GrapheneOS's Recommendation on DNS Servers?

Our recommendation is to use the DNS servers provided by the network and to use a VPN. Most people should avoid using Private DNS. If you want to filter traffic, then use something like RethinkDNS which provides local filtering alongside being able to use a WireGuard VPN. Filtering traffic adds an easy way to fingerprint for websites and other services so you shouldn't filter traffic if you want to avoid standing out.

    OpenSource-Ghost The local network and ISP can see the connections to the IP addresses. They don't need the DNS queries to find the specific IP addresses that are used. It's not clear what the benefit would be of using the Private DNS server for looking up the VPN IP address since it's very obvious where you're connecting. You're talking about doing something sophisticated and yet not doing the basics. Private DNS only helps against unsophisticated, very passive surveillance and it has significant drawbacks such as being global rather than per-user like VPN configuration. You should avoid Private DNS in combination with VPNs especially when using multiple profiles.

    Our FAQ doesn't currently try to provide much advice on these topics, especially since people will then want to debate it and attack the project over it.

    GrapheneOS

    Thanks a lot for providing this very useful information!

    May I please ask a few questions regarding this, to clarify which method is the best? I believe other members will benefit from this too.

    My understanding (and I might be wrong, hence the questions) is:

    1. The best choice is to use VPN with its own DNS server - this is clear enough, no questions here.
    2. But in case we need to block trackers via DNS, you advised it is better to use something like RethinkDNS instead of built-in Private DNS. However, both RethinkDNS and Private DNS will change the DNS, so no matter which one we use with the VPN, the DNS will be different from the VPN's DNS, hence opening a hole for fingerprinting. With this in mind, why would we use RethinkDNS if we can use Private DNS instead and block trackers in all profiles? What's the difference between them if both will change the DNS and will ultimately make the VPN connection more fingerprintable?
    3. On Graphene's FAQ, in the "Are ad-blocking apps supported?" section, it says that "Content filtering apps are fully compatible with GrapheneOS, but they have serious drawbacks and are not recommended. These apps use the VPN service feature to route traffic through themselves to perform filtering. The approach of intercepting traffic is inherently incompatible with encryption from the client to the server" which, as far as I understand, seems to contradict the idea of using RethinkDNS and logically means that Private DNS will be a better option? Can you please confirm?
    4. Based on the facts above, the only practical benefit of using RethinkDNS (and again, I might be wrong here) is to use RethinkDNS only for specific installed apps that have trackers and let all other tracker-free apps as well as the web browser (to avoid websites fingerprinting based on a unique DNS-VPN combination) use the VPN's DNS. But in this case the websites we visit via the browser will process all the trackers, as most web browsers don't have built-in adblockers, and the ones that have them (for example, Brave) will make you fingerprintable if we select built-in filters (this is as per Privacy Guides' Brave settings recommendation, which specifically says to not select any built-in tracker blocklist: https://www.privacyguides.org/en/mobile-browsers/#recommended-configuration). This again leads to the question of what the practical benefits of RethinkDNS vs built-in Private DNS are and how we solve tracker issues (both in installed apps and when visiting websites)?

      • [deleted]

      Volen Can you please confirm?

      The RethinkDNS application can act as a (WireGuard) VPN client too.

        [deleted]

        It's not really an advantage as we can use Private DNS + the VPN provider's own app, which is better in most cases (and can also rotate WireGuard keys easily). Using RethinkDNS's DNS+VPN will still have a unique (RethinkDNS's) DNS for the VPN.

        Volen Not sad, they have improved it. Go to the link I posted & have a read...

          The way I look at it is a solid VPN like Mullvad or Proton using their DNS will do the trick. I'm sure Mullvad does it, but I know Proton VPN DNS servers seek to block adware and malware. You also should use a privacy browser (with a privacy search engine) to block ads/tracking/fingerprinting, and I made Proton Mail my go-to as it blocks ads/tracking in emails. Trackers are placed in "legit" (not otherwise malicious) email links and in the pixels of a company logo in an email that activate when the email is opened. Proton Mail shows how many have been blocked. You will never stop it, but can mitigate.

          As for VPNs not being anonymous, if your VPN truly does not log what you search as well as your real IP, and you paid with a crypto and throwaway email, they can make you pretty anonymous. Both VPNs and Tor can be hit by correlation attacks on exit nodes, but that is generally nation state level (can also always have a bad apple working for a VPN or running a Tor exit node), but you need to really be on guv radar to be targeted for correlation.

          GrapheneOS So wait, hold on… when you say use the network's DNS, is the network the VPN?
          Aka I should use Mullvad's DNS if I'm on Mullvad VPN?

          What is the recommended way to block ads? Or is “filtering traffic” different from blocking ads?

          Because blocking ads is practically a requirement to effectively browse the internet nowadays, and I've had experiences with websites running ads that hijack the site somehow and cause redirects without me clicking on any ads. Which is pretty spooky, if you ask me, because even if I only go to trustworthy websites, I have kinda no way to know what ad networks they use to pay their bills, and even if I did, I also have no way of knowing what ads that network will run - aka there's kinda no way to know whether or not a website is trustworthy - so if I can't trust any website, I /have/ to put up defenses. So… blocking ads, right?

            GlytchMeister So wait, hold on… when you say use the network's DNS, is the network the VPN?
            Aka I should use Mullvad's DNS if I'm on Mullvad VPN?

            Obviously I can't speak for the project account, but I believe that's what they're saying.

            GlytchMeister What is the recommended way to block ads? Or is “filtering traffic” different from blocking ads?

            I don't know if there's a "recommended" way of blocking ads, but you can set up ad blocking in their app in Settings > VPN settings > DNS content blockers. This way you're using the "network DNS," so there should be no DNS leaks.

              other8026

              The problem is that their tracker lists are very basic. Better than nothing, but still basic. NextDNS and AdGuard Private DNS allow way more advanced filtering lists.

              For me personally it is much more important to block as many trackers as possible vs the chance that some websites might fingerprint based on DNS. Fingerprinting is a lost battle in most cases, as there are so many parameters that can make a device unique, not just DNS or IP.

              P3yot3

              You mean the possibility to add your own filters to the custom DNS? Won't it still make you unique as you will use a dedicated Mullvad DNS server with your configs on it?