Apologies as I know this topic has been discussed ad nauseam here, but I wanted to get some advice regarding this. My desktop uses Bazzite (a Fedora atomic distro). I created a fedora-43 distro using distrobox and installed my browsers (Brave, Trivalent and Mullvad) inside it, as based on what I found in these forums, flatpak versions of browsers are …lacking in a lot of stuff.
I use Trivalent with multiple profiles for my logged-in websites, since fingerprinting prevention doesn’t make sense when you are already logged in I think (this information I got from the PG forums).
My devices use Tailscale and ControlD (both have an integration with each other). I’ve also bought the Mullvad add-on from Tailscale to allow me to access the Mullvad VPN, as I did want to try to switch to Mullvad Browser. But a couple of points are causing some issues:
1. While PG recommends Mullvad Browser with the Mullvad VPN, my DNS requests will leak as long as I’m not using the Mullvad Browser, since my DNS provider is ControlD (it’ll work for Mullvad as Mullvad uses the Mullvad DNS in the DNS over HTTPS setting in the browser, so my requests never get forwarded to Tailscale on my system). Granted that while I ran the tests, instead of my actual country’s servers, the DNS queries were originating from ControlD’s servers in my chosen country (i.e. if I used Singapore for this test, my queries were also reportedly originating from ControlD’s servers in Singapore instead of my home country). But this is still not ideal, right?
2. I often have a lot of tabs open (articles etc.) and my browsers are set to open the last tabs. Mullvad by default discards these tabs - and while there is a setting to change the policy to continue where I left off, PG also recommends not messing with the Mullvad settings at all.
A possible solution for 1 would be to get a PiHole, and set the upstream resolver to Mullvad DNS - but this is not possible atm due to a lack of resources to buy always-on hardware on my end.
A possible solution for 2 would be to use bookmarks instead.
Using a VPN like Mullvad also has an added benefit of allowing access to geolocked content - but ControlD solves that by allowing you to route any particular URL/group of URLs (or even all your DNS traffic) from any other country, so ControlD can also solve that. So the benefit of Mullvad is basically anti-fingerprinting (which is a big point, not minimising that).
Given the above points, does it make more sense to use Mullvad or stick to Brave only (for now)?
EDIT: Another benefit of Brave would be cross-device sync from my Android - while I don’t require it often, it is nice to have.
It is still not clear to me what you’re trying to accomplish even with all these points and info shared.
What are you trying to do in the end? What is your threat model? Why are you doing these things like this in the first place? These questions again bring me to ask, what are you trying to accomplish?
You’re doing too many things in particular ways and that’s confusing for anyone to understand what you’re trying to get at. Seems like you know what you’re doing. And because you’re tech savvy enough, you also likely know what Mullvad and Brave are for and how to use them and in which situations. I’m not sure there’s anything else we can share that would be a more conclusive response to your ambiguous questions (as I see it currently).
There are a lot of details about your setup that seem like they may be external/unrelated to your choice of browser.
Mullvad Browser should be used with a VPN, but if you don’t use a VPN you aren’t worse off than you would be with any other browser. And realistically, you most likely should be using a VPN regardless of what browser you choose. And when using a VPN it’s generally considered to be best to use that VPN server’s DNS, not a 3rd party DNS.
TL;DR of the above: Regardless of the browser you choose, you probably want to use a VPN, and use that VPN’s DNS servers.
So independently of browser choice, I think you need to think through how (or if) Control-D can fit into that equation or not.[1]
Control-D comes from the same company as Windscribe VPN and my recollection is they do not recommend using Control-D and a VPN simultaneously.
A possible solution for 1 would be to get a PiHole, and set the upstream resolver to Mullvad DNS
That’s similar to what I’ve been considering for my own network, except my goal would not be to set the upstream to Mullvad DNS because I’d like to automatically use the default DNS of whichever specific VPN server I’m connected to. I’m not sure what would be required to implement this sort of setup and it’s beyond my current level of networking know-how (which is pretty low).
As to your original question, I’m not really seeing any specific aspects of your setup that would push you towards one browser over the other. Except what you mention about wanting your tabs to persist across sessions. I’m somewhat sure that you could change that setting in MB without it undermining fingerprint resistance but that is something you would want to confirm for yourself with Mullvad if possible. You are right to be cautious about making changes to MB.
[1] Maybe Tailscale has some logic that would allow you to set things up so that traffic flowing through the Mullvad VPN exit node will use Mullvad VPN’s internal DNS and all other traffic would use Control-D?
Apologies for the ambiguity in the original post. I’d been confused between the two for a week now, for whatever reason, and that really frustrated me. Now I can see I was trying to shoehorn Mullvad into my setup, whereas currently Brave does make more sense. Thank you for your reply, and also to @xe3 and @Bumbashirovich.