VPNs, NextDNS, and Security on macOS

Hey friends,

I’ve recently started using macOS, and I’m trying to find out the best and most private and secure way possible to use a trustworthy VPN in combination with NextDNS on my device.

My goal is to use a reputable VPN with NextDNS on macOS without needing to run the services as root.

Here’s the problems with other approaches I’ve tried:

Mullvad + NextDNS-Cli:

So, the first approach I tried and have been using, is to use Mullvad, in combination with NextDNS-Cli, and point Mullvad’s custom DNS in Settings to 127.0.0.1. This works, but it can be a bit hacky. Moreso, I’m worried about the security of this, as Mullvad’s daemon appears to run as root, as well as the NextDNS-Cli service. Mullvad has stated that sandboxing the macOS app is on their backlog here, but who knows when that will be done, and there’s still the problem of NextDNS-Cli. (I know Mullvad does appear to support custom DNS natively, but doesn’t appear to support it encrypted, which is where NextDNS-Cli comes in).

ProtonVPN:

ProtonVPN’s macOS app appears to be excellent from a security perspective. Not only does it not run as root, but it uses macOS’ full app sandbox. The problem is, it doesn’t appear to support using custom DNS on macOS at all. Bummer.

IVPN:

IVPN sounded very promising to me, and it’s close. The biggest benefit to IVPN is that it natively supports custom encrypted DNS, so there is no need for NextDNS-Cli. Nice. The downside is IVPN appears to run as root. Haven’t been able to find word from the devs if this is being worked on or not. It’s probably better than the Mullvad + NextDNS-Cli approach, since it gets 2 root services down to 1, but still not ideal.

Anyone have any ideas about this? Been thinking about this a lot and can’t really find an ideal approach. I’m just not particularly comfortable running services as root that don’t absolutely need it, due to the potential security and privacy implications, but using a VPN in combination with NextDNS is a must for me.

The only other idea I have is Tailscale, which appears to be sandboxed and might meet my requirements here, but I’m reluctant as their macOS client is closed source, and I’m unsure if it can do NextDNS encrypted or not in combination with Mullvad. It appears Tailscale’s cli is open source, but it requires root, which gets us back to square 1…

Any ideas and help really appreciated here, look forward to hearing what you all have to say, thank you!

Did you try running NextDNS via configuration profile?

I actually did think of that, but my understanding is that running a VPN overrides the DNS set by the configuration profile. I’ve seen conflicting information though, so wouldn’t hurt to give it a test, I’ll try it and see what happens. Thanks for the idea.

I just gave it a try, but it looks like the configuration profile doesn’t work in combination with Lulu. I guess that’s out then for me.

Correct. Apple only allows one to be enabled.

I don’t use a VPN so I just have LuLu enabled and manually edited the DNS on my Mac to use Quad9’s.

@Sharply I can confirm that you cannot use custom dns with ProtonVpn. Vpn will override other settings.
One way to use is to customise the wireguard config file from protonvpn and change the dns within it. I saw it on Reddit but did not try myself.
Another way to overcome this is to use a firewall like @anon59474973 pointed out. However, Lulu is not working well with blocklists, so you need to spend a few bucks for little snitch.

Have you tried using the macOS NextDNS client that is available in the macOS App Store, that worked alongside a VPN when I tried it.

That’s not a bad thought, but my biggest concern with that approach is that it doesn’t appear to be available outside of the App Store, and I’d rather not link an Apple ID to my device due to the privacy implications. The app’s also closed source, but I would be willing to overlook that.

For the time being, I’ve tested and set-up Tailscale with Mullvad and NextDNS, which appears to work great for my use case, but its still far from a perfect solution, so I’d definitely be open to any other points and ideas.

Maybe you can look for third- party VPN clients on macOS. Not sure how many of them are around or how many are distributed outside the App Store though.

Passepartout seems to be quite respected among Apple device users. It’s open source, but only available via App Store afaik. I don’t have a Mac, but did use the app on my iPad back when I was using Mullvad with NextDNS, and it worked well enough.

https://passepartoutvpn.app/

The dev is fairly responsive (at least in my experience), so maybe you can contact him via email or reddit with your questions about whether it runs as root and whatever else.

This seems like a great option! If it’s available in the Mac App Store, that does mean it would be sandboxed. Biggest downside for me is being only available in the App Store, so it’d unfortunately require an Apple ID, but I looked into it and according to the developer, it’s part of the 2024 Roadmap. Hope to see this happen, because this might check all of my boxes.

The biggest question I have that I don’t see answered by the website is whether it supports DOH/DOT or not, because that’d also be a dealbreaker.

Since a user might have both or one of these O/S, IOS or macOS, it is best to know what you’re dealing with, when it comes to Apple Private Relay. For those who are having an issue, this might be a thorn in your side.

https://whatismyipaddress.com/everything-you-need-to-know-about-apple-private-relay

I have just tried with ProtonVpn, and it does not seem to work along with the app at first try.

image951×194 12.5 KB

I tried a few times, and it is working as expected now. Probably it is because of LuLu. There is also an open github issue. LuLu 2.0.0 doesn't play well with Encrypted DNS profiles in Big Sur (ex. NextDNS) · Issue #280 · objective-see/LuLu · GitHub

You should use Windscribe, there is an option to add upstream dns over https which you can put next dns on it and the app support custom configs if you want to use a different vpn provider.

I’m really glad you suggested this, because I had no idea Windscribe had any of this functionality.

So far, it seems to be the best option I’ve tried. I ended up giving up on Tailscale, due to the fact that it doesn’t appear to be able to circumvent VPN blocks. Also no IPV6 support and some other quirks weren’t ideal.

It’s still not ideal though. The reason is that unfortunately Windscribe appears to run as root, which is what I’m trying to avoid ideally.

I think for the time being I’ll use it, but hopefully there’s a better solution, or Windscribe can improve their app on this.

I looked more into PassepartoutVPN and it seems nearly perfect, downside being not available outside of the App Store yet. Once that comes available outside of the app store, I think that could solve my problem.

Well since Passepartout is open source, you can compile the app yourself.

AFAIK the app currently uses an API that only works if the app is distributed through the App Store. But there’s now a similar API that works for non-App store apps, which Passeportout has on their roadmap to support. So I don’t think just compiling it as is would work, I’ll have to wait for them to add support.

Can’t thank you enough though for the suggestion of Windscribe, definitely seems like the best option for the time being.

Edit: Windscribe doesn’t appear to work for me on networks that block VPNS.

Mullvad also allows custom DNS.

Try their WStunnel

It’s legacy dns only though

Not sure if it requires root privileges, but the IVPN macOS app can be downloaded from their website (both Intel and Apple Silicon builds available), so I’d assume that gets you past the AppleID requirement hurdle.

Supports custom DoH which works flawlessly (on iOS/iPadOS) with NextDNS, though I personally don’t use the feature anymore because IVPN’s own DNS blocking is quite good.

Downside is that you need an IVPN subscription, which is pricier than Mullvad’s and doesn’t give you as many servers/locations.