Private DNS

[deleted]

Lolsrslybro if I use a Private DNS for queries (not my VPN's) while my VPN is enabled, is the DNS service I'm using (in this case nextDNS), seeing my VPN IP or my Personal IP and additionally, If they're seeing my VPN IP

VPN IP. You NextDNS logs should demonstrate just that.

Lolsrslybro then everything else they're seeing should be encrypted due to the VPN correct

Correct

Trying to understand the network path, I'm not sure which route is happening

https://twitter.com/GrapheneOS/status/1460414872282357765

Lolsrslybro

[deleted] thanks for your help!

[deleted]

The approach you're using makes you stand out:

"Apps and web sites can detect the configured DNS servers by generating random subdomains resolved by querying their authoritative DNS server. This can be used as part of fingerprinting users. If you're using a VPN, you should consider using the standard DNS service provided by the VPN service to avoid standing out from other users."

Using a widely used service like AdGuard with a standard block list is recommend if you're bent on using DoT. Otherwise using VPN provided DNS is better for both blending in and avoiding other issues.

Lolsrslybro

[deleted] yea this seems like a catch 22 honestly.

If I'm using something like Adguard or my VPN DNS, I have to trust that the DNS requests are filtering what I want without truly knowing. In addition, in not able to block back end telemetry like i can with nextDNS.

So its either lower the chances of being finger printed and allow telemetry to be sent off in the back end and not have control over blocklists. Or increase your risk of being finger printed, but have control over blocklists and block telemetry that's being sent in the background (mainly through app usage).

So the question then becomes which is more important, and I assume that answer is going to change depending on who you ask.

[deleted]

Lolsrslybro It's your call. I myself use VPN content filtering. That way I only trust one party instead of two. I also don't need a real time dashboard to know it's working. But whatever works for you. There's no one-size-fits-all solutions.

GrapheneOS

Lolsrslybro You can't actually successfully block analytics, telemetry, etc. by filtering DNS requests. You're only blocking it when it's split out from other functionality needed for things to work, which is increasingly less common. Enumerating badness also doesn't work well in the first place.

You could do filtering and monitoring locally with an app supporting both local filtering combined with using a VPN such as RethinkDNS. However, bear in mind that while avoiding using a non-VPN DNS server will avoid standing out in that regard, even entirely local filtering forwarding along to the network / VPN provided DNS can still be trivially detecting and the blocklists you're using trivially enumerated to identify you. It's common to detect at least which basic blocklists are used as part of fingerprinting.

Lolsrslybro

[deleted] yea fair enough, just thinking out loud of different setups and the pros and cons of each. I appreciate all your advice, you've been very helpful. Especially in confirming that nextDNS can only see my VPN IP and in knowing that what they "see" is encrypted via the VPN.

Cheers

Lolsrslybro

NOiSE thanks!

shhhNotmilk

treequell damn I thaught I don't have to care about DNS when I am always on orbit or VPN.
Do I get it right that I am wrong?
I just checked my vanadium DNS setting and it's set to automatic and "use provider DNS"
Is my DNS sniff proof now or can someone snoop in?
I'm on orbot and vanadium.

infinitieunique

NOiSE

NOiSE https://www.dnsleaktest.com/

https://browserleaks.com would be better, its more universal

GlytchMeister

GrapheneOS

Oh, so if I want to avoid fingerprinting, I should just not use rdns's on-device blocks and just stick with mullvad's DNS filtering? That seems like the least unique option...