DNS ad blockers without local VPN

I have been using Adguard and Rethinkdns since many days. However both are using Local VPN to enable DNS. If I turn on Normal VPN while using Adguard or Rethinkdns, the VPN is killing those apps and vice-versa.

Are there any apps to solve my problem of using DNS and VPN simultaneously?

I am already using dns(dns.adguard.com) through system settings.

RethinkDNS allows you to import a Wireguard config so you can use that Wireguard config’s VPN and RethinkDNS at the same time.


Would either of these solutions work for you:

  • You could choose a VPN provider that has built-in blocking functionality (e.g. Mullvad, Proton, IVPN, AirVPN, Windscribe)
  • You could use a VPN that allows setting a custom DNS (e.g. Mullvad, IVPN)

Just some more breakdowns so it would be easier for you to choose which method suits your:

  1. Some VPN providers have built-in blocking functionality, but their blocklists might be quite limited to your taste, or you don’t have options to add your preferable lists with it like with Adguard or RethinkDNS, or ability to whitelist domains (Windscribe can do this if I remember correctly)

  2. Custom DNS for VPN requires you to add trust into another entity (VPN and DNS provider, you can read more here), but if your VPN is already using a 3rd-party DNS then this is not really an issue, although I would advise you to avoid that provider. Also theoretically websites can detect that you are using a different DNS than other people who use the same IP address of that same VPN provider, but it might not be among your threat models.

  3. If you use Adguard, they also provide a way to use with their own VPN service at the same time (speaking from personal experience, I’m having a license of their VPN until 2026 but I rarely use it since their speed and client apps/softwares are not as stable as Mullvad). However, their blocking app cannot distinguish which domain comes from which app, unlike RethinkDNS, unless you use their “HTTPS Filtering” which means you have to install their root CA (Certificate Authority), in which I would advise to strongly avoid as they practically become a MitM that can inspect all of your HTTPS connections.

  4. RethinkDNS with Wireguard VPN config can use that VPN’s DNS at the same time, you have more blocklists to choose, and their app allows you to block/allow domain at per-app level so it’s more flexible than Adguard. However, you need to choose VPN provider that allows you to export Wireguard config. You can only import Wireguard config manually so it’s more difficult to change location freely comparing to your own VPN app. Also you can only use that VPN’s DNS in Simple mode. If you switch to Advanced mode to have more fine-grained configuration to exclude which app to run through that VPN’s connection, the DNS will fall back to your DNS choice inside the app.

4 is my set up right now.


As far as I know rethinnkDNS allows wireguard as a proxy but not as a VPN, which is quite different.

VPNs like IVPN, Mullvad, allow for custom DNS but on Android they only allow unencrypted DNS so you’ll have to use their IPV6 DNS address or use a public unencrypted server.

Android’s private DNS can be used with a VPN but as far as I know the DNS requests are sent via DoT first and then the data is encrypted through the VPN tunnel so you can choose that if you don’t mind your DNS requests not being within a VPN’s encrypted tunnel.

Only VPN that allows for custom encrypted DNS through its VPN app is IVPN on ios. I’m not sure why the ios version of IVPN can do this but it’s the only one I’ve found so far that can.

True, not the same. Rethink runs WireGuard to only route TCP/UDP traffic and drops all others. This usually covers all usecases one might desire from a “public VPN” like Mullvad, Proton, iVPN, WindScribe etc. and of course not desirable in “private VPN” setups.

Most folks are likely thinking of “Proxies” when they imagine these “public VPNs”:

  • Hide IP address from remote webservers.
  • Change geo-location.
  • Encrypt Internet-bound connections.

Curious, what use of a public VPN you have in mind that “WireGuard-as-a-proxy” wouldn’t cover?