GrapheneOS's Recommendation on DNS Servers?

OpenSource-Ghost The local network and ISP can see the connections to the IP addresses. They don't need the DNS queries to find the specific IP addresses that are used. It's not clear what the benefit would be of using the Private DNS server for looking up the VPN IP address since it's very obvious where you're connecting. You're talking about doing something sophisticated and yet not doing the basics. Private DNS only helps against unsophisticated, very passive surveillance and it has significant drawbacks such as being global rather than per-user like VPN configuration. You should avoid Private DNS in combination with VPNs especially when using multiple profiles.

Our FAQ doesn't currently try to provide much advice on these topics, especially since people will then want to debate it and attack the project over it.

GrapheneOS

Thanks a lot for providing this very useful information!

May I please ask a few questions regarding this, to clarify which method is the best? I believe other members will benefit from this too.

My understanding (and I might be wrong, hence the questions) is:

1. The best choice is to use VPN with its own DNS server - this is clear enough, no questions here.
2. But in case if we need to block trackers via DNS, you advised it is better to use something like RethinkDNS instead of built-in Private DNS. However, both RethinkDNS and Private DNS will change the DNS so no matter which one we use with the VPN, the DNS will be different from VPN's DNS hence opening a hole for fingeprinting. With this in mind, why would we use RethinkDNS if we can use Private DNS instead and block trackers in all profiles? What's the difference between them if both will change the DNS and will ultimately make the VPN connection more fingerprintable?
3. On Graphene's FAQ, in the "Are ad-blocking apps supported?" section, it says that "Content filtering apps are fully compatible with GrapheneOS, but they have serious drawbacks and are not recommended. These apps use the VPN service feature to route traffic through themselves to perform filtering. The approach of intercepting traffic is inherently incompatible with encryption from the client to the server" which, as far as I understand, seems to contradict the idea of using the RethinkDNS and logically means that Private DNS will be a better option? Can you please confirm please?
4. Based on the facts above, the only practical benefit of using RethinkDNS (and again, I might be wrong here) is to use RethinkDNS only for specific installed apps that have trackers and let all other tracker-free apps as well as the web browser (to avoid websites to fingerprint based on unique DNS-VPN combination) to use VPN's DNS. But in this case the websites we visit via browser will process all the trackers as most web browsers don't have built-in adblockers and the ones that have it (for example, Brave) will make you fingerprintable if we select built-in filters (this is as per Privacy Guide's Brave settings recommendation that specifically says to not select any built-in tracker blocklist: https://www.privacyguides.org/en/mobile-browsers/#recommended-configuration). This again leads to the question of what are the practical benefits of RethinkDNS vs built-in Private DNS and how do we solve tracker issues (both in installed apps and when visiting websites)?

The way I look at it is a solid VPN like Mullvad or Proton using their DNS will do the trick. I'm sure Mullvad does it, but I know Proton VPN DNS servers seek to block adware and malware. You also should use a privacy browser (with privacy search engine) to block ads/tracking/fingerprinting and I made Proton Mail my go to as it blocks ads/tracking in emails. Trackers are placed in "legit" (not otherwise malicious) email links and in the pixels of a company logo in an email that activate when the email is opened. Proton Mail shows how many have been blocked. You will never stop it, but can mitigate.

As for VPNs not being anonymous, if your VPN truly does not log what you search as well as your real IP, and you paid with a crypto and throwaway email, they can make you pretty anonymous. Both VPNs and Tor can be hit by correlation attacks on exit nodes, but that is generally nation state level (can also always have a bad apple working for a VPN or running a Tor exit node), but you need to really be on guv radar to be targeted for correlation.