- Aug 16, 2021
I've been using a Pi-hole for years, love it and couldn't be without it! But only recently added "unbound", a secure DNSSEC recursive server, onto my Pi... Just wanted to share something I have done that forces ANY device or user that tries to use a common public DNS server IP through my Pi-hole/unbound. Just because your DHCP server will give out the Pi-hole as its DNS server does not mean all devices will actually honour that and use the Pi-hole for DNS; also, anyone can manually change their DNS to bypass it.... The below may help if you want to stop this.
(Some mobile devices, and especially Google Chromecast & Mini devices for example, are hardcoded to use 18.104.22.168/22.214.171.124.) You will likely NOT see anything from these devices in your Pi-hole; there are other devices out there which no doubt do the same (Huawei etc.).
Now, this is how I have my DNS configured to ensure that there are not and cannot be any DNS leaks, and additionally that anyone on my network, even if they try to set a common public DNS server, cannot bypass the Pi-hole. (They could if it's an obscure or public DNS... or they could just dial a VPN!)
Firstly, set up unbound on your Pi in recursive mode... this way YOU are your own recursive DNS server; you no longer need ANY public DNS servers.
unbound - Pi-hole documentation
Next step (you will need a router that can support static routes; most do!):
Gather a list of all the public DNS servers you can find... 126.96.36.199/188.8.131.52/184.108.40.206/220.127.116.11 etc. etc. There are a LOT, but just get the most common/popular ones and create static routes for each:
route 18.104.22.168/32 to next hop 192.168.x.x (with this being your Pi-hole IP)
route 22.214.171.124/32 to next hop 192.168.x.x (with this being your Pi-hole IP)
Do this for ALL the common public DNS providers you can. Yes, it's a bit of work, but once done you have less chance of any device leaking through a hard-coded public DNS server, and it also stops users on the network bypassing your Pi-hole.
E.g. if someone wanted to bypass the restrictions in your ad/blocklists (for example they wanted to get on a porn site and you had the porn blocks in place), they could easily just manually change their DNS server to a public one... (or they could of course just dial a VPN!)
With the static routes in place at your router level, no matter if they set their device to use 126.96.36.199, their DNS traffic would still get routed through the Pi-hole.
Another, better option (no need for all the routes), but depending on your router/skill level, is to use DNAT to direct ALL UDP 53 to the specific IP of your Pi-hole/unbound server.
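The two approaches above (per-resolver static routes, and DNAT of all port-53 traffic) as an added example script, not part of the original post: it generates the router-side commands for both, plus the Pi-hole-side REDIRECT rule that the static-route approach needs, since the routed packets arrive at the Pi-hole still addressed to the public resolver. PIHOLE_IP and LAN_IF are placeholders, the resolver list is a constructed sample, and the emitted commands assume Linux ip/iptables syntax (translate for your router's own CLI).

```shell
#!/bin/sh
# Added example, not from the original post. Generates the router-side (and
# Pi-hole-side) commands for the two approaches described above.
# Placeholders: PIHOLE_IP (your Pi-hole/unbound address) and LAN_IF (router
# LAN interface). PUBLIC_DNS is a constructed sample list; extend it.
PIHOLE_IP="${PIHOLE_IP:-192.168.1.2}"
LAN_IF="${LAN_IF:-br0}"
PUBLIC_DNS="8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 9.9.9.9 149.112.112.112 208.67.222.222 208.67.220.220"

# Option 1: one /32 static route per public resolver, next hop = Pi-hole.
# Emitted as Linux "ip route" commands; translate to your router's CLI.
static_routes() {
  for ip in $PUBLIC_DNS; do
    printf 'ip route add %s/32 via %s\n' "$ip" "$PIHOLE_IP"
  done
}

# Option 1, Pi-hole side: the routed packets are still addressed to the
# public resolver IP, so the Pi-hole must redirect them to its own port 53
# (assumes the Pi-hole runs Linux with iptables). PREROUTING does not touch
# unbound's own locally generated upstream queries, so recursion still works.
pihole_redirect_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53
EOF
}

# Option 2: DNAT every DNS packet (UDP and TCP 53) entering the LAN interface
# to the Pi-hole. The Pi-hole itself is excluded: otherwise unbound's queries
# to the root/authoritative servers would be looped back to itself.
router_dnat_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF ! -s $PIHOLE_IP -p udp --dport 53 -j DNAT --to-destination $PIHOLE_IP:53
iptables -t nat -A PREROUTING -i $LAN_IF ! -s $PIHOLE_IP -p tcp --dport 53 -j DNAT --to-destination $PIHOLE_IP:53
EOF
}

# Number of static routes option 1 needs (one per resolver in the list).
route_count() {
  static_routes | wc -l | tr -d ' '
}

# Print everything for review; pipe the chosen section into sh on the device.
echo "# --- Option 1: router static routes ---"; static_routes
echo "# --- Option 1: Pi-hole REDIRECT rules ---"; pihole_redirect_rules
echo "# --- Option 2: router DNAT rules ---"; router_dnat_rules
```

Devices that use DNS over TLS (853) or DNS over HTTPS (443) are not caught by either approach, which is why the post's remark about VPNs applies to them too.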