Does it matter if I’m pretty much always on a VPN connection?
If yes, what is the default protection? I mean, what does it mean that Firefox decides when to use secure DNS?
Also, why would I not want always “Max Protection”?
What exactly are you trying to understand from your end about DNS and VPNs and browsers?
You’re asking three different questions and only hinting at what you want to understand but you’re not cohesive about it. We need more exposition.
Sorry, let me rephrase.
I’ve already got an answer in the past that changing DNS provider on my router isn’t really necessary if I’m always on a VPN connection anyways. But other people in my house won’t, so the question is still relevant to me.
When I disconnect from the VPN and check 1.1.1.1 — One of the Internet’s Fastest, Privacy-First DNS Resolver, it will say I’m connected to 1.1.1.1 but never using DoH.
When I put “max protection”, it will say I’m connected using DoH.
So my question would be, what’s the benefit of not putting “Max Protection”?
Well, read the three options and details of what they do and why you may want to select either of them. If you always want to ensure your DNS is secure, then Max Protection should always be selected. But if you find other options to be a better fit for one’s browsing needs, then select one of the other options.
In my view, if VPN is not always on or not always used, then always use Max Protection.
I read them all and I’m still confused.
What are the benefits of not using Max Protection? It talks about “If secure DNS is not available, sites will not load or function properly.”
Does that really happen? If so, how/why?
It is very unlikely but not impossible. It can happen if the website is brand new and some things may not be configured well or if the DNS provider records have not been updated. Or if it is a sketchy website with no security of any kind on the website.
99.9% of the time, it should not happen.
Thanks!
And to me, there are no benefits of not using it for the safety I want with my browsing. But I always use a VPN so this is not even a thing I think about.
The “Default protection” is probably there because Firefox relies on third-party DoH resolvers (like Cloudflare and NextDNS) and they don’t ever want to have the browser blamed for a third party service not working.
As an end user and if you want to have DoH enabled, you should definitely use Max protection.
A couple I can think of:
.lan, .internal, .local etc).
If you want your browser to never rely on network / system resolver even if it means inaccessible websites, you’d have no trouble using Max Protection.
That isn’t the case.
What do you mean?
I’m not privy to Firefox’s decision making, so this is why I said “probably”, but there could well be other reasons.
To answer my own question “Also, why would I not want always ‘Max Protection’?”, the answer would be “to prevent DNS leak”. More on the below topic:
Edit: I’m a bit confused as I just checked Mullvad’s defaults and Max Protection is enabled. As you are not supposed to change Mullvad’s setting, it must mean I am not understanding something.
Could anyone explain? Is there really a DNS leak risk if you use a VPN with max protection?
The thread above confused me. From Proton’s site, it seems right.
We therefore strongly recommend against using DoH (and the similar DNS over TLS standard) with Proton VPN.
Meaning, I should probably remove my router config and just use the VPN at all times and install the VPN on other people’s computer in my home.
But on Mullvad Browser, it is set up as max protection by default. I don’t want to touch the setting, because of fingerprinting. So, I’m confused on what I should do.
The DNS is not technically part of the browser fingerprint.
It is there by default in Mullvad Browser, because we can’t assume where and how users are going to use Mullvad Browser.
If you use a trustworthy VPN (which potentially could be looking at all your traffic), then you should trust them not to look at your DNS queries either.
If you are almost always connected to a VPN, then why would you want to enable DNS over HTTPS? I don’t understand.
Your VPN is supposed to provide you with private DNS. In my case, I have that option disabled.
But be careful, DNS over HTTPS is not a “security measure.” You are only protecting your queries.
Meaning, I should put it as ‘default protection’ instead of ‘Max Protection’ if I use a VPN all the time, correct?
Leaving Max Protection would risk DNS leak, right?
Thanks a lot for your answers
But it can be detected by websites and potentially used for fingerprinting
Because DNS is not a core part of the browser as an app (in that it is network related and more a part of the internet the app connects through/with), I don’t think it is part of browser fingerprint as they say.
Can you also explain why you think so? I want to know where you’re coming from.
Because it’s another parameter that can be detected by websites to form unique fingerprints for their users. Being network related doesn’t mean much, IP addresses are also network related.
Actually this is a good question. Even I don’t know or have a conclusive answer. Perhaps someone can respond clarifying it.