[Solved] DNS Server with VPN

9 Posts
4 Users
1 Reactions
331 Views
(@johann0815)
Member
Joined: 4 years ago
Posts: 122
Topic starter  

Hi everyone.

I've set up my own DNS resolver in my local network (on a separate Raspberry Pi). This DNS has an upstream to NextDNS.io in router mode. There you can see the logs of which DNS queries were made.

I'm also connected to the internet via VPN. In the anonymization settings I've checked "Use VPN provider name servers (if available)" and normally that works. Dnsleaktest shows the nameserver of the VPN provider.

So here's my question: why can I see DNS queries from clients which are using the VPN in the NextDNS logs?

Does the VPN not work correctly, or is it correct that the DNS request is made before the VPN connection, and after that the data exchange is done via the VPN?

Thank you 

(@random)
Illustrious Member Admin
Joined: 6 years ago
Posts: 2073
 

I'm not sure if I have understood your question, but maybe this helps:

To my knowledge all traffic of a particular device is routed via the VPN if enabled in eBlocker. This includes all IP-based protocols like DNS, IMAP, ICMP, etc. There is no escape 😉 

Personally I'd recommend using eBlocker's DNS firewall to "mix" the requests across different DNS resolvers and not to use the (VPN) provider's DNS resolvers.

THX!


   
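As an added illustration of where a DNS query actually travels (example code written for this page, not part of the original thread and not eBlocker's code): the script below applies longest-prefix routing to two constructed routing tables, one for a client whose traffic is fully tunnelled through tun0, one for a LAN forwarding resolver such as a Raspberry Pi that has no VPN of its own. All addresses are constructed for the example: 10.8.0.1 stands in for a resolver pushed by the VPN, 192.168.1.2 for the LAN forwarder, 203.0.113.10 for the VPN server, and 9.9.9.9 (mentioned later in the thread) for a public upstream. It shows one thing worth checking in a setup of this kind: a query to a LAN forwarder is a LAN hop on the client, and the forwarder's upstream query is then decided by the forwarder host's own routing table, not by the client's VPN.

```python
from ipaddress import ip_address, ip_network

# Constructed routing tables for the example (not taken from any real device).
# Client with a full-tunnel VPN: everything goes to tun0 except the LAN and
# the host route to the VPN server itself (203.0.113.10, documentation range).
CLIENT_VPN_ROUTES = [
    ("0.0.0.0/0", "tun0"),
    ("192.168.1.0/24", "eth0"),
    ("203.0.113.10/32", "eth0"),
]
# A LAN forwarding resolver (e.g. a Raspberry Pi) with no VPN of its own.
LAN_RESOLVER_ROUTES = [
    ("0.0.0.0/0", "eth0"),
    ("192.168.1.0/24", "eth0"),
]
LAN_RESOLVER_IP = "192.168.1.2"   # assumed address of the LAN forwarder
VPN_PROVIDER_DNS = "10.8.0.1"     # assumed resolver address pushed by the VPN
UPSTREAM_DNS = "9.9.9.9"          # public upstream (Quad9, named in the thread)
VPN_IFACES = {"tun0", "wg0"}      # interface names treated as "inside the VPN"


def egress_interface(routes, dst):
    """Longest-prefix match: the rule a kernel applies when choosing a route.
    Returns the interface name, or None if no route covers dst."""
    addr = ip_address(dst)
    best = None
    for cidr, iface in routes:
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def trace_dns_path(client_routes, resolver_ip, resolver_routes=None,
                   upstream_ip=None, vpn_ifaces=VPN_IFACES):
    """Follow one query hop by hop and flag hops that reach a public address
    over a non-VPN interface, i.e. traffic the local ISP can see.
    If the resolver is a forwarder, its upstream query is a second hop that
    is decided by the resolver host's own routing table, not the client's."""
    hops = [("client", resolver_ip, egress_interface(client_routes, resolver_ip))]
    if resolver_routes is not None and upstream_ip is not None:
        hops.append(("resolver", upstream_ip,
                     egress_interface(resolver_routes, upstream_ip)))
    exposed = [h for h in hops
               if h[2] not in vpn_ifaces and ip_address(h[1]).is_global]
    return {"hops": hops, "exposed": exposed}


if __name__ == "__main__":
    # Case 1: the client uses the VPN provider's resolver: one hop, inside the tunnel.
    print(trace_dns_path(CLIENT_VPN_ROUTES, VPN_PROVIDER_DNS))
    # Case 2: the client uses the LAN forwarder, which then asks the public
    # upstream from its own host: the second hop leaves via the Pi's eth0.
    print(trace_dns_path(CLIENT_VPN_ROUTES, LAN_RESOLVER_IP,
                         LAN_RESOLVER_ROUTES, UPSTREAM_DNS))
```

Run as a script it prints both cases; in the second the `exposed` list contains the resolver's hop to 9.9.9.9 over eth0. Whether this is what happens in the original poster's network depends on which resolver his clients are actually configured to use, which the thread does not say.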
(@johann0815)
Member
Joined: 4 years ago
Posts: 122
Topic starter  

I agree with you. As far as I know all types of traffic should be routed via the VPN. So this is why I'm confused that I can see those requests in the NextDNS logs.

Thanks anyway. I'll think about your advice to use a different DNS instead of this VPN DNS.

If eBlocker supported DNS-over-TLS or DNS-over-HTTPS, I would be happier about this.

Thank you


   
(@random)
Illustrious Member Admin
Joined: 6 years ago
Posts: 2073
 
Posted by: @johann0815

If eBlocker supported DNS-over-TLS or DNS-over-HTTPS

I'm sure we would have implemented the feature already if everyone who has been asking for it had donated to the project. 🙄😉

You are very welcome to move forward, and your wish will be heard in future. Today it's not on the agenda, and features we have sponsors for (like the Personal Device Firewall) take precedence 🤗😉

THX!


   
(@newbie)
Eminent Member
Joined: 4 years ago
Posts: 27
 

@random I just wanted to ask how to set up e.g. dns3.digitalcourage.de as my new DNS server but could not figure out how to do so. As I understand it, secure DNS is not available in eBlocker. See, I learnt and searched first 😉

How much would it cost to sponsor this feature? Maybe I can donate a bit more next month.

 


   
(@benne)
Famed Member Admin
Joined: 6 years ago
Posts: 1097
 

@newbie

We have not yet analyzed what it takes to update eBlocker to DNSSEC or DoH, but it's on our list for eBlocker 3 (see https://eblocker.org/en/magazine/eblockeros-3-planning/ ).

The core problem is (besides getting the donations in to cover the operational costs) that we do not have free resources (developers) to implement the feature.

Hiring a freelancer could cure this, of course 😉 But paying a freelancer to implement DNS security certainly needs a low to mid-range four-digit Euro amount, at least...

Looking at the donations for IPv6 (which I personally see more valuable for most users than DNSSEC) makes me wonder if we really should set DNSSEC as a funding goal 🤔 

Nevertheless, your donation is highly appreciated!


   
Random reacted
(@newbie)
Eminent Member
Joined: 4 years ago
Posts: 27
 

@benne Understood. One question though: I thought DNSSEC and DoT/DoH are different topics. I am more interested in DoT/DoH (e.g. to be able to use dns.digitalcourage.de) than DNSSEC. Certainly both would add value.

Background: To me, DNS is such an important part of privacy. Encrypted DNS would add lots of value for me. Particularly using a non-logging DNS server over an encrypted channel. No Vodafone or Unitymedia or Telekom could see my usage, and almost no one else. Using the system provider's DNS is not my idea. Using another one is better, but unencrypted it is only half of the story.

Again, you set the priorities. And I understand them.


   
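Since the thread keeps coming back to DNS-over-TLS, here is an added example (written for this page; not eBlocker code and not posted by anyone in the thread) of what DoT is on the wire: the ordinary DNS message format of RFC 1035, prefixed with a two-byte length exactly as in DNS over TCP, carried inside a TLS session to port 853 (RFC 7858). The query builder and response parser are exercised offline against a response constructed for the example (the 93.184.216.34 answer is made up for that purpose); the `query_dot` function does a live lookup and is left commented out in the usage block because it needs network access. The live call uses Quad9 at 9.9.9.9 with the TLS name dns.quad9.net, chosen because the thread mentions 9.9.9.9. The server certificate is checked by Python's default SSL context, and that authentication step is what separates DoT from plain DNS sent to the same address.

```python
import socket
import ssl
import struct

QUERY_TXID = 0x1234  # fixed transaction id for the example


def build_query(name, qtype=1, txid=QUERY_TXID):
    """Encode a standard DNS query (RFC 1035) for name; qtype 1 = A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_for_tcp(msg):
    """DoT (RFC 7858) reuses DNS-over-TCP framing: 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the name).
    Pointers (0xC0xx) are followed, with a hop limit so a malicious loop cannot
    spin forever."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        ln = msg[off]
        if ln == 0:
            off += 1
            break
        if ln & 0xC0 == 0xC0:
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = ptr
            continue
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_a_records(msg, expect_txid=None):
    """Return (rcode, [IPv4 strings]) from a DNS response; reject a wrong txid."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expect_txid is not None and txid != expect_txid:
        raise ValueError("transaction id mismatch")
    rcode, off, addrs = flags & 0xF, 12, []
    for _ in range(qd):                      # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return rcode, addrs


def recv_exact(sock, n):
    """Read exactly n bytes or raise; TLS records do not align with DNS messages."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf


def query_dot(server_ip, server_name, name, qtype=1, timeout=5.0):
    """One A lookup over DNS-over-TLS on port 853 with certificate and hostname
    verification (needs network; server_name must match the resolver's cert)."""
    ctx = ssl.create_default_context()       # verifies chain and hostname
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame_for_tcp(build_query(name, qtype)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            resp = recv_exact(tls, length)
    return parse_a_records(resp, expect_txid=QUERY_TXID)


# Constructed response for offline use (not captured from a real server):
# txid 0x1234, flags QR|RD|RA, one question, one A answer via a name pointer.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", QUERY_TXID, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print(parse_a_records(SAMPLE_RESPONSE, QUERY_TXID))
    # Live query over DoT (uncomment when online):
    # print(query_dot("9.9.9.9", "dns.quad9.net", "example.com"))
```

If `query_dot` is run against a resolver whose certificate does not carry the name passed as `server_name`, the `ssl` module raises before any query is sent; that failure, not a wrong answer, is the signal that the channel is not the one you think it is.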
(@random)
Illustrious Member Admin
Joined: 6 years ago
Posts: 2073
 
Posted by: @newbie

Encrypted DNS to me would add lots of value.

Just enable DNS via Tor in the DNS firewall and you get what you want: Encrypted DNS. Requirement matched. Easy. 😎

Just add a couple of DNS servers of your choice if you feel the eBlocker-recommended 1.1.1.1 and 9.9.9.9 are not your cup of tea…

THX! 


   
(@newbie)
Eminent Member
Joined: 4 years ago
Posts: 27
 

@random thanks a lot. I just learnt that using a VPN that offers DNS, together with the setting to use the DNS of the VPN, also works. Since I trust my VPN provider this is more my cup of tea. And: using a VPN also means, as far as I understand, that all DNS traffic is also tunneled through the VPN and encrypted up to the VPN exit point. Not perfect, but also not too bad.

Thanks for the quick replies.


   