PIA VPN DNS settings

Iptables DNS workaround for home network

A simple fix so that internal hostnames served by an Ipfire firewall still resolve while connected to PIA.

PIA blocks DNS requests that are not sent to its own nameservers:

$ iptables -L -n

Chain piavpn.310.blockDNS (1 references)
target     prot opt source               destination         
REJECT     udp  --              udp dpt:53 reject-with icmp-port-unreachable
REJECT     tcp  --              tcp dpt:53 reject-with icmp-port-unreachable

Chain piavpn.320.allowDNS (1 references)
target     prot opt source               destination         
ACCEPT     udp  --         udp dpt:53
ACCEPT     tcp  --         tcp dpt:53
ACCEPT     udp  --         udp dpt:53
ACCEPT     tcp  --         tcp dpt:53

Insert the following iptables rules, with -d pointing at your own DNS server, so that it is allowed to handle DNS requests:

sudo iptables -I piavpn.320.allowDNS -d -p udp -m udp --dport 53 -j ACCEPT
sudo iptables -I piavpn.320.allowDNS -d -p tcp -m tcp --dport 53 -j ACCEPT

IMPORTANT: to prevent DNS leakage you need to ensure that your own DNS server uses the PIA VPN nameservers, e.g. in the case of Ipfire:


Ipfire DNS Settings

Visit: https://ipleak.net/ to double check.
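An idempotent version of the two iptables commands above, added here as an example (not from the original page): it refuses any resolver address that is not in a private range, so a public resolver cannot be allowed by mistake and reopen the leak, and it checks with iptables -C before inserting so the script can be re-run without stacking duplicate rules. The script name and the resolver address argument are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: allow one internal resolver
# through PIA's piavpn.320.allowDNS chain, idempotently.
# Assumptions: the chain name is as shown in the page's iptables -L output;
# the resolver address (e.g. the Ipfire LAN address) is passed as $1.

CHAIN="piavpn.320.allowDNS"

# Return 0 if $1 is a well-formed dotted-quad IPv4 address in an RFC 1918
# private range. Allowing a public resolver here would defeat the purpose
# of PIA's blockDNS chain, so anything else is rejected.
is_private_ipv4() {
    addr="$1"
    # Only digits and dots may appear (this also keeps glob characters out
    # of the unquoted split below).
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    case "$addr" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Insert the udp and tcp allow rules for the resolver, skipping any rule that
# is already present (iptables -C exits 0 when a matching rule exists), so
# repeated runs do not add duplicates. Needs root, like the page's commands.
add_dns_allow() {
    dns="$1"
    is_private_ipv4 "$dns" || { echo "refusing non-private resolver: $dns" >&2; return 1; }
    for proto in udp tcp; do
        if ! iptables -C "$CHAIN" -d "$dns" -p "$proto" -m "$proto" --dport 53 -j ACCEPT 2>/dev/null; then
            iptables -I "$CHAIN" -d "$dns" -p "$proto" -m "$proto" --dport 53 -j ACCEPT
        fi
    done
}

# Usage (address is an example): sudo ./allow-local-dns.sh 192.168.1.1
if [ $# -eq 1 ]; then add_dns_allow "$1"; fi
```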


Test that you can download a docker image with these changes:

$ docker-tags library/busybox
$ docker run -it --rm --name my-busybox busybox:1.31.0 /bin/sh
Unable to find image 'busybox:1.31.0' locally
1.31.0: Pulling from library/busybox
Digest: sha256:c888d69b73b5b444c2b0bd70da28c3da102b0aeb327f3a297626e2558def327f
Status: Downloaded newer image for busybox:1.31.0
/ #