VPN or private DNS or privacy ISP?

I did search different forums, but could not find sufficient answers to my questions below.

I live in an eyes country in Europe.
I have a privacy respecting ISP (actually true), as far as the law lets them.
Today I have Mullvad together with a private DNS via nextdns.

  1. On Proton's website, they claim that a separate DNS provider when you use a VPN is redundant. But I see a lot of people here who use it. There should be a clear winner here, but I can’t seem to find an answer to it. Is a separate private DNS redundant when using a VPN? Or does it just make you stand out more?

  2. I trust my ISP, that they are not snooping, and that they hand out data, when there is legal ground for it. Would you use a VPN anyway, or would you just use a private DNS? The main reason for using a VPN is to hide from your ISP right?

My main reason to use third-party DNS is blocklists and custom rules to block or allow sites. I am using Control D for that. VPNs' own DNS servers are not good enough to do that.

1 Like

If both the VPN and the DNS are on the same machine, there’s a fair amount of redundancy, depending on the setup.

If the DNS is only on the browser, then what’s happening in the browser goes through the DNS, but what’s happening outside the browser goes through the VPN. For example, you’re using a desktop email app instead of using email through your browser. In that case, the email is going through the VPN.

The way to have both layers at the same time is to have one set up on your router, and the other on your machine. But for the majority of people that’s overkill, unless you want to take advantage of the custom blocking with DNS, which can be very good.

I’ve experimented with that before. I keep permanent ‘kill-switch’ VPN in my router, and when I added DNS to my desktop machine it helped to block ads that I otherwise had trouble blocking. These days I only use the router VPN, in order to keep my setup a bit simpler. It’s easy to make things more complicated than they need to be.

Normally, one or the other is enough for most people. But if certain ads (which your browser ad blocker isn’t stopping) are driving you nuts, DNS is good.

1 - The most common reason it is typically not recommended to use a separate DNS provider with your VPN is that you risk exposing your browsing activity through DNS leaks. This can occur when DNS queries are not routed through the VPN’s encrypted tunnel, potentially revealing the websites you visit to your ISP or other third parties.

2 - See the VPN Overview.

2 Likes

Wait so, if I have DNS configured on my router and I use a VPN, I might have a DNS leak?

Should I remove the DNS setup altogether from my router and just always use the VPN then?

Even if you fully trust your ISP, you can’t control when your IP address changes. You’ll also still be vulnerable to DDoS attacks against your home router. Plus they’re useful as well for connecting to a website from different regions if you want to bypass certain restrictions. Plenty of uses for a VPN outside of hiding your traffic from your ISP.

1 Like

Yes, it's possible. I am not knowledgeable enough to say one way or another whether it is probable, but it is the typical reason it's not recommended. For example, Proton and Mullvad both say not to.

EDIT: @win11.shading291 re-reading this, I think if you have a DNS configured on your router and you use a VPN on a specific device, the VPN's DNS is going to override the one your router is using unless the VPN is specifically configured to use that DNS. You could always do something like an nslookup to check which DNS is being used.

This might be a good subject for @jordan to consider doing a brief video on. As I see lots of VPNs say this but they don’t go into detail about the risks.

I can’t say one way or another. I personally do not use a private DNS with my VPN, as I'd rather just have one party to trust instead of two (the VPN provider and the DNS provider). Others such as Techlore choose to use a private DNS with their VPN.

Hopefully one of the other more knowledgeable users (some of whom work on VPNs or are devs of DNS) could answer this question.

2 Likes

Thanks!

Pinging @ignoramous 🙂

Most of the suggestions (including yours) on this thread are on point.

If your VPN tunnels are set up as instructed by the public providers themselves (e.g. setting up their apps as laid out by them), especially the ones that are privacy focused (like the ones oft recommended here: Proton, iVPN, Windscribe etc.), it is unlikely (not an impossibility) you’d end up with “leaks”.

You can always check for “DNS leaks” (in the steady state) using web-based services like which.nameserve.rs, dnscheck.tools, browserleaks.com/dns etc. Easy to use, but these tools are prone to false positives. And most importantly, these tools won’t proactively help detect “leaks” due to edge cases (not steady) and/or misconfiguration as they happen.

On some platforms (like Android), OS-enforced “kill switches” exist to prevent leaks (of not just DNS but all network traffic) in both steady and non-steady states. On other platforms (like iOS), the OS reserves special treatment for privileged apps (like that of Apple’s).

2 Likes
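The leak scenario discussed above (a router-assigned resolver still reachable outside the tunnel, and the nslookup-style check suggested earlier) can be verified statically from the host's resolver list and routing table. The script below is an added example, not code from any poster or VPN provider: it parses a constructed `resolv.conf` and `ip route` output, does longest-prefix matching the way the kernel does, and reports every resolver whose route leaves via an interface other than the tunnel. The interface name `wg0`, the addresses, and the split `0.0.0.0/1` + `128.0.0.0/1` routes are constructed to mimic a typical WireGuard client setup.

```python
import ipaddress

# Constructed sample inputs (not from the thread). The VPN tunnel is wg0; the
# router-assigned resolver 192.168.1.1 is on the LAN and so bypasses the tunnel.
RESOLV_CONF = """# constructed sample
nameserver 10.64.0.1
nameserver 192.168.1.1
options edns0
"""

IP_ROUTE = """default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.64.0.0/10 dev wg0 proto kernel scope link src 10.64.3.7
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42
0.0.0.0/1 dev wg0 scope link
128.0.0.0/1 dev wg0 scope link
"""


def parse_resolvers(text):
    """Return the nameserver addresses listed in a resolv.conf body."""
    return [line.split()[1] for line in text.splitlines()
            if line.startswith("nameserver")]


def parse_routes(text):
    """Return (network, device) pairs; 'default' is treated as 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        net = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(net, strict=False), dev))
    return routes


def egress_device(addr, routes):
    """Longest-prefix match: the most specific route wins (metrics ignored)."""
    ip = ipaddress.ip_address(addr)
    best = max((r for r in routes if ip in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None


def find_leaking_resolvers(resolv_conf, ip_route, tunnel_dev):
    """Resolvers whose queries would egress on an interface other than the tunnel."""
    routes = parse_routes(ip_route)
    return [ns for ns in parse_resolvers(resolv_conf)
            if egress_device(ns, routes) != tunnel_dev]


if __name__ == "__main__":
    print(find_leaking_resolvers(RESOLV_CONF, IP_ROUTE, "wg0"))
```

This only covers the system resolver; a browser with its own DNS-over-HTTPS setting, or per-interface DNS in systemd-resolved, takes a separate path that a routing-table check will not see.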

Great, that’s what I was thinking!

Thanks! I checked all 3 and they seem to give the expected result.

I’ll assume everything is OK.

I like to keep the DNS configured for the other people in my home that don’t necessarily use VPNs.

1 Like