modDNS closed beta - DNS-level ad/tracker blocking by IVPN

Hello everyone in the PG Community,

We’ve been working on standalone privacy tools to complement the IVPN service, and this week we are launching our next project, modDNS, in closed beta. Extending an invite (with some gifts) to the Privacy Guides community made sense before official announcements.

modDNS is a DNS filtering service that blocks ads, trackers, and malicious domains at the DNS level with granular controls over what gets filtered. You can set it up system-wide on any OS, within IVPN apps, or directly in browsers. It supports DoH, DoT, and DoQ.

What you get in the beta:

  • Configurable blocklists: curated combinations or community lists (Hagezi, OISD, AdGuard, StevenBlack, etc.)
  • Custom rules: allowlist and denylist specific domains, with allowlist entries overriding active blocklists
  • DNS profiles: multiple configurations with unique identifiers for different devices
  • Query logging: optional, disabled by default, with configurable retention periods

The codebase is open source. A security audit by Cure53 was completed before the beta launch, with no high or critical vulnerabilities found across a six-day assessment by four senior testers. The full report is available.

Registration starts in the IVPN My account area. After completion we discard the association between the IVPN account and the modDNS account. This means we can’t recover modDNS access through IVPN if access is lost. A formalized trustless system for this separation is in development and will be open-sourced by the time we go out of beta.

modDNS is part of a broader direction for IVPN. Mailx for email aliasing is already available in beta and we now operate Portmaster+SPN for application-level firewall controls. We feel that these services fit together naturally into a new profile. No plans to expand into services like calendar, data storage, etc.

What’s coming in the next couple of weeks:

  • Ironing out edge case network routing issues and adding more server locations (currently serving from Amsterdam and Toronto)
  • Service-level blocking (Facebook, Amazon, Google, etc.)
  • Category blocking (adult, gambling, etc.)
  • Statistics page

This is a beta, so occasional downtime or rough edges are possible.

How to get access

modDNS is currently available to IVPN Pro customers with one year or more remaining on their current plan. Check the modDNS tab on your IVPN account page if you are eligible.

If you want to test modDNS but are not an IVPN customer or don’t have a year on Pro, we are giving away five one-year IVPN Pro vouchers. These give you access to both modDNS and Mailx right away.

Requirement: at least Trust Level 2 on Privacy Guides forum.
Just message me, first five receive a voucher in reply. I’ll update this post when they’re gone.

Feedback

We would like to improve and create an outstanding service; that’s only possible if we have user feedback. DM me here, post in this thread, or email moddns@ivpn.net. Bug reports, feature requests, blocklist tests, performance notes, all welcome.

A full blog post with additional details will follow.

Looking forward to hearing what you think.

Viktor / IVPN

16 Likes

We’ll leave the invites to the community, but we’re definitely going to try this out.

3 Likes

@viktorivpn I would love to try this out!

1 Like

Messaged you!

2 Likes

Hi Viktor,

Just curious about the origin of the name.

Is this IVPN’s equivalent of NextDNS and AdGuard DNS? If so, how is it better? How will modDNS compete with these services in the future?

No special meaning; we had a large pool of options, and internal voting and discussions surfaced it as the front runner. You can “modify your DNS resolutions” with it :)

In short, yes.

How is it better → The biggest thing right now, I’d say, is trust. We have a great track record in honoring privacy commitments, and you can create an (IVPN) account without an email and pay with anon-friendly payment options. The service is audited and open source.

This is not a novel service, but an important one in our customers’ (and our) toolkit. We acknowledge the best competitors, including those you named, have pretty mature products. We have a way to go to catch up and then find ways to do even better; we will focus on that in the next 12 months in terms of features and performance. For the time being we won’t offer it as a standalone product, only to IVPN customers.

5 Likes

5 Vouchers are gone, thanks everyone for your interest in testing modDNS!

2 Likes

Looking forward to testing this. I’ve been trying out NextDNS, AdGuard DNS and ControlD the past couple months to see which works best for me. Each seems to have something I don’t like about them, so it’ll be interesting to see how everything is set up and looks with modDNS.

Also, if I remember correctly, there are going to be pricing changes in Q1 for IVPN? Are you guys planning on ever releasing premade bundles or mix-and-match bundles with your various services?

1 Like

Looking forward to trying this when it becomes available for signups. As someone who has tried NextDNS and AdGuard DNS, I hope you will allow for the importing of custom filter lists. Hagezi offers some block lists that are perhaps niche, but are not offered as a default option in your competition.

