custom/etc/openvpn/host-to-net.conf/

Step 3 - Add desired configuration to file within new custom-templates directory

nano /etc/e-smith/templates-custom/etc/openvpn/host-to-net.conf/customDNSsettings
push "block-outside-dns"
push "register-dns"
#Royce was here

Save your edited file. NOTE the name is arbitrarily set (the CustomDNSsettings name can be labeled whatever you want).

Step 4 - Expand the template to include the custom settings into Road Warrior VPN

expand-template /etc/openvpn/host-to-net.conf

Step 5 - Restart Road Warrior service

systemctl restart openvpn@host-to-net

On a side note I did some testing with my Android phone & PoP_OS VM with Pi-Hole as the DNS server. I found that even though I was connected to the VPN when I used utilities like dig & nslookup I would have my primary DNS (or whatever the app has hard coded) respond with an authoritative answer but when I pinged the address the Pi-Hole was used for resolution on my split tunnel VPN. As a test in Pi-Hole I created a custom DNS entry for google.com as an A record of 10.65.65.254. This makes me think that the DNS to the Pi-Hole may be working as intended but I cannot 100% validate it. See picture for results:

NS LAN - 10.22.0.1/24 acting as a gateway/router with RED interface of 10.0.99.125.
Pi-Hole - 10.22.0.3
OpenVPN Network - 10.22.22.0/24

OpenVPN RoadWarrior Config

dev tunrw
server 10.22.22.0 255.255.255.0
ifconfig-pool-persist host-to-net.pool 0

UDP server

port 1194
proto udp
topology subnet

client-connect /usr/libexec/nethserver/openvpn-connect
client-disconnect /usr/libexec/nethserver/openvpn-disconnect
script-security 3
float
multihome
dh /var/lib/nethserver/certs/dh1024.pem
ca /etc/pki/tls/certs/NSRV.crt
cert /etc/pki/tls/certs/NSRV.crt
key /etc/pki/tls/private/NSRV.key
crl-verify /var/lib/nethserver/certs/crl.pem
client-to-client
push "dhcp-option DOMAIN nethsa.ga"
push "dhcp-option DNS 10.22.0.3"
push "dhcp-option WINS 10.22.22.1"
push "dhcp-option NBDD 10.22.22.1"
push "dhcp-option NBT 2"
push "route 10.22.0.0 255.255.255.0"

Authentication: certificate

status /var/log/openvpn/host-to-net-status.log
log-append /var/log/openvpn/openvpn.log

passtos
keepalive 20 120
client-config-dir ccd
persist-key
persist-tun
management /var/spool/openvpn/host-to-net unix
verb 3
push "block-outside-dns"
push "register-dns"

EDIT - further testing this on my Android OpenVPN connection I blacklisted Facebook.com with Wildcard and when connected to the VPN Facebook.com is unreachable on my android mobile device. Maybe the apps we are using for the nslookup/dig are just feeding us bad information and the VPN/DNS settings are working as expected?

Hi

I’d think the above is true.
As the App designer can never be sure you have DNS working, they probably use a hard coded DNS like Google.
Better coding would be to test for a local DNS, if yes use it, if no report a message and use google or whatever!

My 2 cents
Andy

Hi @royceb
I did it, thank you for your guidance.

I found that even though I was connected to the VPN when I used utilities like dig & nslookup I would have my primary DNS (or whatever the app has hard coded) respond with an authoritative answer

…perhaps that is what happened on my iPhone and confused me.

Some test cases with blocked facebook.com, facebook.net, facebook.de.
Between each try I cleared the DNS cache.

Case 1: MacBook connected via (W)LAN / no VPN:

scutil --dns
DNS configuration
resolver #1
  search domain[0] : lan.home
  nameserver[0] : 192.168.3.3
marko@MacBook-Pro-16 ~ dig facebook.com

; <<>> DiG 9.10.6 <<>> facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18056
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;facebook.com. IN A

;; ANSWER SECTION:
facebook.com. 2 IN A 0.0.0.0

;; Query time: 42 msec
;; SERVER: 192.168.3.3#53(192.168.3.3)
;; WHEN: Sun Feb 14 11:19:27 CET 2021
;; MSG SIZE rcvd: 46

Case 2: MacBook connected via (W)LAN / + VPN:

scutil --dns
DNS configuration
resolver #1
  search domain[0] : lan.home
  nameserver[0] : 192.168.3.3
marko@MacBook-Pro16-VPN ~ dig facebook.com

; <<>> DiG 9.10.6 <<>> facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40250
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;facebook.com. IN A

;; ANSWER SECTION:
facebook.com. 2 IN A 0.0.0.0

;; Query time: 38 msec
;; SERVER: 192.168.3.3#53(192.168.3.3)
;; WHEN: Sun Feb 14 11:23:02 CET 2021
;; MSG SIZE rcvd: 46

