Any NextDNS users here?

I use ReThinkDNS for exactly this.

  • Set NextDNS as DoH in the DNS section, and make sure to add the device name at the end of the DoH address.
  • Then create a WireGuard config file from ProtonVPN
  • Set up the WireGuard proxy and run it in Advanced Mode
  • Select the apps you want using the proxy
  • In DNS settings select Never Proxy DNS

Bam, now you have ProtonVPN and encrypted DNS resolution via NextDNS.

They have a pre release version that I’m testing right now that is pretty nice, v055p.

I do remember some funkiness with DNS resolution in the current stable version, v055n.

Definitely recommend trying it out!

This should let you see two entries in your NextDNS analytics (unknown devices - your iPhone, and whatever you named your Android in the ReThinkDNS DoH address).

2 Likes

Unbelievable! I just quickly set up a WG configuration to give it a try and maybe I’ll fine-tune it afterwards if I can get it to work. Well, it works!!!

NextDNS is now able to identify my phone making the queries rather than lumping all my devices and queries together under “unidentified devices”. So a major goal has been accomplished and all thanks to you!

Now, for me to fully trust this setup, are there any tests that you would recommend I run to validate that the VPN is fully working with no DNS and WebRTC leaks? Privacy and security are very important. How would I interpret those results to know this is working? I only have experience using Proton and Mullvad’s VPN apps with a custom DNS. It’s unfortunate that neither supports using custom DoH/DoQ servers or else I would never have created this thread. Their apps currently only support IPv6 addresses.

What is nice about RethinkDNS 0.55p?

Do you have any idea how to solve the iPhone’s problem then?

Why do I have to run WG in advanced mode?

What does “Never Proxy DNS” mean?

Before I even try to learn how the firewall feature works, which other WG and DNS settings should I enable or disable?

Thanks again!!!

1 Like

I guess for testing you could try observing network requests in Termux or using adb (this might require some searching); I’m admittedly not familiar with each.

Running the wg proxy in advanced mode allows:

  1. VPN tunnelling - per app selection to pick which ones use the WG proxy
  2. Forcing the use of your defined DNS for DNS resolution
  3. You could run two or more WG configs and assign specific apps to each config like browsers use Mullvad, streaming use Proton or whatever.

Simple mode selects all apps and uses the WG config for DNS.

What does “Never Proxy DNS” mean?

  • This means only use the DNS you declare in DNS settings. If you have it off, I think it allows DNS to use both the WG config DNS or the defined DNS from DNS settings.

What’s nice about 055p?

  • To me, nicer UI, more stable behavior with WG proxy
  • I’d recommend checking the subreddit. There’s apparently an issue with the VPN lockdown feature, but they just pushed another update yesterday to address this.
  • They have an experimental relay feature where I guess you can create your own multi hop relay with two WG configs. Haven’t tested that though
  • Per app / per firewall logging

Suggested settings - what I’m using in 055p

Firewall (Universal):

  • Block when source app is unknown
  • Block newly installed apps by default
  • Block when DNS is bypassed

DNS:

  • On device blocklists
  • Use in-app downloader
  • Prompt for blocklist updates
  • Show website icons: ON
  • Prevent DNS leaks: ON
  • Never Proxy DNS: ON
  • DNS Booster: ON

Settings:

  • Enable logs

Suggestions for iPhone?

  • Beats me bro, I think that’s up to you to figure out :confused:

One note: using this setup will report a DNS leak if you use dnsleaktest. That’s because you’re declaratively using a DNS that is different than your WG server. So when you check your NextDNS profile you will see the real IP address of your device.

Further Exploration:

If you have more questions they have a matrix channel where people are testing the new releases. Check the GitHub.

I know that the developer has been working really hard at this for a while and these are pre-releases but I do think there’s a need for more user-friendly documentation on this.

Maybe I’ll reach out to see if I can help with that …

Best of luck!

2 Likes

Oh also, in the apps settings of RethinkDNS go through your apps and toggle off mobile and wifi access for shit that doesn’t need it (calculator, some system apps).

If some apps are being assholes with your firewall you can exempt them here as well.

1 Like

Testing with this option enabled will also show an extra IP address not belonging to your DNS.

I’m always curious as to why the calculator app needs Internet access. Potential source for spying?

I think PG or someone truly experienced like you should make a guide for newbies like us! I’m just shocked that neither Mullvad/Proton is very interested in allowing the use of custom secured DNS within their apps. It makes no sense. I’ve already emailed them a few times over the years and no changes have been made.

Is there a Rethink equivalent on iOS? What about on the desktop?

Well shit, I guess I’ll disable that one!

I appreciate that my answer helped you out, but I’m no expert, lol. Just another newbie with a high tolerance for trial and error!

Fwiw, seems like proton is working on it for iOS: Proton VPN summer roadmap: Exciting new features for Linux and macOS | Proton VPN

For desktop check out the PG recommendations:

  • DNS Resolvers - Privacy Guides
  • You can throw NextDNS onto a router directly for network wide protection.
  • Or use a SBC to run AdGuard Home/PiHole and find a way to setup a VPN on your router.

Lots of different means/methods to wrangle DNS; lean into some different options, test, and have fun learning! I break my home network at least weekly experimenting and my partner… still loves me!

1 Like

I looked at the roadmap, but I don’t see what you’re referring to.

There’s a section under “what’s coming this summer” where they announce Custom DNS for macOS, iOS, and iPadOS

2 Likes

Custom DNS is already available on iOS. They only accept IPv4 addresses though. :frowning:

You don’t need a custom DNS setting for anything. For Windows there’s YogaDNS, for Android Private DNS, and for iOS you just create a profile. All of these work with a VPN.

edit. Ideally, it would be good to have one, but there are ways to manage until then…

edit2. I remembered that iOS is the same as Android. My bad.

True for Android where the Private DNS setting has authority over all DNS queries, but on iOS/iPadOS, activating your VPN tunnel overrides the DNS mobileconfig and uses whatever DNS server is specified in the tunnelling app (usually the VPN provider’s own DNS servers by default). OP’s issue is with the iOS Mullvad app only accepting legacy IPv4/IPv6 addresses for custom DNS servers instead of encrypted DoH/DoT domains. Personally I don’t have an issue with that (since you’re already trusting the VPN provider with your traffic anyway) but it’s what the OP wants.

1 Like

I’m on Android myself and I thought it was the same on iOS. I was wrong about that.

Exactly, and I thought that was the same issue with Android too? Is the other guy correct where if I change the private DNS and use Mullvad VPN, Android will override Mullvad’s DNS and utilize NextDNS?

Yes, in my experience that’s how it works on Android. You can test it out yourself. Input the DoT domain you get in your NextDNS control panel into Android’s Private DNS section. Then connect to a Mullvad server, launch a browser and visit test.nextdns.io to check. You can also check on sites like https://dnscheck.tools where you should see something like dns.nextdns under the DNS resolvers section.

3 Likes

What the heck? I’ll test this out. I’m surprised this isn’t mentioned more often. Very exciting news if true. Sucks that Android doesn’t support DoH or DoQ. Why? DoT is better than nothing, but in 2025, I want to aim for DoH or DoQ.

Wow, you’re right, I think it does work. I’ve never heard of dnscheck.tools, please help me out.

I see two IP addresses after finishing the test. The first entry appears to be IPv4. The second looks like IPv6? Why would I have two IP addresses?

I see “ptr: dns.nextdns.io”. What does ptr mean?

I’ve passed all the signature tests for both Firefox (246ms EDNS DNSSEC IPv6) and Brave (56ms EDNS DNSSEC IPv6) on Android, but there is a huge difference in response time. Why?
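The questions above about the two resolver addresses and the “ptr:” line are about reading a resolver check, so here is an added example (editor’s illustration, not code from this thread, from dnscheck.tools or from NextDNS) of how such a result can be interpreted programmatically. The “ptr:” value is the hostname published in the reverse (PTR) record for the resolver’s egress address, and a dual-stack resolver can reach the test’s authoritative servers over both IPv4 and IPv6, so two addresses can belong to the same operator. The resolver addresses here are constructed from documentation ranges (RFC 5737 and RFC 3849), the PTR table is a constructed stand-in for real reverse lookups so the script runs offline, and `nextdns.io` is assumed as the expected operator suffix because `dns.nextdns.io` is what the thread reports seeing; any address whose PTR does not fall under that suffix is flagged, which is the “leak” condition the dnsleaktest note earlier in the thread describes.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List

# Constructed sample input: the resolver addresses a dnscheck.tools-style page
# might list after the test. These are documentation ranges (RFC 5737 and
# RFC 3849), NOT real NextDNS or ISP addresses.
OBSERVED_RESOLVERS: List[str] = ["192.0.2.53", "2001:db8::53"]
OBSERVED_WITH_STRAY: List[str] = ["192.0.2.53", "2001:db8::53", "198.51.100.7"]

# Constructed stand-in for reverse (PTR) lookups so the example runs offline.
# A real check would query the PTR record for each address (e.g. `dig -x`).
PTR_TABLE: Dict[str, str] = {
    ipaddress.ip_address("192.0.2.53").reverse_pointer: "dns.nextdns.io",
    ipaddress.ip_address("2001:db8::53").reverse_pointer: "dns.nextdns.io",
    ipaddress.ip_address("198.51.100.7").reverse_pointer: "cache1.isp.example",
}


def ptr_name(ip: str) -> str:
    """Return the DNS name a PTR (reverse) query for `ip` is sent to.

    IPv4 reverses the octets under in-addr.arpa; IPv6 reverses all 32
    nibbles under ip6.arpa. The 'ptr:' line on a resolver test page is the
    hostname the address owner published at this name.
    """
    return ipaddress.ip_address(ip).reverse_pointer


def hostname_matches(hostname: str, expected_suffix: str) -> bool:
    """True if `hostname` is `expected_suffix` or a subdomain of it."""
    host = hostname.rstrip(".").lower()
    suffix = expected_suffix.rstrip(".").lower()
    return host == suffix or host.endswith("." + suffix)


def check_resolvers(resolvers: Iterable[str],
                    lookup_ptr: Callable[[str], str],
                    expected_suffix: str) -> dict:
    """Classify each resolver address the test saw and give an overall verdict.

    `lookup_ptr` maps a reverse-pointer name to a hostname ('' or None if
    there is no PTR record). Every address must reverse-resolve to a name
    under `expected_suffix`; otherwise some queries are reaching a resolver
    you did not choose, which is what a leak test reports.
    """
    entries = []
    for ip in resolvers:
        addr = ipaddress.ip_address(ip)
        name = addr.reverse_pointer
        host = lookup_ptr(name) or ""
        entries.append({
            "ip": str(addr),
            "version": addr.version,  # 4 or 6: a dual-stack resolver shows both
            "ptr_query": name,
            "ptr": host,
            "expected": bool(host) and hostname_matches(host, expected_suffix),
        })
    all_expected = bool(entries) and all(e["expected"] for e in entries)
    return {
        "verdict": "ok" if all_expected else "leak",
        "ipv4_seen": any(e["version"] == 4 for e in entries),
        "ipv6_seen": any(e["version"] == 6 for e in entries),
        "entries": entries,
    }


if __name__ == "__main__":
    scenarios = (("clean", OBSERVED_RESOLVERS), ("stray resolver", OBSERVED_WITH_STRAY))
    for label, seen in scenarios:
        result = check_resolvers(seen, PTR_TABLE.get, "nextdns.io")
        print(f"{label}: verdict={result['verdict']}")
        for e in result["entries"]:
            flag = "ok" if e["expected"] else "UNEXPECTED"
            print(f"  IPv{e['version']} {e['ip']:<24} ptr={e['ptr'] or '(none)':<20} {flag}")
```

Run it as-is to see the clean dual-stack case pass and the third, constructed ISP address get flagged; to apply it to a real result, replace `PTR_TABLE.get` with a function that performs the actual PTR lookup and paste in the addresses the test page showed.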

I would prefer using Android’s Private DNS over RethinkDNS until I fully understand that app. However, I have noticed some things while testing things out.

I’m using Mullvad VPN’s app with NextDNS as mentioned earlier. The custom DNS option was still enabled in the app despite enabling Android’s Private DNS. Will this cause any problems like a DNS leak? The test does say no, but I do have two instances running. I want a set-and-forget setup. I don’t mind disabling the custom DNS in Mullvad’s app and then turning off all the features in Mullvad’s VPN app since you said Android will override Mullvad’s DNS while using Mullvad’s VPN. I am still a little worried that with an extra complication or step in this process that my privacy and security could somehow be compromised. Sort of like an increased attack surface area.

On a 5G cellular connection, everything seems to be fine. My home has two WiFi networks. One is from the ISP-supplied modem/router. The DNS test also seems to validate that things are ok. There is a problem when connecting to my GL.iNet router. That router is set up to use Adguard Home, where the upstream DNS server is using Quad9. As soon as my phone connects to the GL.iNet router, I get an error notification. It says the “Private DNS server cannot be accessed”. If I disable Android’s Private DNS, then everything is ok again. It’ll be inconvenient having to disable and enable Android’s Private DNS depending on which WiFi network or cellular connection I use. How do I address this and better optimize this setup? Is RethinkDNS the best long-term solution?

I don’t get why there are so many different services and why you make things so complicated.

2 Likes