Thank you for that. I have closed inbound ports (removed NAT rules).
Even when I follow the article fully, the dig request @127.0.0.1 on port 5353 as per the configurations fails.
I can get a Let's Encrypt certificate for dns.domainiown.com if need be. Pi-Hole has a web server built in anyway.
My final implementation needs to have a private DNS name, as described here (Android Developers Blog: DNS over TLS support in Android P Developer Preview), working on an Android phone.
Could you kindly guide me on that?
I have set up Pi-Hole and PiVPN and they work seamlessly. So when I am on the VPN I see DNS requests to Pi-Hole; however, even after disabling DNS requests to 8.8.8.8 (fallback to Google DNS is disabled as part of the OpenVPN application settings on the phone), I see DNS requests going to Google. Hence, to achieve my end result of not having DNS leakage, I will need to set this up.