Private DNS/Use Secure DNS settings when using Orbot

When using Orbot as a system-wide VPN, what would be the correct configuration for Private DNS (system setting) and Use Secure DNS (browser setting)?

If you want to route your DNS through Tor or to be able to access Onions, you should turn both Private and Secure DNS off.

If you want to have more trustworthy DNS or one that enforces DNSSEC, then you should enable Private/Secure DNS.
It’ll still route over Tor, but it won’t be handled by the per-circuit exit node, which could let the DNS correlate your requests.


I was able to access Onions with both of these settings set to default (automatic), but I have disabled both of them now.

As I understand the network setup here, in order to access the Tor network, the work of DNS is only to find the IP address of the entry nodes. Whether you use a private DNS provider or just rely on your default ISP DNS server shouldn’t affect the privacy/anonymity of your Tor session.
Also, not to mention, regardless of using private DNS or not, your ISP will still know that you are connecting to some Tor nodes.
So I guess it will be up to your personal preference whether to use a private DNS or not.
(Feel free to correct this post if you feel it’s technically incorrect.)

@kevino
Tor itself doesn’t rely on DNS to bootstrap, but using Tor to access clearnet does still require working DNS.

Each circuit will have DNS resolved on the given exit nodes, and those nodes can do whatever they want with DNS.
Most of them use Google DNS.
And most of them do not enforce DNSSEC. Tor itself cannot support DNSSEC, so picking a resolver that only returns records if valid is a half workaround.


What happens if it is set on “Automatic”?

Automatic will check if the DHCP advertised DNS server supports DoT, and use it if possible.

I do not recommend it.
