DNS config with VPN

P195

Hi All,

Would anybody be able to help me with this query?

If I set up Unbound in pfSense / OPNsense to forward DNS requests to a private DNS service using DoT or DoH (e.g. Quad9), and then connect to a VPN on a client on my network, would DNS requests automatically get routed to the VPN’s DNS servers for that client, so my DNS would always be either the private DNS or my VPN provider’s, but never my ISP’s?

What if a second client is not connected to the VPN? Will the DNS queries for that client use the private DNS service at the same time as the VPN-connected client uses the VPN’s DNS?

Based on THIS article, it seems that using private DNS with a VPN makes DNS leaks more likely, so what would be the best way to configure DNS if I want to use private DNS when not connected to the VPN, but use the VPN’s DNS when connected to the VPN, for any given client?

I would appreciate it if replies could be kept easy to comprehend for a newbie.

Many Thanks 👍

PS. Sorry for the VPN and DNS count!
 
What about if a second client is not connected to VPN, will the DNS queries for that client use the private DNS service simultaneously while the VPN connected client uses the VPN’s DNS?
It's the whole concept that public vs. private DNS ensures privacy that is flawed.
But there are even worse. Quad9 servers are blacklisted in my system's software because they sell DNS data. So you really should research before trying to use a DNS outside of the ISP.

Even the most secure VPNs are hackable and only hide the outside IP address from novice webmins. Btw, anyone who defends VPNs after I post this is either paid to do so or involved with identity theft through VPNs.
 
If I set up Unbound in pfSense / OPNsense

You may want to use Unbound as Resolver, not Forwarder. It may give you better privacy.

private DNS service using DoT or DoH (e.g Quad9)

You mean encrypted DNS queries to a public DNS server upstream... private or not. In this case you can use Unbound as Forwarder only, because DNS encryption is not supported by root servers. Unbound has other privacy mechanisms built in.

connect to a VPN on a client on my network

This client will use whatever DNS is configured for this VPN service and will go around your firewall DNS settings through the encrypted VPN tunnel, i.e. data not visible to your firewall. Very unlikely to use your default ISP DNS servers.
 
Thanks for the replies guys.

I've spent today configuring OPNsense with Unbound and AdGuard Home as per THIS guide. OPNsense > AdGuard > Unbound (DNS over TLS) > Public DNS (unencrypted) > Root Servers. Seems to be working fine.
I also ran a DNS leak test both before the VPN was connected and after. I can confirm DNS queries were sent to the VPN's servers once connected and then fell back to the public DNS servers once disconnected.

You may want to use Unbound as Resolver, not Forwarder. It may give you better privacy.
So Unbound queries the root servers directly with no encryption? So OPNsense > AdGuard > Unbound > Root Servers? Is this a better choice than what I've configured, and why?

you really should research before trying to use a DNS outside of the ISP.
So it's better to use the ISP DNS than Quad9 / Cloudflare etc.?

Even the most secure VPNs are hackable and only hide the outside IP address from novice webmins.
What would you recommend for the best privacy configuration if a VPN doesn't cut the mustard and I don't want to use Tor? Would it make a difference if I used something like WireGuard with a well-regarded provider such as Mullvad?

Thanks both,
 
So OPNsense > AdGuard > Unbound > Root Servers?

In this configuration no upstream DNS service will have your full query logs, and AdGuard Home will do whatever filtering you eventually need locally. Your ISP will still see the servers you contact by IP address; you can't avoid this. Not sure what the VPN is needed for. Common practice for commercial VPN services is scare-tactic advertising to make you believe you need their services.
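The two Unbound modes the question and this reply compare, as an added example that is not from the thread or from the OPNsense/Unbound projects: fragment A is the forwarder-with-DoT chain the poster configured, fragment B is the recursive resolver suggested here. Use one or the other in unbound.conf (the OPNsense GUI writes equivalent directives); the LAN range and the file paths are assumptions, while 9.9.9.9/149.112.112.112 and dns.quad9.net are Quad9's published DoT endpoints.

```conf
# --- A: forwarder with DNS over TLS (the poster's setup) ---
# Cache misses go, encrypted, to the chosen public resolver. The ISP sees
# only a TLS session to port 853; the resolver operator sees every name.
server:
    interface: 0.0.0.0
    access-control: 192.168.1.0/24 allow          # constructed LAN range
    hide-identity: yes                            # don't answer id.server
    hide-version: yes                             # don't answer version.bind
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"   # assumed path
forward-zone:
    name: "."                                     # forward everything
    forward-tls-upstream: yes                     # DoT, not plain UDP/TCP 53
    # "#hostname" makes Unbound verify the upstream's certificate name
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net

# --- B: recursive resolver (the alternative suggested in this reply) ---
# No forward-zone: Unbound walks from the root servers itself over plain
# DNS, so no single upstream holds the full query log, while the ISP can
# still see which authoritative servers are contacted, by IP.
server:
    interface: 0.0.0.0
    access-control: 192.168.1.0/24 allow          # constructed LAN range
    hide-identity: yes
    hide-version: yes
    root-hints: "/var/lib/unbound/root.hints"     # assumed path
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path (DNSSEC)
    qname-minimisation: yes      # send each server only the labels it needs
    harden-dnssec-stripped: yes  # reject answers with DNSSEC records removed
    aggressive-nsec: yes         # answer NXDOMAIN from cached NSEC, fewer lookups
    prefetch: yes                # refresh popular names before their TTL expires
    minimal-responses: yes
```

`unbound-checkconf` validates either file before you reload the service.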
 
So it's better to use the ISP DNS than Quad9 / Cloudflare etc.?
It's better to run your own resolver. But the closest DNS server (lowest response time) is usually the best. However, always look into their DNS practices before using a public DNS in place of the ISP DNS.
 
What would you recommend for the best privacy configuration if a VPN doesn't cut the mustard and I don't want to use Tor? Would it make a difference if I used something like WireGuard with a well-regarded provider such as Mullvad?
I think people are under the misconception that remotely connecting to someone else's network gains them anonymity. It doesn't; all it does is involve law enforcement to warrant the VPN facility or wherever the VPS is located. But even that can be bypassed, since there is a way of finding out who's behind a VPN without involving law enforcement.
 
Some folks believe sending DNS queries encrypted to a 3rd-party DNS provider prevents ISP activity logging - not true. Others believe paying $3-5/month to a 3rd-party ISP (the VPN provider) gives them extra security, privacy and protection - also not true.
 
Some folks believe sending DNS queries encrypted to a 3rd-party DNS provider prevents ISP activity logging - not true. Others believe paying $3-5/month to a 3rd-party ISP (the VPN provider) gives them extra security, privacy and protection - also not true.
I admit that I was one of those people. So basically, by using an upstream public DNS, now BOTH they and your ISP can log your activity, so why involve another party, right? So if my understanding is correct, the best methodology is to cache results locally over time and then rely on that for the sites you regularly visit? So everything in THIS video is total bunkum and a waste of time? She's obviously getting paid by Quad9 and he is lying through his teeth about having concern for people's privacy.

And the huge industry of VPNs is just people who don't realise this and are all wasting their money? And the whole DoH / DoT thing is also pointless?

Interesting. So it's futile. It's basically use Tor for privacy? For someone who doesn't want/need to do that, anything else is a waste of time/money? Or are there some things you would recommend that will bring a tangible benefit?
 
Commercial VPNs have their use cases, but the advertising around such services makes you believe you can't go without one. DNS encryption may prevent eventual interception and redirection, but can't stop the ISP from logging the IPs you connect to. In both cases you trust someone else more than your ISP and send your data to them on top of what your ISP already sees and knows. If you are online, someone knows what you are doing. Nothing is free; you pay with your money or your data. Where is your privacy when your computers, phones, bank cards and lately even cars know what you are doing, when and where? Did you invite IoT devices into your home that send data to the Internet about when you turn on lights, when you get home, who is visiting you? Some are listening to what you say and serve targeted advertisements. What privacy exactly are you looking for?
 
So for someone who just wants to do their best to maintain privacy, and is happy to pay a bit of money, what do you recommend? Should I still encrypt my DNS? Should I still use a VPN? Is there anything else that will benefit? What would an expert who understands where the snake oil lies be doing?
 
So everything in THIS video is total bunkum and a waste of time? She's obviously getting paid by Quad9 and he is lying through his teeth about having concern for people's privacy.
Basically.
If you use an external resolver, the info is handed to an outside server, and DNSSEC only prevents listeners on the ISP net; however, that external DNS that you do not control and that you made a DNSSEC connection to could be logging it.

Like I said earlier, Quad9 DNS is a blacklisted DNS in my software because they sold data in the past.
 
So for someone who just wants to do their best to maintain privacy, and is happy to pay a bit of money, what do you recommend?

We have discussed this matter multiple times in detail here on SNB Forums. I recommend searching and deciding what you want to do based on whatever you choose to believe, the technical side of things or marketing claims.
 
I recommend searching and deciding what you want to do based on whatever you choose to believe, the technical side of things or marketing claims.
It's always useful to know what methods other people employ, because then it gives you options to explore. Unfortunately I don't have enough networking knowledge to fully understand what would or wouldn't benefit me in this respect, and more often than not threads are just debates rather than useful guidance, which is why I was asking for recommendations. If I had those, I would be able to focus on those areas, as at the moment it's all just conflicting and overwhelming.
 
There is no universal advice. I personally have a public VPN account for a specific use case, use unfiltered Google public DNS at home and drive an electric green-coloured sports car. The privacy issues people commonly worry about don't affect my life in any way.
 