Combine encrypted dns provider with VPN

So I’ve been reading on here and noticed in the recommendations that you should always use the DNS of the VPN you’re using.

I really would love to use Mullvad and perhaps install it on my wife’s iPhone as well, however I noticed that when enabling their content blocking, some JavaScript files being downloaded take ~20 seconds (I’m not very knowledgeable on this subject); when I disable the content blocking it’s fine. To test I set up the free ControlD DNS in Mullvad custom DNS and it worked flawlessly.

Would it be a bad practice to use the Mullvad VPN with ControlD DNS in this case or do you guys have a solution for the above?

That’s odd

If possible you should try to report this to Mullvad (or whoever maintains the lists they use) and hopefully get it solved.

To test I set up the free ControlD DNS in Mullvad custom DNS and it worked flawlessly.

Out of curiosity, what happens when you set up Mullvad DNS as the Custom DNS (with the same blocking categories as you were using previously)? Is the issue with the JS still present?

Would it be a bad practice to use the Mullvad VPN with ControlD DNS in this case or do you guys have a solution for the above?

To be honest, I struggle to wrap my head around this topic, and I’ve been trying for some time.

As best as I can understand it there is nothing catastrophically wrong with using custom DNS with a VPN, but you are making yourself stand out a bit more, and introducing more useful metrics that could be used to track or identify you. For example:

  1. A 3rd party server or website you visit could potentially use a bit of trickery to determine what DNS server you are using. Because the vast majority of people just use their VPN’s default internal DNS, this makes you potentially more recognizable. You won’t be recognizable as @RandomGuyyy but you might be uniquely identifiable as the only connection from a Mullvad IP address using ControlD as your DNS provider. And maybe more importantly, it could mean that when you change VPN servers, it could be easier to re-identify you (link your activity even when you change your apparent IP), particularly when combined with other metrics.

  2. By using a non-standard DNS server, which uses different blocklists than your VPN provider, you introduce a potentially observable and ‘fingerprintable’ difference between you and other users of the same VPN server. This assumes that what is blocked/not resolved can be known by the 3rd party website or server. But I believe that that is a reasonable assumption. What I don’t know is if this is being done in practice, and how difficult or prevalent a strategy it is.

  3. Introducing another 3rd party to trust.

  4. Possibly just a theoretical risk, but when you use a 3rd party DNS your DNS queries don’t stay completely contained within the virtual private network (“encrypted tunnel”). Like your HTTP(S) traffic your DNS traffic will also exit the VPN.

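Points 1 and 2 above describe an observable difference: a custom resolver answers some names differently (sinkholed, NXDOMAIN, or empty) than the VPN provider's own resolver does. The script below is an added example, not code from this thread or from Mullvad or ControlD, that lets you audit that difference yourself before deciding on a setup. It sends plain UDP DNS queries for a list of domains to each resolver, classifies each answer, and lists the domains where the resolvers disagree. The resolver addresses, the domain list and the sinkhole address set are placeholders you fill in for your own setup; `build_response` only constructs packets so the classifier can be exercised offline.

```python
"""Self-audit: do two resolvers answer the same way for the same names?

Added example for the thread above (not the forum's or any provider's code).
The resolver IPs and domains in RESOLVERS / PROBE_DOMAINS are placeholders.
"""
import secrets
import socket
import struct

# Addresses that blocking resolvers commonly hand back for blocklisted names
# (assumption: extend this set for the resolvers you are comparing).
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1"}

# Placeholders: label -> resolver IPv4 address (fill in your own).
RESOLVERS = {"vpn_default": "10.64.0.1", "custom": "192.0.2.53"}
PROBE_DOMAINS = ["ads.example", "tracker.example", "news.example"]


def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS query: one question, type A, class IN, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def build_response(name: str, txid: int, rcode: int = 0, addresses=()) -> bytes:
    """Construct a response packet (offline demonstration only, not real data)."""
    question = build_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addresses), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                       + socket.inet_aton(a) for a in addresses)
    return header + question + answers


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes end the name
            return offset + 2
        offset += 1 + length


def classify_response(msg: bytes, txid: int) -> str:
    """Classify a DNS response as resolved / blocked / nxdomain / nodata / other."""
    if len(msg) < 12:
        return "other"
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        return "other"
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"
    if rcode != 0:
        return "other"
    offset = 12
    for _ in range(qd):
        offset = _skip_name(msg, offset) + 4  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(an):
        offset = _skip_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    if not addresses:
        return "nodata"  # NOERROR without A records: some blockers answer this way
    if all(a in SINKHOLE_ADDRESSES for a in addresses):
        return "blocked"
    return "resolved"


def query_resolver(resolver_ip: str, name: str, timeout: float = 2.0) -> str:
    """Send one UDP query to resolver_ip:53 and classify the answer."""
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        try:
            msg, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(msg, txid)


def compare_resolvers(resolvers: dict, domains: list, query=query_resolver) -> dict:
    """Verdict per domain per resolver; 'query' is injectable for offline use."""
    return {d: {label: query(ip, d) for label, ip in resolvers.items()} for d in domains}


def differing_domains(table: dict) -> list:
    """Domains on which the resolvers disagree: the observable difference."""
    return [d for d, verdicts in table.items() if len(set(verdicts.values())) > 1]


if __name__ == "__main__":
    # Offline demo with constructed packets; swap in compare_resolvers(RESOLVERS,
    # PROBE_DOMAINS) to probe real resolvers.
    sample = build_response("ads.example", 7, addresses=["0.0.0.0"])
    print("constructed sinkhole answer ->", classify_response(sample, 7))
```

Run it with the real resolvers to see which names, if any, they treat differently; an empty list from `differing_domains` means there is no blocklist-based difference to observe on that domain set.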

If possible you should try to report this to Mullvad (or whoever maintains the lists they use) and hopefully get it solved.

I did send them an e-mail with my findings. Awaiting their response.

Out of curiosity, what happens when you set up Mullvad DNS as the Custom DNS (with the same blocking categories as you were using previously)? Is the issue with the JS still present?

This is actually a pretty good idea, I tried it on my phone in 2 different ways. I set up the IPv4 address of the Mullvad content blocker in the Mullvad VPN app and I set the URL (I think it uses DNS over TLS but might be HTTPS) as the “Private DNS” setting on Android. After that, the loading didn’t happen anymore and the results were instant. So this is a nice workaround if it doesn’t create any risks.

Edit: Just tested this by setting the IPv4 within the Mullvad desktop app, this completely kills the connection and doesn’t work :( . Also their page advises you not to set the DNS like this when using the VPN (because of point 4 you mentioned), so I guess I’ll wait for their response.