VPN vs DNS?

Hi, I use MullvadVPN on a daily basis, but since there’s no option to block ads in the phone version of the app (can’t tell if it really works on desktop either), I’ve started to think about using NextDNS as a custom resolver. Now, I sorta get the basics of how a DNS works, but once we get DoH and that kind of stuff I get a bit lost.

My question is, is a VPN worth it once I get a different DNS resolver involved? Does the DNS override the VPN one? Is NextDNS reliable?

Please keep in mind:
-My use-case for a VPN is mainly for obfuscation in public networks and hiding traffic from my ISP.
-I’m only interested in using NextDNS as an ad-blocker for my phone.

Please leave your thoughts and knowledge below.

2 Likes

Another question: does it make a difference to setup NextDNS as a custom DNS through the phone settings or the Mullvad app settings? Or is the result the same?

Using a private DNS with a VPN can be counterproductive, especially if using the DNS for ad-/tracker blocking. This is because when using a VPN one goal is to blend in as much as much as possible. This is achieved when a lot of users have the same IP address as well as DNS, so it’s harder to connect to a specific person. When using a private DNS this overrides the VPN DNS resolver. Therefore you might stand out from the mass making it easier to identify and track. There is also further explanation here at privacy guides.

(if I’m wrong about this than I’d gladly be corrected by someone with more knowledge)

Mullvad has ad-blocking DNS, even if it’s not as customizable, so might be worth using that instead with the VPN.

Depending on your use case and threat model you can choose your setup. I’d go with either Nextdns or Mullvad, not both, at least not at the same time. I myself use ProtonVPN on my phone, which also has ad-blocking. On my home network I have nextdns on the router (solely for ad-blocking) since I have a very privacy friendly ISP.

Edit: some clarification

As long as you trust both your chosen DNS resolver and the VPN provider you are using, I don’t think there is any significant loss of privacy by using a separate DNS.

You will lose some anonymity since the DNS resolver you use will likely be unique compared to other people with the same IP address provided by the VPN, but in my opinion the anonymity provided by VPNs is so fragile that this is not worth worrying about much. If you’re being tracked via your DNS resolver, you’re likely being tracked by other fingerprinting methods that VPNs don’t protect against anyway. It is something to take into consideration though.

On Android, the OS custom secure DNS settings will override the DNS settings of the VPN you are using, but this varies based on OS. In principle it shouldn’t make a difference whether you set the DNS resolver via the VPN app or the OS itself, just be sure you understand which takes priority (keep in mind that your browser can be used to set custom DNS resolvers as well).