Using encrypted DNS with a VPN

The answer here shouldn’t be just no, and here is why:

  • One of the reasons not to do it is having to trust two different entities, but I don’t see a problem with trusting NextDNS and Proton VPN. So this should be a choice for a user if they want to trust two different entities.
  • The other concern that I see often is that users can be fingerprinted easier if they use DNS servers that aren’t hosted by their VPN provider. And this actually doesn’t really matter in most cases and here is why:
    1. All of the apps that I use and all of the websites that I visit either already know who I am or are privacy friendly, or both, and if I want to use an app or website that doesn’t know my identity or isn’t privacy friendly, or both, I will use Tor.
    2. There are a lot of other ways to fingerprint users, and if fingerprinting is a concern, then again, users should use Tor.
  • When you use something like NextDNS, you get a lot more control and choice over what to block, and users that know what they’re doing can improve their privacy and security.

Where I think it makes sense to just use VPN provider DNS servers is when you’re using Mullvad Browser because you don’t want to stand out. And in some other cases too, but I don’t think that the answer should be just a straight-up no.


I find this statement to be confusing
“Unless your VPN provider hosts the encrypted DNS servers, no.”
because it implies:
“Unless your VPN provider doesn’t host the encrypted DNS servers, YES”


I find your second sentence much more confusing. Let's take away the word unless. Basically what they are saying is:

  1. IF the encrypted DNS service is hosted by your VPN service, then yes, it is acceptable to use encrypted DNS and a VPN together.
  2. But IF the encrypted DNS service is hosted by 3rd party (not your VPN provider) then no, it is not recommended to use at the same time as a VPN.

How would you benefit from encrypted DNS if all your network traffic goes through the VPN of your choice?

Arguably it could be a little more private with respect to your VPN provider.

But I think the larger reason people tend to want this isn’t for encrypted DNS in and of itself, they want other functionality that comes with some of the popular encrypted DNS services (i.e. the ability to use/customize any blocklist, some of the security features of NextDNS, or the Dashboards/Analytics/Logging of NextDNS or Adguard).

The VPNs currently recommended by PG all offer ad/tracker blocking as an option. I don’t think the remaining benefit of things like the NextDNS dashboard are within the scope of what PG considers when making recommendations.
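The question above rests on the premise that all traffic, DNS included, really does go through the tunnel. The following check is an added example, not code from this thread or from any of the providers named in it: it reads connection events in a constructed format (an assumption; real input would come from a packet capture or the OS connection tracker) and flags DNS that left on any interface other than the VPN tunnel. The interface names, addresses and the DoH resolver list are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges. One caveat the check makes visible: DoH shares port 443 with ordinary HTTPS, so a bypass of the tunnel by a third-party DoH resolver can only be recognised if that resolver's address is known to the check.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample of connection events, one per line:
#   "<iface> <src_ip> -> <dst_ip>:<dst_port>/<proto>"
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real resolvers.
SAMPLE_EVENTS = """\
tun0 10.2.0.2 -> 10.2.0.1:53/udp             # VPN provider's own resolver, inside the tunnel
tun0 10.2.0.2 -> 203.0.113.10:443/tcp        # third-party DoH resolver, inside the tunnel
tun0 10.2.0.2 -> 198.51.100.7:443/tcp        # ordinary HTTPS, not DNS at all
eth0 192.168.1.20 -> 198.51.100.1:51820/udp  # the VPN tunnel itself (WireGuard)
eth0 192.168.1.20 -> 192.168.1.1:53/udp      # plain DNS to the home router, bypassing the tunnel
eth0 192.168.1.20 -> 203.0.113.10:443/tcp    # DoH to the third-party resolver, bypassing the tunnel
"""

# Ports that are DNS by definition: plain Do53 and DNS-over-TLS.
DNS_PORTS = {53: "Do53", 853: "DoT"}
# DoH shares 443 with ordinary HTTPS, so it can only be recognised by resolver address.
DOH_PORT = 443

EVENT_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+):(\d+)/(udp|tcp)$")


@dataclass(frozen=True)
class Event:
    iface: str
    src: str
    dst: str
    port: int
    proto: str


def parse_events(text: str) -> List[Event]:
    """Parse the constructed event format; '#' starts a comment."""
    events = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unparseable event line: {line!r}")
        iface, src, dst, port, proto = m.groups()
        events.append(Event(iface, src, dst, int(port), proto))
    return events


def dns_kind(ev: Event, doh_resolvers: Set[str]) -> Optional[str]:
    """Return 'Do53', 'DoT' or 'DoH' if the event carries DNS, else None."""
    if ev.port in DNS_PORTS:
        return DNS_PORTS[ev.port]
    if ev.port == DOH_PORT and ev.dst in doh_resolvers:
        return "DoH"
    return None


def find_dns_leaks(text: str, tunnel_iface: str, doh_resolvers: Set[str]) -> List[str]:
    """List every DNS event that left on an interface other than the VPN tunnel."""
    leaks = []
    for ev in parse_events(text):
        kind = dns_kind(ev, doh_resolvers)
        if kind is not None and ev.iface != tunnel_iface:
            leaks.append(f"{kind} to {ev.dst}:{ev.port} left via {ev.iface}, not {tunnel_iface}")
    return leaks


if __name__ == "__main__":
    for finding in find_dns_leaks(SAMPLE_EVENTS, "tun0", {"203.0.113.10"}):
        print("LEAK:", finding)
    # Without the resolver address, the DoH bypass is invisible to this check.
    print("leaks found without a DoH resolver list:",
          len(find_dns_leaks(SAMPLE_EVENTS, "tun0", set())))
```

Run against the sample, the check reports two leaks (the plain DNS to the router and the DoH connection on eth0); with an empty resolver list it reports only one, which is the practical reason to keep a list of the resolver addresses you configured rather than relying on port numbers alone.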

Thank you for clarifying. I think the meaning conveyed by the IF THEN construct is what the author actually meant.

With respect to a recommendation I think you are probably right.

But I don’t think OP is asking for it to be a recommendation, they are asking for the current anti-recommendation (recommending against 3rd party encrypted DNS w/ a VPN) to be more softly worded / nuanced.