Bought Proton VPN - should I remove NextDNS from my PC and devices now?

Hello everyone, beginner here. I bought NextDNS Premium almost a year ago and love it; I set it up both in the browser and system-wide on all my devices. I then recently bought Proton VPN and thought that I could just use Proton VPN with NextDNS. I started reading the Proton article regarding custom DNS - apparently it isn't recommended to use PVPN with a third-party DNS, as PVPN already has NetShield and this might cause DNS data leaks. I use a Windows PC and Android devices.

What advice do you guys have for me? Keep my current NextDNS configuration and continue using PVPN with NetShield off? Or remove all traces of NextDNS from all my devices and enable NetShield?

My threat model - average hobbyist who doesn't want his data collected and being tracked.

Another related question - if I were to use a custom DNS with PVPN, do I have to enter it into the custom DNS setting inside the app, or can I just leave that blank and enter the custom DNS in my browser/system settings instead? Or it doesn’t make a difference?

I recommend you keep using your Proton VPN's DNS only. No other DNS should be involved in your setup. It's a simpler way to go and set things up.

But if you do decide to use a custom DNS anyway, you can try setting it up as you want, but always check for DNS leaks at https://www.dnsleaktest.com/. If there are IPs showing that should not be, there's a leak. If not, you're fine.

Honestly, it's been a long time since I used Windows and NextDNS, so I'm not sure what the best way to set it up is. Why don't you try setting it up directly in the Proton VPN app itself, if you really must?

Thank you for replying. I just checked using the extended test and I only see my VPN IP and dns.nextdns.io as the hostname. Does that mean I’m good for long, or do I have to constantly check?

It depends. That constitutes a DNS leak, which could also make you unique. If your threat model calls for it, and especially if you want to blend in, disable NextDNS and use the Proton DNS.

If, however, you do want to use NextDNS in conjunction with Proton VPN, I recommend you use their Custom DNS functionality, but otherwise, again depending on that (that = threat model), it should be okay. I would just assess the risks/benefits from there.

How is it a DNS leak when OP does not see their own IP or ISP info at all but only ProtonVPN and NextDNS info?

Don’t think DNS is leaking as long as their real IP is not shown.

You don’t have to constantly check but check regularly just to make sure. It is okay for now from what I can tell and understand based on what you have shared.

Again, this is why I don’t like to use any other DNS resolver than my VPNs. I highly recommend you stick with ProtonVPN only.

Regardless of whether it is expected or not, by definition, if the DNS returns outside of your encrypted tunnel (e.g. VPN) [in this case Proton IP and NextDNS instead of Proton IP and Proton DNS], it is considered a leak.

Whether that's okay or not, a good or bad thing, I stand by the advice I gave above. (Which is, TL;DR, assess your threat model and then take action based on that if needed. I go into more detail if you read it, though.)

I see what you mean. Sure, by the strictest definition and technically speaking. But I'd argue that's not quite the case here, since OP knows they are using another DNS resolver, so it's okay - still not really a leak unless your IP and ISP info is shown, especially when you know where those DNS requests are going to and through.

Yeah, you’re not wrong in what you said. Didn’t mean to imply that.

It's not. It is supposed to work like that, since the user is using a third-party DNS.
NextDNS is not leaking.

Based on your perceived threat level, I would say keep using NextDNS; Proton's DNS blocklist is nowhere near as powerful or configurable as NextDNS. You could still meaningfully increase your privacy by blocking tracker domains, as well as your security by blocklisting known malware sites.

The drawback for simple fingerprinting should be negligible. Advanced fingerprinting is another story and should be out of scope given your perceived threat level.

For your second question: for mobile devices, I would use the Private DNS setting in the system, not the VPN app.

For Windows / Mac / Linux, I think it depends on how you implement your VPN; AFAIK some configurations would make the VPN quite leaky, in which case you might want to fix your VPN setup first.

Bottom line: I would always set my home router's DNS server to NextDNS as a safety net.

Seriously, don’t use Proton’s Custom DNS. It’s not encrypted. If you want to link NextDNS, YogaDNS is your only good bet.

Ah yes, I forgot it wasn’t encrypted. See, this is why I don’t mess with custom DNS with VPNs. It’s not easy to tell which set up would work best.

Wait, I’m a little confused here. Why use another service (Yoga) when NextDNS can be easily set either system-wide or in the VPN’s settings?

It is not encrypted. If that seems too complicated, just use the VPN’s own DNS. Under no circumstances should you use the custom DNS feature.

Hold on, let me see if I understand this correctly.

Yes, Proton's custom DNS uses IPv4, which is unencrypted, but when you run the extended test, shouldn't it still return Proton as the DNS? Unencrypted or encrypted, at the end of the day we are trusting Proton with our traffic; it doesn't make a difference.

Don't be; it should be fine to configure the DNS in Proton VPN, since the traffic is still routed to Proton's servers at the end of the day. If that is what you need, again, assess your threat model and go from there.

Test it https://dnscheck.tools/

Gotcha, I'll test it when I get home. I plan to test using Quad9 with Cloudflare as the alternate, just to see a general result.

I tested it; my IP shows the VPN's IP and DNS showed as NextDNS. So I'm OK, right?

Are you certain that NextDNS is active? Does the first line say ‘ok’ and what protocol? https://test.nextdns.io/

edit. If it’s DoH3 and ok, I’m definitely swapping out my DoQ for it.

edit2. I just realized that the test probably won’t work since the VPN’s DNS is what’s visible. Could you please check the NextDNS logs to confirm that new entries are appearing? That would be enough reason for me to test it myself.

edit3. And of course, this as well. Extended test and ONLY the VPN DNS should be visible. https://www.dnsleaktest.com/ ---- And yeah, after reading it again, it definitely won’t work. ONLY the VPN DNS should be visible.
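As an added example, not posted by anyone in this thread: the recurring question above is whether NextDNS queries on the Windows PC are actually going out encrypted (DoH) or as plain UDP/53, and which adapter is using which resolver. The PowerShell below audits that using the built-in DnsClient cmdlets and can optionally register a DoH template so Windows upgrades NextDNS queries to DoH. Assumptions not stated on the page: the NextDNS anycast addresses 45.90.28.0 and 45.90.30.0, the DoH template form https://dns.nextdns.io/<config-id> (replace YOUR_CONFIG_ID with your own), and 10.2.0.1 as Proton VPN's in-tunnel resolver. Get-DnsClientDohServerAddress and Add-DnsClientDohServerAddress exist on Windows 11; the -Apply step needs an elevated prompt.

```powershell
# Added example (not from the thread). Audits which DNS servers each active
# adapter uses and whether Windows has a DoH template registered for them.
# ASSUMPTIONS: NextDNS anycast IPs 45.90.28.0 / 45.90.30.0, DoH template
# https://dns.nextdns.io/<config-id>, Proton VPN in-tunnel resolver 10.2.0.1.
# Run as-is to audit; run with -Apply (elevated) to register NextDNS DoH templates.
param([switch]$Apply)

$NextDnsConfigId = 'YOUR_CONFIG_ID'   # placeholder: your NextDNS configuration ID
$Expected = @{
    '45.90.28.0' = 'NextDNS'
    '45.90.30.0' = 'NextDNS'
    '10.2.0.1'   = 'Proton VPN (in-tunnel resolver, assumed)'
}

# DoH templates Windows currently knows about (empty list means every query is UDP/53)
$doh = @(Get-DnsClientDohServerAddress)

# 1. Per active adapter: configured IPv4 resolvers, who owns them, and the transport
$report = Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
    $adapter = $_
    $servers = (Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4).ServerAddresses
    foreach ($srv in $servers) {
        $owner = if ($Expected.ContainsKey($srv)) { $Expected[$srv] } else { 'UNEXPECTED - investigate' }
        $tpl   = ($doh | Where-Object ServerAddress -eq $srv | Select-Object -First 1).DohTemplate
        $xport = if ($tpl) { "DoH ($tpl)" } else { 'plain UDP/53 (unencrypted)' }
        [pscustomobject]@{ Adapter = $adapter.Name; Server = $srv; Owner = $owner; Transport = $xport }
    }
}
$report | Format-Table -AutoSize

# Flag the two conditions the thread cares about
if ($report | Where-Object Owner -like 'UNEXPECTED*') {
    Write-Warning 'An adapter points at a resolver that is neither NextDNS nor the Proton tunnel resolver.'
}
if ($report | Where-Object { $_.Owner -eq 'NextDNS' -and $_.Transport -like 'plain*' }) {
    Write-Warning 'NextDNS is configured but has no DoH template: queries leave as unencrypted UDP/53.'
}

# 2. Optionally register DoH templates so Windows upgrades NextDNS to DoH and refuses UDP fallback
if ($Apply) {
    foreach ($ip in '45.90.28.0', '45.90.30.0') {
        if (-not ($doh | Where-Object ServerAddress -eq $ip)) {
            Add-DnsClientDohServerAddress -ServerAddress $ip `
                -DohTemplate "https://dns.nextdns.io/$NextDnsConfigId" `
                -AllowFallbackToUdp $false -AutoUpgrade $true
        }
    }
}
```

After running with -Apply, re-run without it and confirm the NextDNS rows now show a DoH transport, then use the checks already mentioned in the thread (the first line of https://test.nextdns.io/ and fresh entries in the NextDNS logs) to confirm the queries really arrive at NextDNS over the encrypted path rather than being answered by the VPN's resolver.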