Currently I am using custom DNS over TLS with a VPN. In DNS leak tests I see my VPN IP and my DNS IP, so no leaks there. But since DoT requests are outside the tunnel, I think that the ISP can see the IP addresses of the sites I visit, so it defeats the purpose of using a VPN. Am I right? And if I am, is it possible to push DoT through the VPN tunnel?
I'm not a pro in networking, but my understanding is that if you're using an actual VPN (over OpenVPN/WireGuard/IPSec/IKEv2/etc. protocol) everything should tunnel to your exit point and get routed anywhere from there. At least that's the conclusion I came to in my experience.
If you're using a commercial VPN service that should be the case, but if you're self-hosting there might be complications if you deviate from the defaults.
I'd be glad to be corrected if I'm mistaken.
I am using ProtonVPN + NextDNS over TLS on my router and Windscribe + NextDNS over TLS on my Android phone.
With the same caveat as the other person (I am not an expert) I think you may be misunderstanding some things:
Currently i am using custom dns over tls with vpn.
For what reason are you doing this? There are decent reasons you might optionally choose to do this, but you should be clear on specifically why, what problem you are trying to solve. Using DoT in combination with a VPN is not necessary, does not improve privacy or security in most respects (compared to using the VPN provider's DNS servers), and does add complexity, so if you are going to do so, you should have a clear reason to.
But since DOT requests are outside the tunnel, i think that ISP can see ip addresses of the sites i visit, so it defeats the purpose of using vpn
Am i right?
I don't believe so.
First off, I don't believe it is true that your DoT requests are outside the VPN tunnel unless you have specifically set it up that way. But "the tunnel" only exists between you and the VPN provider; all traffic (whether HTTP or DNS) is outside the tunnel once it leaves the VPN's exit nodes. If you are using a VPN I believe all traffic regardless of protocol is encrypted between your device or network and the VPN, and all traffic is outside that tunnel for the second half of its journey (VPN provider to remote server, which could be a web or DNS server).
But regardless of whether your DNS traffic is passing through the VPN tunnel or not, the ISP should not be able to see the contents of that traffic (because you are using DoT, which is encrypted). So if your ISP can see your DNS traffic, they can see the IP address of your DNS provider, but they can't see the IP addresses of the sites you visit just from observing your DNS traffic (because that traffic is encrypted regardless of whether you use a VPN or not).
Wow, thank you for detailed answer!
I am not an expert in privacy or networking fields, just trying to find what's best for me.
The reason I am using NextDNS is the ability to filter DNS traffic. Something like a system-wide uBlock Origin tuned for every device that I use.
The VPN is for hiding all the traffic from the ISP.
I am not trying to blend in with the crowd or to resist fingerprinting. Just to filter DNS and to hide my web activity from the ISP.
This is valid
I use NextDNS in combination with a VPN, but I do so because I like the control panel/logging and the flexibility, not just the content filtering.
If content filtering is the only reason you are using NextDNS there may be a straightforward, robust, and elegant solution. Many VPNs have content filtering built in. I believe this includes all of the top VPNs from this site's VPN comparison. If you go with one of these VPNs (e.g. Mullvad, iVPN, Proton, AirVPN, Windscribe) you can kill two birds with one stone, and do so in a more robust way (content filtering and hiding your traffic from your ISP). This assumes that you use your VPN 100% of the time. One advantage of this is that DNS queries and content filtering happen within the virtual private network.
Another possibility if you are technically inclined. Since you don't care about "blending in with the crowd" or fingerprinting/appearing unique, you could rent a cheap VPS (<$5 a month), install AdGuard Home or Pi-hole for DNS filtering, install WireGuard, Tailscale, or some other VPN software, and you've got your own VPN with content filtering built in.
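Whether the resolver (DoT or plain) rides inside the tunnel is decided by routing, not by the DNS protocol: the resolver's IP either falls inside the VPN's routed prefixes (AllowedIPs in WireGuard terms) or it does not. The following script is an added example, not code from this thread or from any of the VPN or DNS products named in it. It parses a WireGuard-style client config and reports, for each resolver listed on the DNS= line, whether packets to it would traverse the tunnel. The three configs, the placeholder keys, and the resolver addresses (203.0.113.53, 2001:db8::53, 10.8.0.1) are constructed for the example; they are not anyone's real servers. The self-hosted case mirrors the VPS-plus-Pi-hole setup described above, where the filtering resolver sits on the tunnel's own subnet.

```python
"""Audit a WireGuard client config: is the DNS/DoT resolver routed through the tunnel?

Added example (not from the original thread). Assumes WireGuard-style configs;
all addresses and keys below are constructed placeholders.
"""
import ipaddress
from typing import Dict, List


def parse_wg_config(text: str) -> Dict[str, List[str]]:
    """Collect DNS= entries from [Interface] and AllowedIPs= from every [Peer].

    A hand-rolled parser is used because configparser rejects the duplicate
    [Peer] sections that multi-peer WireGuard configs legitimately contain.
    """
    dns: List[str] = []
    allowed: List[str] = []
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        values = [v.strip() for v in value.split(",") if v.strip()]
        if section == "interface" and key == "dns":
            dns.extend(values)
        elif section == "peer" and key == "allowedips":
            allowed.extend(values)
    return {"dns": dns, "allowed": allowed}


def routed_via_tunnel(address: str, allowed_ips: List[str]) -> bool:
    """True if `address` is covered by an AllowedIPs prefix of the same IP version.

    A 0.0.0.0/0 entry covers only IPv4; an IPv6 resolver still leaks past the
    tunnel unless ::/0 (or a matching IPv6 prefix) is present as well.
    """
    ip = ipaddress.ip_address(address)
    for prefix in allowed_ips:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version == ip.version and ip in net:
            return True
    return False


def audit(text: str) -> Dict[str, bool]:
    """Map each resolver IP on the DNS= line to whether the tunnel carries it.

    Search domains (non-IP entries on DNS=) are skipped; only resolver
    addresses matter for routing.
    """
    cfg = parse_wg_config(text)
    verdict: Dict[str, bool] = {}
    for entry in cfg["dns"]:
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            continue  # e.g. "home.internal" search domain, not a resolver
        verdict[entry] = routed_via_tunnel(entry, cfg["allowed"])
    return verdict


# --- constructed sample configs (placeholder keys, documentation addresses) ---
FULL_TUNNEL = """
[Interface]
PrivateKey = PLACEHOLDER_CLIENT_KEY
Address = 10.8.0.2/24, fd00:8::2/64
DNS = 203.0.113.53, 2001:db8::53, home.internal  # external DoT resolver, both families

[Peer]
PublicKey = PLACEHOLDER_SERVER_KEY
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0   # default: everything, DNS included, goes through
"""

SPLIT_TUNNEL = """
[Interface]
PrivateKey = PLACEHOLDER_CLIENT_KEY
Address = 10.8.0.2/24
DNS = 203.0.113.53   # external resolver...

[Peer]
PublicKey = PLACEHOLDER_SERVER_KEY
Endpoint = vpn.example.net:51820
AllowedIPs = 10.8.0.0/24   # ...but only the VPN subnet is routed: DoT goes out via ISP
"""

SELF_HOSTED = """
[Interface]
PrivateKey = PLACEHOLDER_CLIENT_KEY
Address = 10.8.0.2/24
DNS = 10.8.0.1   # Pi-hole / AdGuard Home listening on the VPS's tunnel address

[Peer]
PublicKey = PLACEHOLDER_SERVER_KEY
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0
"""

if __name__ == "__main__":
    for name, cfg in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL), ("self-hosted", SELF_HOSTED)):
        print(name, audit(cfg))
```

The split-tunnel case is the one the original question worries about: the DoT session is still encrypted, so the ISP path sees only the resolver's address and port 853, but the query itself is not carried by the VPN. Adding the resolver's address (or 0.0.0.0/0 and ::/0) to AllowedIPs is what "pushes DoT through the tunnel"; on Android the VPN app's declared routes play the same role.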
Like you rightly intuited, on AOSP 10+, all DNS traffic (encrypted or not) from installed apps, unless explicitly "protected", will flow through the active VPN tunnel.
Could you elaborate on this bit.
What does explicit protection entail?
Is "explicit protection" something that (A) the app, (B) the OS, or (C) the end user has the power to grant or forbid?
I use NextDNS in combination with a VPN, but I do so because I like the control panel/logging and the flexibility, not just the content filtering.
My reason is the same. I just didn't explain it well.
I am using a NextDNS custom profile + VPN on my router for filtering my home network (computers and IoT devices).
And every mobile phone uses a separate custom DNS profile for a different user.
@xe3 I believe this means that some apps can have their own embedded DNS settings that override system or proxy DNS settings for these apps' traffic, like maybe some Google apps have 8.8.8.8 hardcoded or whatnot.
@ignoramous btw, I have found a decent workaround for my DNS setup for Rethink instead of that Pi-hole abomination.
I'm using NekoBox in proxy (not VPN or TUN) mode, DoH NextDNS as remote DNS, my WireGuard exit point config and a route rule to proxy all apps for good measure.
I then set a DNS proxy in Rethink pointing to NekoBox while continuing to use the WireGuard proxy in Rethink, with it taking the VPN slot.
The result is that the dnsleaktest.com extended test shows NextDNS' servers from my exit point's location, not from my location.
I also tried to set my Pi-hole's virtual LAN IP:53 as remote DNS in NekoBox and it is available from outside of my home network, via mobile data for example, and dnsleaktest shows the same servers as my home PC with Pi-hole as its DNS. Neat!
A: Installed apps can request to be bound to a specific network, bypassing the VPN. The VPN app can of course block this (but not all VPN apps do so). Rethink blocks this.
B: The OS can fwmark any socket to have it bypass the VPN (for connectivity checks, for instance). AOSP only affords this to system apps.
C: The end user can prevent "A" from happening by putting the VPN app in "Lockdown" mode (i.e., turn ON "Block connections without VPN" on Android 10+). Neither the end user nor the VPN app has any say on "B".