Is using Cloudflare with a VPN on safe?

Basically, I tried the Mullvad Connection Checker and it said I had a DNS leak (I use Cloudflare as my DNS provider). That being said, the IP address on the leak is not my real IP, and it's not my real location either.

Does this mean I'm safe? Is it a security risk at all? And is Cloudflare safe to use under a VPN in general?

I'd really appreciate some clarification here.

In case it wasn’t obvious, DNS leak just means that Mullvad has detected that your DNS servers are not ones belonging to Mullvad, meaning that when you navigate to a website, the request for where to find that website is being sent to a third party outside Mullvad, introducing the risk that while Mullvad isn’t logging your network requests, this third party might be.

Unless you have a very specific reason not to (such as wanting highly-configurable content blocking with NextDNS instead of the basic options that Mullvad provides), you should generally use your VPN’s DNS servers while connected to the VPN. That way, you only have to trust one company (your VPN provider) with your internet traffic, as opposed to them and a separate DNS provider.

In addition to increasing the number of parties you have to trust with your internet traffic, what Mullvad’s connection check demonstrates is that websites can see that your DNS servers are not the ones associated with your VPN, so websites could attempt to single you out as a Mullvad user with Cloudflare DNS rather than simply being another Mullvad user, adding a data point that they could use to re-identify you across browsing sessions.

It’s likely not an imminent danger as websites would have to be specifically looking for this discrepancy and in most configurations, Cloudflare themselves are probably receiving your VPN IP as the only piece of identifying information they could associate with your requests should they choose to do so, but in most cases you’re still better off just using your VPN’s DNS servers due to the above risks.

11 Likes

Really helpful man thanks a lot! Have a great day

1 Like

I really don't understand why you would use Cloudflare DNS in the first place… it doesn't really block anything except malware, and it's not even that privacy-friendly. The ONLY benefit I can think of is ECH, but that's it.

1 Like

To be honest, I didn't know that to use Mullvad's own DNS you had to disable DNS over HTTPS in Firefox.

1 Like

Best practice here is just to use your VPN provider’s DNS servers. They see everything anyway, so you’re already trusting them with that data.

No need to trust a third party, and in the case of someone else on the provider making the same request, the query will likely be cached on their servers.

1 Like

This depends on where you're located: there are several countries where Firefox sets Cloudflare or NextDNS DoH by default.

So if that's the case, then yes, you need to disable the default DoH.
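A quick way to check whether a Firefox profile is still sending DNS to a DoH provider (and so around the VPN's resolver) is to read the `network.trr.mode` pref from its prefs.js. The script below is an added example, not code from the thread or from Mozilla; the mode meanings follow Firefox's documented TRR values, and the two prefs.js snippets are constructed samples, not a real profile.

```python
import re

# Firefox's DoH setting ("TRR" = Trusted Recursive Resolver) in prefs.js.
# Mode meanings per Firefox's network.trr.mode documentation.
TRR_MODES = {
    0: "default (DoH off unless Firefox's regional rollout enabled it)",
    2: "DoH first, fall back to the system (VPN) resolver on failure",
    3: "DoH only, never use the system resolver",
    5: "DoH explicitly disabled by the user",
}

# Matches lines such as: user_pref("network.trr.mode", 3);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(prefs_js: str) -> dict:
    """Return {pref_name: raw_value} for every user_pref line in a prefs.js."""
    prefs = {}
    for line in prefs_js.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip().strip('"')
    return prefs


def effective_trr_mode(prefs: dict) -> int:
    """A user-set network.trr.mode wins; when it is 0 the rollout pref decides."""
    mode = int(prefs.get("network.trr.mode", 0))
    if mode == 0:
        mode = int(prefs.get("doh-rollout.mode", 0))
    return mode


def doh_status(prefs_js: str) -> dict:
    prefs = parse_prefs(prefs_js)
    mode = effective_trr_mode(prefs)
    return {
        "mode": mode,
        "meaning": TRR_MODES.get(mode, "unknown/unsupported value"),
        "resolver": prefs.get("network.trr.uri", "(Firefox built-in default)"),
        # Modes 2 and 3 send queries to the DoH provider instead of the VPN's
        # resolver, which is exactly what a DNS leak checker reports.
        "bypasses_vpn_dns": mode in (2, 3),
    }


# Constructed sample, not a real profile: DoH forced on, pointed at Cloudflare.
SAMPLE_LEAKING = '''user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
'''
# Constructed sample: DoH explicitly disabled, so the VPN resolver is used.
SAMPLE_FIXED = 'user_pref("network.trr.mode", 5);\n'
```

Run `doh_status(open(path_to_prefs_js).read())` against your own profile; a result with `bypasses_vpn_dns` set to True is the situation the Mullvad checker flags.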

Because it’s literally on the recommended DNS providers section of this website:

https://www.privacyguides.org/en/dns/#recommended-providers

That's really intended for use cases where you're not also using a VPN. Remember that quite often there will be leaks (SNI, OCSP, comparisons to CT) to your privacy around the data you're sending that are not your DNS queries.

If you’re using a VPN you should be using your VPN server’s internal DNS servers. DNS is recursive, let them forward the request up to wherever it needs to go.

The only real case where you might not do that is if you have some requirements of blocking where you need to configure what is blocked and don’t want to run a resolver. Then you need to use a service like NextDNS.

Excellent that this forum is populated with experts!
Debts of gratitude here, and why Privacy Guides needs to continue … Thanks to all the Team Members, you are imparting much essential info!

1 Like

Link please …