I always run a VPN; my understanding is that when the Private DNS setting is set to automatic, all DNS requests are done by the VPN (correct me if I'm wrong).

Recently I used nextDNS by entering their DNS-over-TLS domain into the private DNS provider hostname. I was successful in routing DNS requests to them while using a VPN. I did this so I can view telemetry of apps quietly making data requests in the background. I have since put Private DNS back to automatic so that my VPN will handle all DNS requests (as I no longer need next). I've noticed that the DNS-over-TLS domain from next is still in the provider hostname and I am unable to delete it and save it to leave it blank. Is there any way I am able to remove this information from the provider hostname entry, and if Private DNS is set to off, are DNS requests then handled by the ISP directly?

Thanks.

    treequell doing a custom private DNS in network settings will force all traffic (including browsers, assuming they're set to automatic) through the DNS I've inputted, right? As in, there's no need to make any changes to the browsers?

    Additionally, if I were to reset the network private DNS to automatic, DNS will be sent to my ISP, or my VPN's DNS assuming my VPN is enabled?

    I notice that when I go back to automatic, graphene stores the domain info for the private DNS I was previously using and I can't seem to find a way to remove it (if I delete it and hit save it still stays there). Is there a workaround for this?

    Thanks for your time. Big fan of the project.

      Lolsrslybro doing a custom private DNS in network settings will force all traffic (including browsers, assuming they're set to automatic) through the DNS I've inputted, right? As in, there's no need to make any changes to the browsers?

      Yes and yes.

      Additionally, if I were to reset the network private DNS to automatic, DNS will be sent to my ISP, or my VPN's DNS assuming my VPN is enabled?

      Yes. You can also check which DNS you're using on https://www.dnsleaktest.com/

      I notice that when I go back to automatic, graphene stores the domain info for the private DNS I was previously using and I can't seem to find a way to remove it (if I delete it and hit save it still stays there). Is there a workaround for this?

      That's also the case on stock Android, iirc. It's just a 'cosmetic issue'. As long as your VPN is activated, the system should use their DNS. You can also set Private DNS to 'off' if it bothers you too much.

        NOiSE hey, thanks for your help. May I ask you a few more network-path-related questions?

        I'm trying to figure out: if I use a Private DNS for queries (not my VPN's) while my VPN is enabled, is the DNS service I'm using (in this case nextDNS) seeing my VPN IP or my personal IP? And additionally, if they're seeing my VPN IP, then everything else they're seeing should be encrypted due to the VPN, correct?

        Trying to understand the network path, I'm not sure which route is happening:

        Device > ISP internet access > VPN server > Browser URL entry > DNS request > Site I'm connecting to responds > Device

        Or Device > ISP internet access > Browser URL entry > DNS request > VPN server > Site I'm connecting to responds > Device

        Thanks again.

          What is the proper address to use for next DNS?

            E24 the DNS-over-TLS address, in the setup menu in the nextDNS portal. Place it into:

            Settings > network and internet > private DNS > private DNS provider hostname

            You can now have nextDNS do queries and run a VPN simultaneously.

            Lolsrslybro Unfortunately I'm not an expert when it comes to VPNs and how they work in detail. So hopefully someone with more knowledge in this can answer your questions.
            I did find this though, which should answer your question concerning using Private DNS alongside a VPN.

              • [deleted]


              Lolsrslybro if I use a Private DNS for queries (not my VPN's) while my VPN is enabled, is the DNS service I'm using (in this case nextDNS) seeing my VPN IP or my personal IP, and additionally, if they're seeing my VPN IP

              VPN IP. Your NextDNS logs should demonstrate just that.

              Lolsrslybro then everything else they're seeing should be encrypted due to the VPN correct

              Correct

              Trying to understand the network path, I'm not sure which route is happening

              https://twitter.com/GrapheneOS/status/1460414872282357765

                • [deleted]


                The approach you're using makes you stand out:

                "Apps and web sites can detect the configured DNS servers by generating random subdomains resolved by querying their authoritative DNS server. This can be used as part of fingerprinting users. If you're using a VPN, you should consider using the standard DNS service provided by the VPN service to avoid standing out from other users."

                Using a widely used service like AdGuard with a standard block list is recommended if you're bent on using DoT. Otherwise, using VPN-provided DNS is better for both blending in and avoiding other issues.

                  [deleted] yea, this seems like a catch-22 honestly.

                  If I'm using something like AdGuard or my VPN's DNS, I have to trust that the DNS requests are filtering what I want without truly knowing. In addition, I'm not able to block back-end telemetry like I can with nextDNS.

                  So it's either lower the chances of being fingerprinted and allow telemetry to be sent off in the back end and not have control over blocklists, or increase your risk of being fingerprinted but have control over blocklists and block telemetry that's being sent in the background (mainly through app usage).

                  So the question then becomes which is more important, and I assume that answer is going to change depending on who you ask.

                    • [deleted]


                    Lolsrslybro It's your call. I myself use VPN content filtering. That way I only trust one party instead of two. I also don't need a real-time dashboard to know it's working. But whatever works for you. There's no one-size-fits-all solution.

                      [deleted] yea, fair enough, just thinking out loud about different setups and the pros and cons of each. I appreciate all your advice; you've been very helpful, especially in confirming that nextDNS can only see my VPN IP and in knowing that what they "see" is encrypted via the VPN.

                      Cheers

                      a year later

                      treequell damn, I thought I didn't have to care about DNS when I am always on Orbot or a VPN.
                      Do I get it right that I am wrong?
                      I just checked my Vanadium DNS setting and it's set to automatic and "use provider DNS".
                      Is my DNS sniff-proof now, or can someone snoop in?
                      I'm on Orbot and Vanadium.

                      Lolsrslybro You can't actually successfully block analytics, telemetry, etc. by filtering DNS requests. You're only blocking it when it's split out from other functionality needed for things to work, which is increasingly less common. Enumerating badness also doesn't work well in the first place.

                      You could do filtering and monitoring locally with an app supporting local filtering combined with using a VPN, such as RethinkDNS. However, bear in mind that while avoiding using a non-VPN DNS server will avoid standing out in that regard, even entirely local filtering forwarding along to the network/VPN-provided DNS can still be trivially detected, and the blocklists you're using trivially enumerated to identify you. It's common to detect at least which basic blocklists are used as part of fingerprinting.

                        GrapheneOS

                        Oh, so if I want to avoid fingerprinting, I should just not use RDNS's on-device blocks and just stick with Mullvad's DNS filtering? That seems like the least unique option...