How to think about Mullvad VPN DNS filtering?

According to the GrapheneOS devs:

DNS filtering makes users stand out from other users with the same VPN unless it’s provided as a standard VPN feature which most users have activated. It’s why we recommend using VPN provider DNS filtering.

Source: GrapheneOS (@GrapheneOS): "Yes, modern macOS on their recent hardware is far more secure and has gone a long way towards moving desktop OS security closer to mobile security. It's still quite a lot less secure than iOS but far more progress has been made than desktop Linux or Windows. It's not even close." | XCancel

The problem is, in Mullvad VPN, DNS filtering is not one on/off switch; instead, there are different categories of content that you choose to either filter out or not, making a custom filter profile.

Would this mean that if you end up creating a relatively rare custom DNS filter profile, you would stand out among Mullvad VPN users and be easier to fingerprint? Since there are, to my knowledge, no statistics on which filters are most common, is it then safer to just not use DNS filtering at all? Or is the effect so small compared to other fingerprinting vectors that it’s not worth worrying about?

Boy, GOS always seems to have a sharper tongue. Not sure if that’s good or bad.


There are 4 or 5 presets. I would just use the default one if you worry about FP.

I’m not sure I see those options. I should have mentioned that I’m on Android.

I would show a screenshot if I could figure out how to post images here. But anyway: it’s just a list of different categories of content to filter out (Ads… Trackers… Malware…), and you enable them one by one. No default presets as far as I can see.

I’m guessing they mean the enable-all option as the default option, as that’s what counts as a “default” there.

But yeah, you’re right otherwise.

I’m not sure what it would accomplish; I doubt that’s a very common configuration. I could see that being the case if there was a switch to ‘Enable all’, but the way it works you’d have to deliberately check all of the boxes one by one. If I were to guess, most people (who even bother going into settings) would filter out ads, trackers and malware, but maybe let gambling, adult content and social media through. But again, that’s my speculation and there are no statistics available.

Yes. I hear you and I concur.

Let them clarify what they meant then. I’m not seeing what they mean either.


I just did a test turning some of them on and all of them off: no change in the DNS server (IP and name), as reported by Connection check | Mullvad VPN. So I guess, and that’s what I would expect from them tbh, the filtering happens “internally” without any change in the DNS server - thus, not affecting your fingerprint.


At least Mullvad considers Ads+Trackers+Malware the “base choice”: DNS over HTTPS and DNS over TLS

It’s been a long time since I used Mullvad, but as I remember you only have 5 presets, and don’t they enable one by default?

This makes sense. Also, we have to consider that in a real-life scenario a website probably isn’t going to try and load malware or shady stuff to see what DNS you use. They could load trackers and ads, but realistically they can’t really tell whether you blocked malware, gambling, etc.

At least non-shady sites; your streaming website might not care.


Oh, I see, that’s the stand-alone encrypted DNS service. I meant the settings for the DNS used by the VPN servers. As @carbonated pointed out, it doesn’t seem to matter for fingerprinting.

I know that, but that gives you an idea of what’s probably the most sensible and used settings.
