About custom dns+vpn

Currently I am using custom DNS over TLS with a VPN. In dnsleaks I see my VPN IP and my DNS IP, so no leaks there. But since DoT requests are outside the tunnel, I think that the ISP can see the IP addresses of the sites I visit, so it defeats the purpose of using a VPN. Am I right? And if I am, is it possible to push DoT through the VPN tunnel?

1 Like

I’m not a pro in networking, but my understanding is that if you’re using an actual VPN (over OpenVPN/WireGuard/IPsec/IKEv2/etc. protocol) everything should tunnel to your exit point and get routed anywhere from there. At least that’s the conclusion I came to in my experience.

If you’re using a commercial VPN service that should be the case, but if you’re self-hosting there might be complications if you deviate from the defaults.

I’d be glad to be corrected if I’m mistaken.

I am using Protonvpn+Nextdns over tls in my router and Windscribe+Nextdns over tls in my android phone.

With the same caveat as the other person (I am not an expert) I think you may be misunderstanding some things:

Currently i am using custom dns over tls with vpn.

For what reason are you doing this? There are decent reasons you might optionally choose to do this, but you should be clear on specifically why, and what problem you are trying to solve. Using DoT in combination with a VPN is not necessary, does not improve privacy or security in most respects (compared to using the VPN provider’s DNS servers), and does add complexity, so if you are going to do so, you should have a clear reason to.

But since DoT requests are outside the tunnel, I think that the ISP can see the IP addresses of the sites I visit, so it defeats the purpose of using a VPN.

Am I right?

I don’t believe so.

First off, I don’t believe it is true that your DoT requests are outside the VPN tunnel unless you have specifically set it up that way. But “the tunnel” only exists between you and the VPN provider; all traffic (whether HTTP or DNS) is outside the tunnel once it leaves the VPN’s exit nodes. If you are using a VPN, I believe all traffic regardless of protocol is encrypted between your device or network and the VPN, and all traffic is outside that tunnel for the second half of its journey (VPN provider to remote server, which could be a web or DNS server).

But regardless of whether your DNS traffic is passing through the VPN tunnel or not, the ISP should not be able to see the contents of that traffic (because you are using DoT, which is encrypted). So if your ISP can see your DNS traffic, they can see the IP address of your DNS provider, but they can’t see the IP addresses of the sites you visit just from observing your DNS traffic (because that traffic is encrypted regardless of whether you use a VPN or not).

2 Likes

Wow, thank you for detailed answer!
:beers:
I am not an expert in privacy or networking fields, just trying to find what’s best for me.
The reason I am using NextDNS is the ability to filter DNS traffic. Something like a system-wide uBlock Origin tuned for every device that I use.
The VPN is for hiding all the traffic from the ISP.
I am not trying to blend in with the crowd or to resist fingerprinting. Just to filter DNS and to hide my web activity from the ISP.

This is valid

I use NextDNS in combination with a VPN, but I do so because I like the control panel/logging and the flexibility, not just the content filtering.

If content filtering is the only reason you are using NextDNS there may be a straightforward, robust, and elegant solution. Many VPNs have content filtering built in. I believe this includes all of the top VPNs from this site’s VPN comparison. If you go with one of these VPNs (e.g. Mullvad, IVPN, Proton, AirVPN, Windscribe) you can kill two birds with one stone, and do so in a more robust way (content filtering and hiding your traffic from your ISP). This assumes that you use your VPN 100% of the time. One advantage of this is that DNS queries and content filtering happen within the virtual private network.

Another possibility, if you are technically inclined: since you don’t care about ‘blending in with the crowd’ or fingerprinting/appearing unique, you could rent a cheap VPS (<$5 a month), install AdGuard Home or Pi-hole for DNS filtering, install WireGuard, Tailscale, or some other VPN software, and you’ve got your own VPN with content filtering built in.

Like you rightly intuited, on AOSP 10+, all DNS traffic (encrypted or not), from installed apps, unless explicitly “protected”, will flow through the active VPN tunnel.

Could you elaborate on this bit?

What does explicit protection entail?

Is ‘explicit protection’ something that (A) the app, (B) the OS, or (C) the end user has the power to grant or forbid?

I use NextDNS in combination with a VPN, but I do so because I like the control panel/logging and the flexibility, not just the content filtering.

My reason is the same. I just didn’t explain it well.

I am using a NextDNS custom profile + VPN in my router for filtering my home network (computers and IoT devices).
And every mobile phone uses a separate custom DNS profile for a different user.

@xe3 I believe this means that some apps can have their own embedded DNS settings that override system or proxy DNS settings for these apps’ traffic, like maybe some Google apps have 8.8.8.8 hardcoded or whatnot.

@ignoramous btw, I have found a decent workaround for my DNS setup for Rethink instead of that Pi-hole abomination.


I’m using NekoBox in proxy (not VPN or TUN) mode, DoH NextDNS as remote DNS, my WireGuard exit point config and a route rule to proxy all apps for good measure.
I then set a DNS proxy in Rethink pointing to NekoBox while continuing to use the WireGuard proxy in Rethink and it taking the VPN slot.
The result is that the dnsleaktest.com extended test shows NextDNS’ servers from my exit point’s location, not from my location.

I also tried to set my Pi-hole’s virtual LAN IP:53 as remote DNS in NekoBox, and it is available from outside of my home network, via mobile data for example, and dnsleaktest shows the same servers as my home PC with Pi-hole as its DNS. Neat!

1 Like

A: Installed apps can request to be bound to a specific network, bypassing the VPN. The VPN app can of course block this (but not all VPN apps do so). Rethink blocks this.

B: The OS can fwmark any socket to have it bypass the VPN (for connectivity checks, for instance). AOSP only affords this to system apps.

C: The end-user can prevent “A” from happening by putting the VPN app in “Lockdown” mode (i.e., turn ON “Block connections without VPN” on Android 10+). The end-user or the VPN app has no say on “B”.

1 Like