VPN, Encrypted DNS and Adblocking on iOS

What do you want advice about?

I want to understand what the current best practices would be for configuring iOS to use encrypted DNS (e.g., Mullvad DNS over HTTPS), a VPN (ProtonVPN) and system-wide adblocking (uBlock Lite on iOS).

What have you considered or looked at already?

ProtonVPN + Adguard for Safari + NextDNS

ProtonVPN + Mullvad DNS: can’t have both running without DNS leaks, not sure I need the VPN most of the time anyway

Mullvad DNS + uBlock Lite for Safari: this seems to be the best option I’ve come across, no DNS leaks and adblocking on Safari, adding VPN into the mix breaks things though.

In brief, tell us about your privacy threat model?

My goal is to block as many ads as possible across device and achieve the highest level of privacy I can in the process. My threat model really consists of wanting to avoid tracking through ads and where possible limit ISP tracking.

Is it possible to throw a VPN into the mix without getting DNS leaks when using a separate DNS provider from the VPN?

I’m not entirely sure if I really need this, but I’m trying to get an understanding of what’s possible.

Why do you want to do that?

Basically, my approach is to secure my home network as best I can. Insert big discussion on ad and tracker blocking, VPNs, etc. here. Pick your poison as to how far you want to go.

Then, since I trust that my home network is secure for my threat model, I simply have Wireguard on my iPhone set to automatically connect to my home network when I am not on my home WiFi so it gets all the home goodness without a whole lot of additional effort.

That won’t protect the phone against location tracking by the cellular network. Or by Bluetooth detectors in stores, etc. But that is a whole different level set of threats than the OP seemed to mention.

Because ProtonVPN’s NetShield is sub-par at blocking ads whereas NextDNS uses custom blocklists and is far more reliable at this. The level of control you have using NextDNS over NetShield is night and day.

I have since realised that what I’m looking for is a more comprehensive custom DNS solution within ProtonVPN that gives users the option to use custom DNS over DoH and not limit it to IPv4 only (a bit ridiculous in 2025?)

This would enable me to use VPN and a well-configured DNS over DoH, then throw uBlock Lite for iOS on Safari and I think that pretty much gives full protection from ads on iOS at the system and browser level as well as a VPN connection. It’s the most complete solution I can think of.

For a VPN solution, I actually would consider Lockdown Privacy, as that’s from former Apple engineers. Add that to uBlock Origin Lite, as mentioned earlier, and I’d use ControlD for DNS. That’s a setup I’d personally use.
