I got this idea when I read that Mullvad had added a new feature. I managed to get DoQ working through YogaDNS with ProtonVPN. It feels faster than DoH, and several speed tests have confirmed it’s not just a feeling.
But now I’m wondering if I’ve made myself completely unique and easy for everyone to identify? Or does it even matter whether I’m using DoQ or DoH?
Finally, a few tests. I’m on a 1000/500 connection.
Also, I am wondering at what point your DNS is the limiter rather than your internet bandwidth, given the internet speeds you get, and if that’s something that can be factored in.
I think the answer to your question lies in the difference between DoQ and DoH. I am not technical enough to answer that with confidence so I’ll leave that for someone else. But it’s a good question.
Albeit, I’m curious, why did you want to replace ProtonVPN’s DNS with yours? And which DNS resolver are you using then?
I’m on Windows 11 Pro, and the reason I use YogaDNS is because without it, I can’t get AdGuard, since that’s how I get all of HaGeZi’s blocklists. So yeah, ProtonVPN’s Netshield isn’t even close to enough…
Maybe I’m mistaken here, but if your connection to the Proton DNS is already encrypted by the VPN tunnel, doesn’t that make encrypted DNS less useful compared to DNS requests without a VPN?
In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your threat model. We do not suggest the use of encrypted DNS for this purpose. Use Tor or a VPN instead. If you’re using a VPN, you should use your VPN’s DNS servers. When using a VPN, you are already trusting them with all your network activity.
So, if you’re trusting a VPN with all your traffic, using a third-party encrypted DNS is not only quite useless but also counterproductive, because you stand out for fingerprinting without any privacy gain. You could argue the use of filtering lists, but that’s not an encryption problem.
But I don’t know if it makes you more fingerprintable because VPN does not obfuscate fingerprinting to begin with nor does encrypted DNS. They are both used for different purposes.
Some DNS resolvers, however, have extra features and whatnot, like NextDNS or AdGuard, that you may want to use. I don’t recommend it, but there’s a use case for this too that works for some. I’ve tried it all ways, but I always end up coming down to keeping it simple and letting your VPN do it all systemwide.
From your ISP’s POV you stand out because it sees your connection to the VPN AND the DNS queries to a third-party DNS provider, a much smaller pool of users.
DNS can only impact the latency to connect to a server due to the lookup time. It will not and cannot directly alter your transfer speed.
(With the exception of an ECS resolver which can pick a closer CDN PoP to use at the cost of disclosing your (partial) IP address to the nameserver.)
No, the ISP would still just see the VPN connection since the DNS would go over the VPN if you’re using any proper client.
I’m pretty big on security. Proton’s Netshield is useless to me. You need three layers of protection: 1. Ad and tracker blocking in the browser 2. Proper DNS protection, like HaGeZi’s Pro++ and TIF at a minimum 3. A firewall configured to block everything except what you specifically allow. So yeah, I’m not really worried that I’m a bit easier to identify because of my DNS.