I'm currently using a VPN and VPN provided DNS servers. What is the purpose of private DNS function when I'm already using VPN provided DNS servers. As of now I have it on default setting (automatic).
What is the purpose of private DNS setting if I use a VPN?
It's better to just use the VPN's DNS servers.
The private DNS setting is more for if you're not using a VPN and want to keep your ISP from snooping on your DNS requests or even modifying the responses.
Using the two together doesn't make much sense. It's better to use a VPN provider that you trust to not store logs, or use Tor if you want true anonymity.
If you use the two together, your phone will use the private DNS servers for DNS requests. I played with it a little and it looks like the secure DNS requests were done through the VPN tunnel, so you don't have to change your VPN settings to allow connections outside of the VPN.
The reason this doesn't make any sense is because by doing it this way you have to trust two different entities. Sure, your VPN provider can't see your DNS requests, but it can still see which IP addresses your phone is communicating with, so they could still figure out what sites you're going to if they really wanted.
I honestly didn't know the actual answer to that question, so I looked in to it for you.
Here is a short summary of what I figured out:
- Disabled means there will be no DNS over TLS (private DNS) connections made.
- Automatic, or opportunistic mode, means your phone can automatically connect to a DNS over TLS server if one is set up by your provider, in this case this would include your VPN provider.
- Enabled means it'll connect to your preferred server, but there'll be more checks to verify the authenticity of the server.
Here's some background info that I'm sharing because I have the links handy... First, from the GrapheneOS website:
A test query is done via DNS-over-TLS in the automatic and manually enabled modes to detect if DNS-over-TLS is available. It won't happen when DNS-over-TLS is disabled. For the automatic mode, it uses this to determine if it should be using it and for the manual mode it uses it to report an error. This DNS query is not used to make a connection to the resulting resolved IP.
There's also a whole page about this on Google's website. But note that the info on this page is for AOSP. On GrapheneOS, if you use GrapheneOS's server for connectivity checks (the default), you'd be using GrapheneOS's server, not Google's (this is covered on the same page on the GOS website I linked earlier).
unwat I might be wrong, but I think that when you disable it, it will just use the network-provided (ISP's) DNS to resolve to my VPN. When I use it on automatic, it uses the network-provided private DNS and will fall back on Cloudflare DNS, AKA 1.1.1.1, if there is an error or something with my network provider's DNS. Because I tried disabling it and my VPN-provided ad blocking still worked.
A VPN provides a network layered on top of the underlying networks and the OS uses the VPN-provided DNS servers for everything beyond resolving the IP address of the VPN and performing network connectivity checks on each of the underlying networks in addition to the VPN itself.
Your phone should be using your VPN's DNS server(s)
In some broken or unusual network environments, the network could fail to provide DNS servers as part of dynamic IP configuration. The OS has high availability fallback DNS servers to handle this case. A network can fail to provide DNS servers in order to fingerprint clients based on what they use as the fallback so it's important for it to be consistent across each install. GrapheneOS replaces Google Public DNS with Cloudflare DNS for the fallback DNS servers due to the superior privacy policy and widespread usage including as the fallback DNS servers in other Android-based operating systems.
So, yes, the OS will use Cloudflare as a fallback. (both quotes are from https://grapheneos.org/faq)
Vayix Because I tried disabling it and my VPN provided adblocking still worked.
If your VPN's provided adblocking worked, that's because your phone is using their ad blocking DNS server.
dnsleaktest.com
unwat That's how I understand it. If I disable private DNS, it will use my ISP's DNS servers to resolve to my VPN and do connectivity checks. If I set it to automatic, it will use the ISP's private DNS servers if they provide those at all, and if something like an error happens it will fall back on Cloudflare (1.1.1.1). In both of these scenarios DNS will only be used to resolve to my VPN and for connectivity checks and stuff. All other traffic will use my VPN's DNS servers.
Turns out Private DNS should be set on "Disabled".
From reading this thread what I understood is that manual mode shouldn't be used while using a VPN.
But could someone explain the differences between disabled and automatic modes while using a VPN, and whether there are any advantages or disadvantages of using one over the other? I couldn't find any clear explanation or answer for this in my research. The link that Pociwo posted above says to disable it, while a moderator of the ProtonVPN subreddit says to leave it on automatic.
There is a similar setting in Vanadium too. It's called secure DNS and it has the same options as private DNS. The same questions asked above apply to this setting too.
Gimiso But could someone explain the differences between disabled and automatic modes while using a VPN and if there is any advantages or disadvantages of using one over another?
It shouldn't matter since your phone will get network info from the VPN. Your phone will just automatically select the DNS server they provide, which, I understand, will be the regular old DNS, not a DNS over TLS.
With automatic, your phone will just check for a DoT and not find one. The end result is the same either way.
You should not use a DNS with a VPN.
That's not entirely true. Many VPN providers and apps have settings for custom DNS servers. In some cases, like NordVPN, it makes sense to use AdGuard DNS servers because NordVPN uses Google Analytics, which gets blocked by AdGuard DNS servers.
On top of that, many VPN providers do not use any DNS encryption methods. It may seem like overkill to use DNS-over-HTTPS and/or DNS-over-TLS within a VPN tunnel, but it isn't. Authorities, for example, are well aware of the datacenters used by VPN providers. Once they establish exit node surveillance, they can redirect traffic via DNS hijacking. That's not as uncommon as you'd think. Mass surveillance is a thing and governments consider VPN datacenters to be hideouts for criminals. With encrypted DNS queries, you'd at least be visiting real, non-spoofed sites.
I don't know if anyone with NordVPN tried to access Amazon.com on PC lately, but I did, and it directed me to a site blocked by my firewall. Why? My firewall blocks all reserved and private IP ranges (even within VPN tunnels). NordVPN DNS directed me to a 100.X.X.X IP (reserved range) for Amazon.com. It was some kind of a proxy. Other private DNS providers didn't do that and took me to the actual Amazon.com hosted by Amazon.
Also, using private DNS server in Android settings is a good idea even for VPN users. It makes sure the initial DNS resolution of your VPN tunnel domains is encrypted.
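As an added example (not code from any poster in this thread), here is a small Python check for the situation described above: it flags resolver answers that point a hostname at a reserved or non-public range such as 100.64.0.0/10, the kind of answer a firewall that blocks reserved ranges would reject. The hostnames and addresses below are constructed sample data, not real resolver output.

```python
import ipaddress

# Non-globally-routable IPv4 ranges from the IANA special-purpose registry.
# 100.64.0.0/10 is the RFC 6598 shared address space (the "100.X.X.X" case above).
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]


def non_public_range(ip: str):
    """Return the reserved/private network containing ip, or None if it is public."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        # For IPv6 rely on the stdlib's global-reachability classification.
        return None if addr.is_global else "non-global IPv6"
    for net in NON_PUBLIC_V4:
        if addr in net:
            return str(net)
    return None


def audit_answers(answers: dict) -> dict:
    """answers maps hostname -> list of A/AAAA records a resolver returned.

    Returns {hostname: [(ip, range), ...]} for every answer that lands in a
    non-public range; public hostnames should normally never resolve there.
    """
    findings = {}
    for host, ips in answers.items():
        hits = [(ip, rng) for ip in ips if (rng := non_public_range(ip))]
        if hits:
            findings[host] = hits
    return findings


# Constructed sample answers: one hostname "resolved" into the shared address
# space, two ordinary public answers (IPv4 and IPv6).
SAMPLE = {
    "shop.example": ["100.65.12.34"],
    "public.example": ["1.1.1.1", "2606:4700:4700::1111"],
}

if __name__ == "__main__":
    for host, hits in audit_answers(SAMPLE).items():
        for ip, rng in hits:
            print(f"{host}: {ip} is inside reserved range {rng}")
```

Feed it the answers from a leak-test tool or from `dig` against the VPN's resolver to see whether the tunnel's DNS is handing out proxy or reserved addresses for public sites.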
Disabled means disabled.
Automatic means that it will attempt to establish the connection to the default DNS via TLS encryption.
Both options have no impact on the DNS set by a VPN.