Hello there. I am writing this to suggest that PrivacyGuides not recommend using the Secure DNS / DNS Over HTTPS feature on the browser recommendation and configuration page. The reason for this is because this feature causes DNS Leaks when using a VPN.
(Note that the DNS Server’s ISPs aren’t saying ProtonVPN, Datacamp, Cogent, or literally anything else except for the DNS Provider selected on the other tab)
There is also the fact that all three VPNs recommended by Privacy Guides [Mullvad, ProtonVPN, and IVPN (page hosted by IVPN)] specifically recommend not using this feature.
If this website wants to continue recommending it anyway despite these issues, it should at least provide a warning as to the issues that could occur with VPNs when using these features or when changing the DNS on device in general, as there is currently no such warning on many pages where it would be useful, such as the browser recommendations page.
Sites can detect what DNS resolver you are using, and if they notice a VPN connection with a DNS resolver different than other VPN users, then they can more easily identify you.
When you are using a VPN, only your VPN provider should be able to tell what websites you are visiting. However, if a DNS leak occurs, that information gets sent to a DNS resolver that is not run by your VPN, which is not supposed to happen.
I think it depends on your threat model and what you’re trying to protect against.
DNS over HTTPS (DoH) is useful to bypass DNS filtering services and to protect against web activity logging on networks that may block or restrict VPNs.
There are already plenty of services out there to determine if your traffic is originating from low-cost VPN solutions or Tor exit nodes, so I wouldn't be overly concerned about that fingerprinting personally.
I think it's good security and privacy practice to recommend DoH to the general audience members, but individuals' threat models may differ from person to person and they should use what makes sense for them.
This should not be necessary. Every VPN provider PG recommends already explicitly recommends people not to use other private DNS services when using their VPN as OP states.
It is not in the scope of PG to remind people to make sure they are using recommended tools correctly or to read the material already provided by the tools themselves.
If someone wants to make a Community Guide re-iterating that using a private DNS option in your browser may cause issues with your VPN, go for it.
In the end, if people are relying on PG instead of reading the material provided by the tools themselves, or are changing settings they don't understand, that's PEBKAC.
I also think there is an issue here where @hydrogenperoxide assumes most people have a threat model that requires using a VPN.
I respectfully disagree with your assessment, however, I would like to state that I am not directly against changing the DNS Resolver at all. I merely disagree with changing it on device because your on device implementation could interfere with your VPN if you are using one. Changing it on your router is fine because it does not directly interfere with any VPN implementation you might be using.
The reason why I disagree with recommending using DoH on device is because there is a far less risky method of changing the DNS resolver (via the router), and recommending a riskier option that introduces the possibility of user error is a bad thing, because people make mistakes. I understand, however, if people do not share my exact viewpoint, in which case all I ask is that the risks and issues that could occur when using DoH are clearly outlined and stated on the pages it is recommended on.
I also do not believe this is the same as services detecting what VPN or Tor exit node you are using. This is because I believe there is a very strong difference between being able to detect what VPN or Tor exit node someone is using (which multiple people could be using at once), and being able to identify a specific VPN user by looking at what DNS they are using.
I disagree with this assessment. This diagram merely suggests that using encrypted DNS with a VPN is something that probably should be avoided. It doesn’t unequivocally state that you SHOULDN’T use encrypted DNS with a VPN, nor does any other page do this (the VPN page also states that you probably shouldn’t, but it doesn’t outright state that using both is wrong, nor does it clearly outline the risks with using both at all, like DNS leaks)
I also disagree with the statement that this is not a DNS leak, as not only does this cause information to get unintentionally sent to parties that are not your VPN (you may not realize your DNS queries are being sent to your custom DNS and not your VPN), but also because every major VPN provider says it is a DNS leak. Just look at the support page for any VPN provider (whether it is Proton, Mullvad, IVPN, or even less reputable VPN providers like Express or NordVPN), and they all say the exact same thing: using DoH causes DNS leaks, don't use it.
It is true that dnsleaktest is run by IVPN. The reason why I used that site was to get a photo describing what I am talking about. You can use any VPN test website that tests your DNS and any DoH Provider and you will come to the same result (For instance, the reason why I discovered this was because I noticed using NextDNS in the browser would cause a DNS leak if I turned on my VPN).
Using DoH on device depends on, well, what device you are using and how good its implementation is. For instance, I found Windows 11's DoH implementation to be rather unreliable: although it works fine on my PC, I found that on my laptop it either doesn't work (it constantly flip-flops between my ISP's DNS and the DNS I set it to), or it causes a DNS leak with a VPN running. As for whether it causes a DNS leak if you are already using the VPN's DNS provider, it technically doesn't, but that's just because you are already using the VPN's own DNS provider, and not because it doesn't cause DNS leaks.
I personally believe the best way to change the DNS is to change it on your router only, as it removes any risk associated with using your on-device implementation and it removes the possibility of user error.
I disagree with your assessment. PG is a website that is often geared towards (and used by) beginners. Just because every VPN provider already warns not to use encrypted DNS with a VPN doesn't mean every reader of this website will know that. In order to learn about this danger, you still have to go through the VPN provider's blog or support page and find the page that specifically warns against doing this, which most people will not do. In fact, they might not even be aware of the existence of DNS leaks or the possibility that their VPN could leak information at all.
In the end, I believe that if this site is going to recommend a specific tool, it should either warn of the risks or dangers associated with using said tools (such as DNS leaks), or not recommend them at all, as recommending a set of tools while not telling them what could go wrong is simply reckless and puts people in unnecessary danger that could easily be avoided.
I also do not believe that most people have a threat model that requires a VPN. However, if their threat model does include a VPN, they should be warned of any compatibility issues that could occur when using other tools recommended by the same site they are using for advice (such as with DoH and VPNs), that would ultimately conflict with their threat model.
I mean, I just feel like the DNS Overview page on PG already states this pretty clearly... unless I'm not understanding some finer details. But reading it, I understood quite clearly why you would and would not use DoH.
This just states that you should use encrypted DNS to bypass censorship and filter ads. It doesn’t mention anything about VPNs or DNS leaks or anything like that.
The only page on this website that gets anywhere near close to stating that encrypted DNS shouldn’t be used with a VPN is the VPN overview page, and even then, it just says “you probably shouldn’t use DoH with a VPN.” It doesn’t outright unequivocally state “Using DoH with a VPN causes DNS Leaks. Do not use DoH with a VPN.”
I would say a DNS leak is also when your IP is the VPN's IP in one country, but the DNS IP is in another country. Most services won't care, but some do. Test it here: https://thesafety.us/check-ip
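As an added illustration (not code from the thread, Privacy Guides, or any VPN provider), the following Python script models what a DNS leak test reports when a VPN is up: the public IP the test site sees your HTTP request come from, and the resolver IP(s) that actually looked up the test's hostnames, each tagged with an organisation and country. It classifies the result the way the thread discusses it: a resolver run by the home ISP means queries escaped the tunnel entirely; a resolver run by someone other than the VPN provider is the browser-DoH case the opening post describes; and a VPN-provider resolver in a different country than the tunnel exit is the mismatch the last reply mentions. All organisation names and addresses are constructed sample values, and the precedence rule in effective_resolvers (a browser's own DoH setting wins over the resolver the VPN pushed to the system) is an assumption that matches the behaviour described in the thread, not a statement about any specific browser.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ordered from harmless to most serious. "isp_resolver" means the lookup left
# the VPN tunnel altogether; "third_party_resolver" means it stayed encrypted
# but went to a provider other than the VPN's; "country_mismatch" means the
# VPN's own resolver answered from a country other than the tunnel exit.
SEVERITY = {"ok": 0, "country_mismatch": 1, "third_party_resolver": 2, "isp_resolver": 3}


@dataclass(frozen=True)
class Endpoint:
    ip: str       # address as shown by the leak test (constructed sample values below)
    org: str      # organisation the address is registered to
    country: str  # ISO 3166-1 alpha-2 country code


@dataclass(frozen=True)
class LeakReport:
    status: str                       # worst classification across all observed resolvers
    offenders: Tuple[Endpoint, ...]   # every resolver that was not "ok"


def classify_resolver(egress: Endpoint, resolver: Endpoint, vpn_org: str, home_isp_org: str) -> str:
    """Classify one observed resolver relative to the VPN egress the test site saw."""
    if resolver.org == home_isp_org:
        return "isp_resolver"            # classic leak: query bypassed the tunnel
    if resolver.org != vpn_org:
        return "third_party_resolver"    # e.g. browser DoH pointed at another provider
    if resolver.country != egress.country:
        return "country_mismatch"        # VPN resolver, but not co-located with the exit
    return "ok"


def classify_leak_test(egress: Endpoint, resolvers: List[Endpoint],
                       vpn_org: str, home_isp_org: str) -> LeakReport:
    """Reduce a whole leak-test result to its worst finding plus the offending resolvers."""
    worst = "ok"
    offenders = []
    for resolver in resolvers:
        status = classify_resolver(egress, resolver, vpn_org, home_isp_org)
        if status != "ok":
            offenders.append(resolver)
        if SEVERITY[status] > SEVERITY[worst]:
            worst = status
    return LeakReport(worst, tuple(offenders))


def effective_resolvers(vpn_resolvers: List[Endpoint],
                        browser_doh: Optional[Endpoint]) -> List[Endpoint]:
    """Assumed precedence: a browser with its own DoH setting sends its queries to
    that provider (inside the tunnel) instead of the resolver the VPN configured."""
    return [browser_doh] if browser_doh is not None else list(vpn_resolvers)


# Constructed sample data (documentation address ranges, made-up organisations).
VPN_ORG = "ExampleVPN AB"
HOME_ISP_ORG = "Example Home ISP"
VPN_EGRESS = Endpoint("198.51.100.7", VPN_ORG, "SE")
VPN_DNS = [Endpoint("198.51.100.53", VPN_ORG, "SE")]
VPN_DNS_OTHER_COUNTRY = Endpoint("198.51.100.54", VPN_ORG, "NL")
BROWSER_DOH = Endpoint("203.0.113.9", "Example DoH Inc", "US")
ISP_DNS = Endpoint("192.0.2.53", HOME_ISP_ORG, "DE")


def scenarios() -> dict:
    """Run the three situations discussed in the thread and return their reports."""
    return {
        "vpn_only": classify_leak_test(VPN_EGRESS, effective_resolvers(VPN_DNS, None), VPN_ORG, HOME_ISP_ORG),
        "vpn_plus_browser_doh": classify_leak_test(VPN_EGRESS, effective_resolvers(VPN_DNS, BROWSER_DOH), VPN_ORG, HOME_ISP_ORG),
        "vpn_resolver_other_country": classify_leak_test(VPN_EGRESS, [VPN_DNS_OTHER_COUNTRY], VPN_ORG, HOME_ISP_ORG),
        "tunnel_bypassed": classify_leak_test(VPN_EGRESS, [ISP_DNS, BROWSER_DOH], VPN_ORG, HOME_ISP_ORG),
    }


if __name__ == "__main__":
    for name, report in scenarios().items():
        print(f"{name:28s} {report.status:22s} offenders={[e.ip for e in report.offenders]}")
```

The "vpn_plus_browser_doh" scenario is the one the thread argues about: the query never left the tunnel, so the test site still sees the VPN's exit IP, yet the resolver column shows a different organisation because the browser's DoH provider, not the VPN, answered it. Whether to call that a leak is the disagreement above; the classifier simply reports it as a third-party resolver and leaves the policy decision to the reader.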