DNS and VPN

I searched for these topics but didn’t find much about them here on the forum. I read the PG topics, and it was through reading them that these doubts came.

Ok, let’s see if I understand correctly about how to make good use of DNS or VPN:

DNS DoH or DOT encrypts the DNS query on entry and exit, and this ensures that my ISP does not have access to the content I am accessing, right? If so, then only with a 3rd party DNS can I get more privacy from my ISP.

Now about VPNs. In addition to ensuring that my ISP does not have direct access to what I am accessing, the VPN also encrypts the content of the traffic, which is good on public networks or mobile networks, right? So if my threat model doesn’t include my privacy from the websites I access, but does include privacy from my ISP, and I’m using my local network (which I trust), then DNS will be more useful than VPN, right? (Even though the VPN also has a useful DNS built-in)

Now again about DNS. In addition to encrypting queries, some DNS also protect against tracking and ads, in addition to blocking malicious websites. In this aspect, the main problem with combining VPN + DNS is the fact that I will differentiate myself from other users, making the fingerprint process easier, right? Does this also include PiHole self hosted?

Now the last topic. The biggest advantage of the self-hosted pi hole is that I don’t need to pass my traffic to another DNS, so I will have one less person to trust? Would this be a difference, for example, in using a self-hosted pi hole vs a Quad9? (Even though we know that the pi hole on LAN will work for all devices, so let’s disregard that part).

No… You still have to use a VPN to hide your network traffic from your ISP. Encrypted DNS provides very little privacy protection at the moment, to be honest. This is because of other things which leak the domains you’re visiting besides DNS, like Server Name Indication (SNI) which there are lots of posts on this forum and elsewhere about.

The main benefit of Encrypted DNS is ensuring your ISP can’t tamper with your DNS queries. As stated in our DNS Overview:

Unencrypted DNS requests are able to be easily surveilled and modified in transit. In some parts of the world, ISPs are ordered to do primitive DNS filtering. When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use DPI to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses port 53 and always uses UDP.

In the future encrypted DNS will provide more privacy protections, once technologies like Encrypted Client Hello are more generally available. However, even eDNS+ECH does not provide privacy protections in all scenarios. Using a VPN will likely always be the only solution when privacy from your ISP is a requirement.

In theory yes, this is true. In practice, merely using a DNS provider separate from your VPN provider will probably not make you very unique on its own (or at the very least would be challenging to detect). However, if you block domains on the DNS level that may make you more fingerprintable and would be easier to detect (this would include with Pi-Hole).

Sort of, but not really. Pi-Hole will still query other servers to resolve queries it doesn’t know about in its cache already, so it doesn’t really provide privacy protections there. The main advantage of Pi-Hole is that you can configure the blocklists yourself, because most DNS providers (besides ones like NextDNS) don’t provide many options for allow/block-listing domains on an individual level.


Been using NextDNS for 1 year. Works so well, does its job.


Thanks!

I definitely hadn’t understood about SNI before. Now that makes more sense.