DietPi + AdGuard Home + Unbound, how to place this behind VPN at router level

Everything works as expected. I have a firewalla gold and have configured PIA (with OpenVPN) enabled so I can place clients behind this VPN at the router level. If I place the dietpi machine with unbound behind this VPN from my router's settings, will unbound still work as a recursive resolver but send its requests to the root name servers from my VPN IP? When I try it out, nothing resolves unless I toggle off “Force DNS over VPN” in the router VPN settings. But now I only see the VPN’s DNS provider when I go to DNS leak test, is this the expected behavior? I’m not sure how, I just want to verify that my request would go to the dietpi, adguard filter, unbound cache, then to the VPN for the root server request?

Welcome to our community.

Basically you need to ensure that your network clients use AGH as DNS server. Usually this is done via DHCP settings. This way you should see DNS requests arriving at AGH.

AGH will forward all requests to Unbound and Unbound will ask the global DNS root servers. Usually traffic will go via the assigned gateway. I guess this should be the firewalla gold device.

I’m not 100% sure if and how firewalla would need to be configured to allow DNS requests to pass.

So with everything set up (AGH/Unb) I can point a few different networks to my pi machine as the Primary DNS Server and it all works - DNS requests resolve, DNS Leak Test shows my own IP as the DNS server and only finds the 1. I set it up following this and actually the comment below is me sharing my setup:

In the firewalla app, it directly supports VPN at the router level and I can choose which devices connect through that VPN. So when I apply the VPN connection to the pi machine, no DNS on the network will resolve with the default setting of “Force DNS over VPN” on. I have to toggle off “Force DNS over VPN”, then I can get DNS to resolve over the whole network. DNS Leak test shows my normal IP, but then shows the VPN IP as the DNS server.

I think that this means unbound is communicating to the DNS root servers via the VPN connection, and still acting as a recursive DNS resolver, but I am not sure. I don’t want all of my DNS lookups just going to the VPN DNS server, I still want unbound to act as its own recursive resolver and communicate with the root servers directly - just do that through the VPN connection. I hope I am explaining my question more clearly.

You need to look from your network clients' point of view. The network clients will always use the DNS server assigned via DHCP. For the network client it doesn’t matter how the DNS server (in your case AGH) is managing the DNS request. If your network clients have AGH assigned as DNS server, they will use AGH. And AGH is configured to use Unbound. Means AGH will forward requests to Unbound.

I think I understand everything you are saying. And I do have it set up that way which is the standard way.

When I look online for posts like “how to see if Unbound is working”, usually people point to a DNS leak test and check to see if my own IP is listed as the DNS server. This works fine, but when I have a VPN applied to that machine, this way of checking if unbound is working does not really work, since it just shows the DNS server the VPN uses. Is there another way to check if unbound is working recursively and communicating with the root servers through the VPN, or if it’s just forwarding DNS requests to the VPN?
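Since the thread never settles how to tell whether Unbound recurses itself through the VPN or just hands lookups to another resolver, here is a check script to run on the DietPi box. It is an added example, not from the thread or the DietPi project; it assumes Unbound on 127.0.0.1:5335 with its config under /etc/unbound/unbound.conf.d/ and dig installed, and uses the public diagnostic names whoami.akamai.net and myip.opendns.com, which answer with the address the authoritative side saw the query come from.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: Unbound listens on
# 127.0.0.1:5335 (the usual AdGuard Home + Unbound layout), its config lives
# under /etc/unbound/unbound.conf.d/, and dig (dnsutils) is installed.
UNBOUND_ADDR=${UNBOUND_ADDR:-127.0.0.1}
UNBOUND_PORT=${UNBOUND_PORT:-5335}
UNBOUND_CONF_DIR=${UNBOUND_CONF_DIR:-/etc/unbound/unbound.conf.d}

# Print every active forward-addr in the config directory (commented-out lines
# are ignored). Any output means Unbound forwards for that zone instead of
# walking down from the root servers itself.
list_forward_addrs() {
  [ -d "$1" ] || return 0
  grep -h -E '^[[:space:]]*forward-addr:' "$1"/*.conf 2>/dev/null \
    | sed -E 's/^[[:space:]]*forward-addr:[[:space:]]*//; s/[[:space:]]*(#.*)?$//'
}

# "recursive" when no forward-addr is configured, "forwarding" otherwise.
unbound_mode() {
  if [ -z "$(list_forward_addrs "$1")" ]; then echo recursive; else echo forwarding; fi
}

# Ask Unbound for whoami.akamai.net; Akamai's authoritative servers answer with
# the address of whichever resolver contacted them. If Unbound recurses through
# the VPN, this is the VPN tunnel's public address, not the VPN's DNS server.
resolver_seen_by_authority() {
  dig @"$UNBOUND_ADDR" -p "$UNBOUND_PORT" +short A whoami.akamai.net | head -n 1
}

# This box's own egress address, as OpenDNS sees the query arrive.
egress_addr() {
  dig @resolver1.opendns.com +short A myip.opendns.com | head -n 1
}

# Equal addresses mean this box did the recursion (via the VPN when the box is
# routed through it); different addresses mean another resolver answered upstream.
main() {
  mode=$(unbound_mode "$UNBOUND_CONF_DIR")
  seen=$(resolver_seen_by_authority)
  egress=$(egress_addr)
  echo "config mode: $mode"
  echo "resolver seen by Akamai: $seen"
  echo "this box's egress address: $egress"
  if [ "$mode" = recursive ] && [ -n "$seen" ] && [ "$seen" = "$egress" ]; then
    echo "RESULT: Unbound is recursing from this box"
  else
    echo "RESULT: lookups leave via another resolver (check forward-addr and router DNS forcing)"
  fi
}
# Only touch the network when asked explicitly: sh unbound-check.sh run
if [ "${1:-}" = run ]; then main; fi
```

Run it twice, once with the pi outside the VPN and once inside: the egress address should change to the VPN address while the RESULT line stays "recursing from this box".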

Just switching things on your Firewalla will not change the way your network clients resolve DNS requests. As well, it will not change the way AGH communicates with Unbound. This all stays untouched. Means it’s all working the same way. Probably this is a behaviour of your Firewalla device.