So I know that when using a VPN it is typically best to use the VPN company’s DNS servers so DNS requests do not leak out of the secure tunnel. The unfortunate thing is that most providers (save for IVPN, the WireGuard app, and a few others) do not support DoH or DoT in their clients, which mostly solves the leak problem. Though more and more clients are supporting custom IPv4 and IPv6 DNS addresses.
In theory, if someone wants to use a custom DNS server that is operated by a trusted third party and the VPN application only supports unencrypted custom DNS servers, what is the true risk there? Specifically, what is the risk when using multihop, which further separates the user’s activity from their DNS requests?
AFAIK, the risk of unencrypted DNS is that the queries can be intercepted and poisoned, but with multihop, wouldn’t it be extremely difficult to know who that user is and therefore reduce the risk of unencrypted DNS?
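As an added illustration of the interception point raised above (example code, not part of the original post): a plaintext DNS query carries its transaction ID and the queried name in the clear, so anyone on the path between the VPN exit and the third-party resolver can read every hostname, and a spoofed answer only has to match that 16-bit ID and the source port to be accepted. The packet bytes below are constructed by hand, not captured from a real network.

```python
import struct

# Constructed sample: a plaintext DNS query (UDP payload) for example.com, type A,
# laid out per the RFC 1035 wire format. Not captured from any real traffic.
SAMPLE_QUERY = (
    b"\x1a\x2b"                  # transaction ID 0x1a2b
    b"\x01\x00"                  # flags: standard query, recursion desired
    b"\x00\x01"                  # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"  # ANCOUNT / NSCOUNT / ARCOUNT = 0
    b"\x07example\x03com\x00"    # QNAME as length-prefixed labels
    b"\x00\x01"                  # QTYPE = A
    b"\x00\x01"                  # QCLASS = IN
)


def parse_dns_query(payload: bytes) -> dict:
    """Decode the header and first question of a DNS message.

    Everything returned here is what a passive observer on an unencrypted
    path sees: the transaction ID (the only secret protecting the reply from
    forgery, together with the UDP source port) and the full queried name.
    """
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    offset = 12
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[offset]
        offset += 1
        if length == 0:          # root label terminates the name
            break
        if length & 0xC0:        # compression pointers do not occur in queries
            raise ValueError("unexpected compression pointer in query")
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
    return {
        "txid": txid,
        "recursion_desired": bool(flags & 0x0100),
        "qdcount": qdcount,
        "qname": ".".join(labels),
        "qtype": qtype,
        "qclass": qclass,
    }
```

With DoH or DoT the same bytes travel inside TLS, so this decode is only possible at the resolver itself.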