john9527
Part of the Furniture
Wish there was a simple answer....it all depends on who you trust/distrust the most....I always had these questions and I do not know if you or someone can help me.
1. If I am using DNSCrypt, which is more secure the DNS servers of DNSCrypt or the DNS servers of my VPN Client?
2. If I am using DNSCrypt, is it better to disable the DNS servers of my VPN Client and only use the DNS servers of DNSCrypt?
3. Or What do you recommend?
- VPN -> VPN Client -> Accept DNS Configuration: Disabled
A couple of things to consider....
- DNSCrypt has been around the longest. It is a user open spec, but has never been submitted (or planned to be submitted) as a formal RFC.
- How much do you know about the folks running the DNSCrypt servers? Most (all?) of the DNSCrypt servers run by the 'big' providers are logging servers, so that needs to be considered as well.
- DNSCrypt can hide your DNS traffic from both your ISP and VPN provider.
- The VPN provider DNS will hide your DNS traffic from your ISP (if you have your router participating in the VPN), but if you exclude the router the DNS traffic is not VPN encrypted (see above about some potential problems with including the router in the VPN). Your VPN provider technically can see your DNS traffic as it exits the VPN on to the internet.
- Most big VPN providers advertise as non-logging. Where the provider is incorporated may influence how much they can follow their non-logging claim.
- You should also use DNSSEC to validate the server actually being used.
- I'm sure there are other consideration I could come up with
- Neither my ISP or VPN can monitor my DNS traffic.
- Performance probably near the best from an encryption viewpoint. The routing to the servers contribution to performance???? Need to test. I personally don't linger over DNS performance as long as it's reasonable....most accesses are cached anyway.
- I'm trusting my selected DNSCrypt server to be non-logging as they say it is and that they are following the DNSCrypt user spec (There's that trust thing).
- I say moving to DoT since that has a formal RFC. In the future, I think DoH will become more wide spread after its RFC is finalized (it's currently in draft mode and has some advantages over DoT).
- Side benefit is that things like ABSolution work for both VPN and WAN.