A simple fix for resolving internal hostnames served by an IPFire firewall's DNS while the PIA VPN client is running.
PIA's client installs iptables rules that reject every DNS request not addressed to PIA's own nameservers (chains listed with iptables -L -n):
$ iptables -L -n
Chain piavpn.310.blockDNS (1 references)
target prot opt source destination
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 reject-with icmp-port-unreachable
Chain piavpn.320.allowDNS (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 209.222.18.222 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 209.222.18.222 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 209.222.18.218 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 209.222.18.218 tcp dpt:53
Insert the following iptables rules into the allowDNS chain so that your own DNS server (10.10.10.1 in this example; use the address of your IPFire) is accepted on port 53 for both UDP and TCP:
sudo iptables -I piavpn.320.allowDNS -d 10.10.10.1/32 -p udp -m udp --dport 53 -j ACCEPT
sudo iptables -I piavpn.320.allowDNS -d 10.10.10.1/32 -p tcp -m tcp --dport 53 -j ACCEPT
IMPORTANT: these queries now leave the machine outside the VPN tunnel, so to prevent DNS leaks you must make sure your own DNS server forwards its queries to the PIA VPN nameservers (209.222.18.222 and 209.222.18.218 in the allowDNS chain above), e.g. in IPFire's DNS configuration.
Visit https://ipleak.net/ to double-check which resolvers your queries actually reach.
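The same two rules as a small POSIX sh script, added here as an example (not part of the original page or of PIA's or IPFire's own tooling). Rules inserted by hand do not survive a reboot, and the PIA client manages these chains itself, so the script uses iptables -C to check for an identical rule before inserting, which makes it safe to re-run after every reconnect; it also validates the resolver address so nothing unexpected is word-split into the rule, and can query the resolver afterwards with dig to confirm the path is open. The chain name piavpn.320.allowDNS is taken from the listing above; the IPTABLES and CHAIN variables are my own knobs and can be overridden from the environment.

```shell
#!/bin/sh
# Added example: idempotent version of the two "iptables -I" commands above.
# Assumptions (mine, not the original page's): the chain is piavpn.320.allowDNS
# as in the iptables -L output, the resolver address is given on the command
# line, and IPTABLES/CHAIN may be overridden via the environment.
set -eu

CHAIN="${CHAIN:-piavpn.320.allowDNS}"
IPTABLES="${IPTABLES:-iptables}"

# is_ipv4 ADDR: true if ADDR is exactly four dotted-decimal octets in 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.
    set -- $1
    IFS="$old_ifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# dns_rule_spec PROTO DST: the rule specification (without the chain) for one protocol.
dns_rule_spec() {
    printf '%s\n' "-d $2/32 -p $1 -m $1 --dport 53 -j ACCEPT"
}

# dns_commands DST: the exact commands that "apply" would run, for review first.
dns_commands() {
    for proto in udp tcp; do
        printf '%s\n' "$IPTABLES -I $CHAIN $(dns_rule_spec "$proto" "$1")"
    done
}

# ensure_dns_rule PROTO DST: insert the rule only if an identical one is not
# already present in the chain (iptables -C), so re-running never duplicates it.
ensure_dns_rule() {
    spec=$(dns_rule_spec "$1" "$2")
    # $spec is intentionally unquoted so it is split into iptables arguments.
    if "$IPTABLES" -C "$CHAIN" $spec 2>/dev/null; then
        echo "already present: $1/53 -> $2"
    else
        "$IPTABLES" -I "$CHAIN" $spec
        echo "inserted: $1/53 -> $2"
    fi
}

# allow_internal_dns DST: validate the address, then add the UDP and TCP rules.
allow_internal_dns() {
    is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
    ensure_dns_rule udp "$1"
    ensure_dns_rule tcp "$1"
}

# verify_resolver DST NAME: ask the internal resolver directly (needs dig).
# An empty or failed answer means port 53 to DST is still being rejected.
verify_resolver() {
    answer=$(dig +short +time=2 +tries=1 "@$1" "$2") || return 1
    [ -n "$answer" ] && printf '%s\n' "$answer"
}

usage="usage: $0 show|apply <resolver-ip> | check <resolver-ip> <hostname>"
case "${1:-}" in
    show)  dns_commands "${2:?$usage}" ;;
    apply) allow_internal_dns "${2:?$usage}" ;;
    check) verify_resolver "${2:?$usage}" "${3:?$usage}" ;;
esac
```

Run "./allow-dns.sh show 10.10.10.1" to print the commands, "sudo ./allow-dns.sh apply 10.10.10.1" to insert them (a second run reports "already present"), and "./allow-dns.sh check 10.10.10.1 some-internal-host" to confirm the resolver answers through the new rules.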
Testing
Test that name resolution works again with these rules in place, for example by pulling a Docker image (the registry lookups now go through your own DNS server):
$ docker-tags library/busybox
$ docker run -it --rm --name my-busybox busybox:1.31.0 /bin/sh
Unable to find image 'busybox:1.31.0' locally
1.31.0: Pulling from library/busybox
Digest: sha256:c888d69b73b5b444c2b0bd70da28c3da102b0aeb327f3a297626e2558def327f
Status: Downloaded newer image for busybox:1.31.0
/ #