When using Orbot as a system-wide VPN, what would be the correct configuration for Private DNS (system setting) and Use Secure DNS (browser setting)?
If you want to route your DNS through Tor or to be able to access Onions, you should turn both Private and Secure DNS off.
If you want to have more trustworthy DNS or one that enforces DNSSEC, then you should enable Private/Secure DNS.
It’ll still route over Tor, but it won’t be handled by the per-circuit exit node, which could let the DNS provider correlate your requests.
I was able to access Onions with both of these settings set on default (automatic) but I disabled both of them now.
As I understand the network setup here, in order to access the Tor network, the work of DNS only goes as far as finding the IP address of the entry nodes. Whether you use a private DNS provider or just rely on your default ISP DNS server shouldn’t affect the privacy/anonymity of your Tor session.
Also, not to mention, regardless of whether you use private DNS or not, your ISP will still know that you are connecting to some Tor nodes.
So I guess it will be up to your personal preference whether to use a private DNS or not.
(feel free to correct this post if you feel it’s technically incorrect)
@anon66890361
Tor itself doesn’t rely on DNS to bootstrap, but using Tor to access clearnet does still require working DNS.
Each circuit will have DNS resolved on the given exit nodes, and those nodes can do whatever they want with DNS.
Most of them use Google DNS.
And most of them do not enforce DNSSEC. Tor itself cannot support DNSSEC, so picking a resolver that only returns records if valid is a half workaround.
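The reply above says most exit resolvers do not validate DNSSEC and that picking a validating resolver is only a half workaround. Below is an added example (not code from this thread, Orbot, or any resolver operator) that lets you check what a candidate resolver actually does before you put it in Private DNS: it builds a raw DNS query with the EDNS0 DO bit, sends it either over plain UDP/53 or over DNS-over-TLS on TCP/853 (the transport Android's Private DNS uses), and reads the AD flag and RCODE from the reply. A validating resolver sets AD on a correctly signed name and returns SERVFAIL for a deliberately mis-signed one. The resolver address and hostname (Quad9 at 9.9.9.9 / dns.quad9.net), the signed test name (ietf.org) and the broken test zone (dnssec-failed.org) are assumptions of this example; substitute whichever resolver you are evaluating. Only the pure packet-building and parsing functions run offline; the network part runs from the `__main__` block.

```python
import secrets
import socket
import ssl
import struct
from typing import Optional

# DNS header / EDNS0 constants (RFC 1035, RFC 6891)
FLAG_RD = 0x0100        # recursion desired (set in the query)
FLAG_AD = 0x0020        # authenticated data (set in a response only by a validating resolver)
EDNS_DO = 0x8000        # "DNSSEC OK" bit, carried in the OPT record's TTL field
RCODE_SERVFAIL = 2      # what a validating resolver returns for a bogus (mis-signed) name
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def build_query(name: str, qtype: int = TYPE_A, txid: Optional[int] = None) -> bytes:
    """Return a wire-format DNS query for `name` with an EDNS0 OPT record whose DO bit is set."""
    if txid is None:
        txid = secrets.randbelow(0x10000)
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, CLASS_IN)
    # OPT pseudo-RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_response(data: bytes) -> dict:
    """Pull the fields that matter here (ID, AD flag, RCODE, answer count) out of a response header."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "ad": bool(flags & FLAG_AD), "rcode": flags & 0x0F, "answers": an}


def classify(signed: dict, bogus: dict) -> str:
    """Interpret the responses for a correctly signed name and a deliberately broken one."""
    if bogus["rcode"] == RCODE_SERVFAIL and signed["ad"]:
        return "validating"
    if bogus["rcode"] == RCODE_SERVFAIL:
        return "validating (but does not set AD)"
    return "not validating"


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query(resolver_ip: str, name: str, dot_hostname: Optional[str] = None, timeout: float = 3.0) -> dict:
    """Send one query over plain UDP/53, or over DNS-over-TLS (TCP/853, RFC 7858) if dot_hostname is given."""
    q = build_query(name)
    if dot_hostname is None:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (resolver_ip, 53))
            data, _ = s.recvfrom(4096)
    else:
        ctx = ssl.create_default_context()  # verifies the resolver's certificate against dot_hostname
        with socket.create_connection((resolver_ip, 853), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=dot_hostname) as tls:
            tls.sendall(struct.pack("!H", len(q)) + q)  # TCP framing: 2-byte length prefix
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            data = _recv_exact(tls, length)
    resp = parse_response(data)
    if resp["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction ID mismatch; discarding response")
    return resp


if __name__ == "__main__":
    # Assumed values: Quad9 (mentioned in the thread) at 9.9.9.9 / dns.quad9.net, a zone assumed
    # to be correctly signed (ietf.org) and the deliberately mis-signed test zone dnssec-failed.org.
    RESOLVER, DOT_NAME = "9.9.9.9", "dns.quad9.net"
    for dot in (None, DOT_NAME):
        ok = query(RESOLVER, "ietf.org", dot)
        bad = query(RESOLVER, "dnssec-failed.org", dot)
        print("DoT" if dot else "UDP", "->", classify(ok, bad), "| AD on signed name:", ok["ad"])
```

Run it once against the resolver you intend to use; if the UDP and DoT results differ, or the broken zone resolves instead of failing, that resolver gives you none of the DNSSEC benefit the reply above is talking about, and the choice is then purely about who sees your queries.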
What happens if it is set on “Automatic”?
Automatic will check if the DHCP advertised DNS server supports DoT, and use it if possible.
I do not recommend it.
If my ISP’s DNS server supports DoT, will it override my VPN’s DNS?
@Lukas
Only if you were using the ISP-provided router as is; then, potentially.
But you should just specify Off or a specific server of your choice regardless.
Which one is good?
@Banananananananana
I recommend Quad9 or DNS0.
PG has their recommendations here: https://www.privacyguides.org/en/dns/#recommended-providers
Is it safe to use their app, or should I just use Private DNS Setup only?
What app?
Just use Private DNS. It shouldn’t be unsafe to use the Quad9 app, but there isn’t really a reason to use it either. The app uses VPN functionality which is probably less reliable (IME) and would prevent you from using another VPN.
Quad9 App
I tried to set up Quad9 as my private DNS, but the save option is not showing up.