psykiller 0 Posted ...

Hello, I would like to double-check that I'm using the correct DNS servers and using them the right way.

I have a Mikrotik router and am using a locally hosted PiHole in Docker with 2x DNS servers. For VPN / AirVPN I have WireGuard, where AirVPN DNS = 10.128.0.1 was defined for the Sweden profile.

So I temporarily had 10.128.0.1 as the main DNS, but it seems like this was giving me issues with clients OUT of the VPN (I have VPN whitelist clients). As I was setting up the connections it gave me strange issues with pages loading, locations...

So I've returned to the PiHole x.x.x.2 DNS and it seems to be loading pages much better. I also tried to add AirVPN DNS = 10.128.0.1 to PiHole's DNS servers, but it was behaving strangely.

Then today I found this post: https://airvpn.org/specs/

"Every VPN server runs its own DNS server that directly finds out information about root servers, top level domains and authoritative name servers."

So now I'm NOT using AirVPN DNS = 10.128.0.1 in any setup and it seems better so far.

Does this mean that AirVPN DNS is not universal/open for each client, but somehow bound to the VPN connection only? Or was there some other issue with cached DNS or whatever...?

----

Setting all VPN values right in Mikrotik is challenging, so I just want to be sure what to do.

Thanks!

OpenSourcerer 1467 Posted ...

On 1/17/2025 at 12:57 PM, psykiller said:
Does this mean that AirVPN DNS is not universal/open for each client, but somehow bound to the VPN connection only?

To reach 10.128.0.1 (or rather AirDNS in general) you will need an active VPN connection, yes.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.
LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!
Want to contact me directly? All relevant methods are on my About me page.

psykiller 0 Posted ...

Thanks for the confirmation. So I have these 2 options:

1. Use AirVPN DNS (10.128.0.1) for active VPN connections only.
   For all the remaining clients, I need to use NON-AirVPN DNS servers.
   Not yet sure how to set it up at the router level (need to learn about it...)

2. Currently I'm using NON-AirVPN DNS servers via PiHole for all clients (VPN / non-VPN).
   Would this be a reason for possible issues for clients on the VPN with loading pages, slowness of IP/name translation etc...?

---

With another VPN provider I've used before, I could use their servers for all clients...

psykiller 0 Posted ...

After a few weeks of testing and setting it up, I was able to set up rules on the Mikrotik router so that:

- VPN-connected clients use -> AirVPN DNS = 10.128.0.1
- non-VPN-connected clients use -> PiHole DNS

1. Is there a way I can use my own hosted DNS - PiHole - to route all traffic, even the AirVPN?
2. Or in other words, do I have to use AirVPN DNS = 10.128.0.1 for VPN-connected clients? Or can I use any I like via PiHole - e.g. 8.8.8.8?

Thanks

OpenSourcerer 1467 Posted ...

13 hours ago, psykiller said:
1. Is there a way I can use my own hosted DNS - PiHole - to route all traffic, even the AirVPN?

DNS has nothing to do with traffic. If you want to route DNS via AirVPN (or even use AirDNS), connect to AirVPN on the PiHole machine and set the upstream DNS servers to AirDNS.

psykiller 0 Posted ...

Well, how I understood it:

- VPN-connected clients need to use AirVPN DNS = 10.128.0.1
- non-VPN-connected clients will not be able to use AirVPN DNS = 10.128.0.1, therefore any other like 8.8.8.8

---

Of course I can set up PiHole DNS x.x.x.2 as the only DNS on the router, so it will force it for all clients.
Then on PiHole, set it to use AirVPN DNS = 10.128.0.1 + some other in case of failure.
But in this scenario non-VPN-connected clients won't be able to access AirVPN DNS = 10.128.0.1

----

Or does it not matter, and AirVPN DNS = 10.128.0.1 will work for all clients, non-VPN & VPN-connected?

OpenSourcerer 1467 Posted ...

On 2/10/2025 at 9:01 PM, psykiller said:
But in this scenario non-VPN-connected clients won't be able to access AirVPN DNS = 10.128.0.1

Only if PiHole is connected to the VPN will upstream 10.128.0.1 work. Otherwise, all DNS requests will always be routed via the other upstream servers regardless of the VPN connection of clients in the network still using PiHole as their DNS server.

On 2/10/2025 at 9:01 PM, psykiller said:
Or does it not matter, and AirVPN DNS = 10.128.0.1 will work for all clients, non-VPN & VPN-connected?

The connection status of the clients in the network doesn't matter. 10.128.0.1 is only reachable for VPN-connected clients. If PiHole connects to the AirVPN server, all clients in the network will be able to use 10.128.0.1 as their DNS server through PiHole.

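Added example, not part of the thread and not code from any poster: a check, run on the Pi-hole host, of whether each configured upstream actually answers. It shows whether 10.128.0.1 is reachable (the host is on the VPN) or whether every query is going to the other upstream instead. The probe name `example.com`, the function names and the 2-second timeout are assumptions; the two addresses are the ones discussed above.

```python
import secrets
import socket
import struct
import time


def build_query(name, txid):
    """Build a minimal DNS query: one A/IN question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def probe(server, port=53, name="example.com", timeout=2.0):
    """Return the round-trip time in seconds if `server` answers, else None."""
    txid = secrets.randbits(16)  # random transaction id for this probe
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.monotonic()
        try:
            # connect() makes the kernel drop replies from any other address
            s.connect((server, port))
            s.send(build_query(name, txid))
            data = s.recv(512)
        except OSError:  # timeout, no route, or ICMP port unreachable
            return None
        elapsed = time.monotonic() - start
    if len(data) < 12:
        return None
    rid, flags = struct.unpack("!HH", data[:4])
    # Count it only if it is a response (QR bit) echoing our transaction id;
    # any response code counts, since the question is reachability.
    if rid != txid or not flags & 0x8000:
        return None
    return elapsed


def classify(upstreams, **kwargs):
    """Map each upstream address to 'answers' or 'unreachable'."""
    return {u: "answers" if probe(u, **kwargs) is not None else "unreachable"
            for u in upstreams}


if __name__ == "__main__":
    # Addresses from the thread: AirDNS (VPN-only) and the public fallback.
    for ip, state in classify(["10.128.0.1", "8.8.8.8"]).items():
        print(f"{ip:<12} {state}")
```

If 10.128.0.1 shows as unreachable while the second upstream answers, the Pi-hole host is not on the VPN and all client lookups are being resolved by the second upstream.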
psykiller 0 Posted ...

Hmm, maybe my network knowledge is not perfect.

1. I don't see the point of putting the local DNS "PiHole" on the VPN, as clients on the VPN are just slower vs normal non-VPN internet. Will it also affect DNS / name resolution speed?

2. Maybe it's even less secure to expose DNS to the internet.

3. Another option is to set it at the router level: keep non-VPN clients via PiHole and the remaining VPN clients via 10.128.0.1.
   This way I'm losing the stats and ad filtering from PiHole for the VPN.

4. What would happen if I set the following on PiHole:
   DNS1: AirVPN DNS = 10.128.0.1
   DNS2: 8.8.8.8

   4.1 A non-VPN client will try DNS1, it will not work, so it goes to DNS2?
   4.2 A VPN client will use DNS1 (as it is set as primary), optionally DNS2?
   4.3 Or will the above rule not work, as the PiHole DNS is not set on the router to use/connect to the VPN? (assumption based on your statement)
   4.4 Connecting the PiHole IP to the VPN will grant access for VPN and non-VPN clients to DNS1: AirVPN DNS = 10.128.0.1? (also an assumption based on your statement)

With the other VPN provider there was no such restriction, so I'm a bit surprised that it is "restricted" now and I need to create additional rules around it.

Anyway, thanks for your patience & assistance ;)

OpenSourcerer 1467 Posted ...

On 2/13/2025 at 7:28 PM, psykiller said:
1. I don't see the point of putting the local DNS "PiHole" on the VPN, as clients on the VPN are just slower vs normal non-VPN internet. Will it also affect DNS / name resolution speed?

Subject to individual testing, I'd say.

On 2/13/2025 at 7:28 PM, psykiller said:
4. What would happen if I set the following on PiHole:
DNS1: AirVPN DNS = 10.128.0.1
DNS2: 8.8.8.8

The FTL algorithm queries all servers and by doing so determines the quickest to respond, which will then be used for 1000 queries or 10 minutes barring exceptions (failures or timeouts). One could extrapolate from what it looks like in my network: fritz.box is the router using ISP DNS servers, 71% usage. But even Quad9 gets to resolve 18% of queries.

You might get something similar: Since Pi-Hole must be connected to the VPN, all queries will go through the VPN server where AirDNS will probably answer faster in 80% of cases, 20% Google Public DNS. By the way, it is recommended to replace Google Public DNS with Quad9 for example (you can enable it in DNS settings; its v4 is 9.9.9.9).

On 2/13/2025 at 7:28 PM, psykiller said:
With the other VPN provider there was no such restriction, so I'm a bit surprised that it is "restricted" now and I need to create additional rules around it.

That's because AirDNS is not a public DNS service. It's there for VPN clients, not for everyone to use.