Case 3: MacBook connected via personal hotspot of an iPhone (no VPN on iPhone) / no VPN on MacBook Pro:

marko@MacBook-Pro-16 ~ scutil --dns
DNS configuration

resolver #1
nameserver[0] : fe80::c02:e61:9135:4a12%en0
nameserver[1] : 172.20.10.1

marko@MacBook-Pro-16 ~ dig facebook.com

; <<>> DiG 9.10.6 <<>> facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42291
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;facebook.com. IN A

;; ANSWER SECTION:
facebook.com. 112 IN A 69.171.250.35

;; Query time: 54 msec
;; SERVER: 172.20.10.1#53(172.20.10.1)
;; WHEN: Sun Feb 14 11:28:12 CET 2021
;; MSG SIZE rcvd: 57

Case 4: MacBook connected via personal hotspot of an iPhone (VPN on iPhone) / no VPN on MacBook Pro:

marko@MacBook-Pro-16 ~ scutil --dns
DNS configuration

resolver #1
nameserver[0] : fe80::c02:e61:9135:4a12%en0
nameserver[1] : 172.20.10.1

marko@MacBook-Pro-16 ~ dig facebook.com

; <<>> DiG 9.10.6 <<>> facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34097
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;facebook.com. IN A

;; ANSWER SECTION:
facebook.com. 264 IN A 69.171.250.35

;; Query time: 52 msec
;; SERVER: 172.20.10.1#53(172.20.10.1)
;; WHEN: Sun Feb 14 11:31:10 CET 2021
;; MSG SIZE rcvd: 57

marko@MacBook-Pro-16 ~ ping facebook.com
PING facebook.com (69.171.250.35): 56 data bytes
64 bytes from 69.171.250.35: icmp_seq=0 ttl=50 time=55.917 ms
64 bytes from 69.171.250.35: icmp_seq=1 ttl=50 time=39.596 ms

Case 5: iPhone with OpenVPN on iPhone
(Clearing DNS-Cache via Airplane Mode)

OpenVPN-Log:

2021-02-14 11:37:58 OPTIONS:
0 [dhcp-option] [DOMAIN] [lan.home]
1 [dhcp-option] [DNS] [192.168.3.3]
2 [dhcp-option] [WINS] [10.99.10.1]
3 [dhcp-option] [NBDD] [10.99.10.1]
4 [dhcp-option] [NBT] [2]
5 [route] [192.168.3.0] [255.255.255.0]
6 [route] [192.168.3.0] [255.255.255.0]
7 [block-outside-dns]
8 [register-dns]

iSH-Shell:

iPhone11Pro:~# ping facebook.de

PING facebook.de (2a03:2880:f0ff:e:face:b00c:0:2) 56 data bytes
64 bytes from 2a03:2880:f0ff:e:face:b00c:0:2: seq=0 ttl=-1 time=30.997 ms
64 bytes from 2a03:2880:f0ff:e:face:b00c:0:2: seq=1 ttl=-1 time=31.749 ms
64 bytes from 2a03:2880:f0ff:e:face:b00c:0:2: seq=2 ttl=-1 time=30.302 ms
64 bytes from 2a03:2880:f0ff:e:face:b00c:0:2: seq=3 ttl=-1 time=30.495 ms
^C
facebook.de ping statistics
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 30.302/30.885/31.749 ms

iPhone11Pro:~# drill facebook.com
->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 61372
flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
QUESTION SECTION:
facebook.com. IN A

ANSWER SECTION:
facebook.com. 69 IN A 69.171.250.35

AUTHORITY SECTION:

ADDITIONAL SECTION:

Query time: 43 msec
SERVER: 10.74.210.211
WHEN: Sun Feb 14 10:41:52 2021
MSG SIZE rcvd: 46

I verified this behavior on a second iPhone with the same result after test case 6.

Case 6: iPad with OpenVPN on iPad
SENSATION

iPad-Pro:~# ping facebook.com
PING facebook.com (0.0.0.0): 56 data bytes
ping: sendto: Socket not connected
iPad-Pro:~# drill facebook.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 20708
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
facebook.com. IN A

;; ANSWER SECTION:
facebook.com. 2 IN A 0.0.0.0

;; AUTHORITY SECTION:

ADDITIONAL SECTION:

Query time: 19 msec
SERVER: 192.168.3.3
WHEN: Sun Feb 14 10:49:50 2021
MSG SIZE rcvd: 46
iPad-Pro:~#

ping and drill against the Pihole are also successful.

Summary

  • VPN from my MacBook works as expected
  • VPN from different iPhones fails
  • VPN from iPad works as expected

… I’m still confused.

Probably I can find an answer on Google.
@royceb: Thank you for your attention.