NextDNS does not allow users to import custom block lists. AdGuard now does, but is capped at 1000 rules total so larger lists are not an option. Not sure about ControlD.

Just wanted to provide my feedback as it is an aspect (user customization control) that seems lacking at times from other DNS services.

We had the same experience, which was a strong push towards us building modDNS. Looking forward to hearing more about what you like about it and what we should change.

Yes, this is in the works, we need a bit more time - Mailx and modDNS beta testing phase has to conclude first. We plan to have a VPN-only plan and two bundles replacing our current tiers, but not mix-and-match. Details are not final yet so that’s all I can share at this point.

On your servers? RTT, traffic is somewhat wasteful. Blocking could be done on a local forwarding DNS server with FakeIP or total empty response.

It’d be cool to see domain sniffing functionality. Such a use case would be more useful for PBR, but I can imagine some people wanting to make their own filtering. So essentially what RethinkDNS offers with its logging, or better yet, sing-box.

What exactly do you want to be tested? Or is it simply an ad?

Any update as to when the transition to RAM only servers will be complete?

Thanks for the feedback. We have evaluated this, there are tradeoffs around usability (list processing and omissions), resource abuse, preventing injections etc., it’s not a quick addition. We understand the need for it and it’s on our roadmap, but it’s not prioritised at the moment.

2 Likes

We have a couple of RAM-only servers live, currently:

  • ar1.gw.ivpn.net - Buenos Aires, Argentina
  • us-az2.gw.ivpn.net - Phoenix, Arizona, US
  • us-fl2.gw.ivpn.net - Miami, Florida, US

The replacement process is not straightforward as our new infra is building on previously untested concepts (we will detail this when we are further along the process). We decided to postpone the continuation of the rollout to focus on projects that bring more day-to-day value to users.

Right now the whole team is working on completing the new service launches and rolling out new pricing. When it’s done we’ll shift our attention back to VPN infrastructure.

In the spirit of transparency, this is a promise from 2025 we did not keep fully as we expected that shift back to happen in Q3 or Q4 last year.

1 Like

Ok, I’ve skimmed through the code and understand the gist of it. I thought that this app will configure DNS filtering on your end for some reason.

  • I hope your forwarding DNS isn’t configured to fall back to plain DNS, as downgrade attacks will be possible.

  • OpenWRT integration is kind of a given for such a project, but I’m unsure about its usefulness as IVPN doesn’t offer a VPN client.

I think it’d be a nice additional feature to a VPN client, but integrating it with the other VPN clients without breaking the routing will be painful. (you need to downgrade DoT, DoH or even DoQ to enforce filtering) I think that this product as a standalone thing deserves to be living on a router, but there are already infinitely more capable things that can do PBR filtering and routing such as sing-box out there.

1 Like

I was just wondering whether the DNS that’s being introduced here will eventually be made the default DNS for all Standard/Pro users?
Some people say that if your DNS settings stand out, it can make you easier to fingerprint (ref). So I’d like to understand the pros and cons of using this feature, especially whether it could make me stand out compared to other IVPN users.

Also, if you can, I’d like to know how modDNS sees the risks of fingerprinting when using custom DNS filters or rules.

1 Like

Would it be system-level DNS? That would be very cool, like Rethink DNS.

1 Like

note: meant to edit instead of delete, reposting

This is not planned, but can be considered (as a baked-in option for example in IVPN apps as a first step). For the foreseeable future this will be an opt-in service available to Pro subscribers, and IVPN DNS and modDNS DNS run separately.

As with many questions like this, the right answer is “it depends (on your threat model)”. We are aware of this problem and agree with the PG recommendation that you should use the VPN provider DNS unless you have a good reason to do so. Using a different DNS does make you stand out vs other IVPN users in this specific consideration, but some of the other users will use modDNS as well.

As Jonah put it, you need to decide whether gaining these extra capabilities is worth the tradeoff. We don’t have first-party research and data on “how much better can websites fingerprint you Scenario A vs. Scenario B” to help with evaluating the severity of this issue. If you are concerned about this, go with the safer choice.

This is worth adding to our FAQ so will make a note of that.

4 Likes

This is a remote resolver, OS-level interception and per-app controls are handled by a separate layer. For that we have Portmaster in our stack, where you can add modDNS as a custom resolver. However, Portmaster is currently available for Windows and Linux only.

1 Like

Here to ask the same thing. Current NextDNS user (and loving it).

1 Like