Question about Rethink DNS, VPN DNS, Vanadium/Android DNS

Elysium

I have an understanding question regarding how DNS work in conjunction with other DNS settings.

What I learned was, that I could use my VPN provider DNS implementation to deal with how my connections are resolved. Without relying on the OS DNS. So my "private DNS mode" on GOS is set to off.
Because according to my current knowledge, having multiple DNS resolver in row, opens up the door to leaks and puts trust in more than one party to deal with your requests.

GOS documentation also said similar

If you're using a VPN, we recommended against having a Private DNS server configured. If you want to filter traffic while using a VPN, use a VPN service app able to do both such as RethinkDNS. Private DNS also interacts strangely with multiple profiles since each profile has their own VPN configuration but Private DNS is global. We strongly recommend fully disabling Private DNS when using a VPN on any secondary profile until it's overhauled.

Now Vanadium has also Secure DNS as On - next to the OS setting "Private DNS" turned to off, and ReThinkDNS with a proxy wireguard tunnel to my VPN provider, which has their own DNS implementation.
Does this create conflicts? In Vanadium it says "User your current service provider" as default - is this referring to RethinkDNS as service for DNS resolvs? Or is it something else entirely?

A different question - I add a DNS block in ReThinkDNS, it adds it under firewall under a domain block. So I am not using a ReThinkDNS filter list, but a local filter? Is this really local and not making requests to Rethinks DNS server?

So I am just using a ReThinkDNS firewall and my VPN service own DNS resolver (via wireguard in RethinkDNS)?

Thanks for clarification

becomeparmesan

Current service provider means the system DNS or VPN/RethinkDNS in that case. Like, Vanadium does not interfere at all with the DNS resolving, that is what is meant.

I tried several cases to see which DNS is chosen and the order is: DNS of app -> DNS of system -> DNS of RethinkDNS
That means if you want to use the DNS of your VPN, selected via RethinkDNS, do not set any other DNS resolver anywhere. If you use a VPN you want to merge with other users and should use therefore their resolver.

Yes, DNS blocking of manually added domains happens locally. You can also download blocklists and again, the blocking would happen locally.

Correct, I would stick to using your VPNs own DNS resolver via Wireguard through RethinkDNS.

Elysium

becomeparmesan Like, Vanadium does not interfere at all with the DNS resolving, that is what is meant.
I tried several cases to see which DNS is chosen and the order is: DNS of app -> DNS of system -> DNS of RethinkDNS

So that should mean, whatever setting I pick in Vanadium (Secure DNS enabled/disabled) doesn't matter in this situation right? Because globally it is Rethink determining it anyway.

becomeparmesan Yes, DNS blocking of manually added domains happens locally. You can also download blocklists and again, the blocking would happen locally.

And this is I assume good for privacy/security because it happens at the network level, so it shouldn't increase fingerprint like some content blocker like ublock origin could if you use custom filters on a website directly.
Downside being website could break if filter are aggressive or higher battery usage, but not sure about the latter.

(Now I still wish I could easily switch a wireguard config in RethinkDNS, without the 10-12 extra clicks, when a website occasionally blocks the VPN IP)

Thanks for info and clearing things up. I understand it more now.

becomeparmesan

Was a bit confusing how I wrote it: the most dominant setting is in the app itself, then the system setting, then the RethinkDNS setting. So what you set in Vanadium matters and you should keep it as "Use your current service provider" + do not set anything as system DNS - all while routing the traffic of Vanadium through RethinkDNS. Then, the VPN/RethinkDNS resolver will be used. You can check that here: mullvad.net/check

About the fingerprint: that was also my understanding initially but unfortunately pages can check which domains you are blocking - no matter if locally or via a remote service. So again, the best best way is to not have very individual settings and use widely used filters so you merge into the crowd of those users. Hope that explained it, feel free to ask again.

Elysium

Roger that! I think I saw Rethink as app too in that example, which lead me to make a wrong conclusion...

Wish the blocklists would further unify into a few different preset-categories instead of the current many options to select from, to mitigate fingerprinting further.
Having Aggressiveprivacy, extremeprivacy, liteprivacy (and recommended) - I think the average user will not understand why it needs to be its own category if they only differ between 17 and 20 blocklists.
If community could agree to use e.g. all security lists + liteprivacy or recommended as minimum default, it would make things less unique. That would require the devs to simplify presets further or community to spread the word.
Similar how Tor or Mullvad try to standardize things for every user.
Advanced users could still select individual lists if they want of course, like they can now.
But that is a ReThink topic to debate about.

becomeparmesan

Yeah, the approach to standardize filters definitely makes sense.

A common approach is to have multiple browsers installed and depending on which features the opened page needs, you change the browser. So you would start to open the page with the Tor browser, if page can't be opened -> IronFox or other hardened browser -> if page still can't be opened, use less hardened browser etc. all the way down to a browser with some ad-blocking and exempt from VPN (as some pages also block VPNs). Quite time consuming and not sure if there a still identifiers that can nevertheless track you across all those browsers, but well..

One case where the personalized DNS blocking makes sense is with closed source apps though, like banking, public transport etc. There, you are anyway identified but want to reduce the tracking/shared info.