VPNs, Custom DNS and DNS over HTTPS.

dabigm

ULTIMATE Member
So I've been increasingly interested in using DNS over HTTPS as I feel it provides another level of security on the interwebs. I also use a VPN (I won't mention who, this isn't an advert / spam for VPN providers).

A problem arose in that with my VPN provider, and I'm going to assume with most of them, the Cloudflare DNS settings that my home router hands out are overwritten by the VPN client. I contacted my VPN provider (who are really good with support, and answer with really good useful feedback), and they responded to my question about using custom DNS with:

It won't be possible, as when you're using our VPN, [redacted, name of VPN provider] DNS overrides other DNS.

As we follow a strict no logs policy, this DNS change helps us follow it.


But that answer didn't sit well with me. I understand they're trying to make an effort to make you use their DNS servers to stop leaks, but I want to use my own, and as the title suggests, I want to use DoH/DNS over HTTPS.

So here's my sort of solution.

In Chrome, click the 3 dots menu, go to Settings > Security > Advanced and click the button to enable "Use Secure DNS". Select "With" and choose Cloudflare (you can also choose OpenDNS, Google, Custom, etc., but the DNS provider must obviously support DoH). I noticed that I had to click again on Cloudflare as it seemed not to keep the setting after enabling it.

chrome.png



In Firefox :

Go to the menu > Options > General > Network settings and click the "Settings" button
At the bottom of the page, click "Enable DNS over HTTPS" and choose your provider from the list

firefox.png



And there you have it. DNS over HTTPS ... even when your VPN provider says it's "not possible". Of course this only works in browsers; the rest of your network / other apps besides browsers will not use it, but I think this covers the main use for VPNs.

To test it works, visit https://1.1.1.1/help (assuming you are using Cloudflare I guess)

and you should see

cloudflare.png



Considering ISPs will now probably all start logging just about everything, this seems like a good solution to me. My VPN connects automatically when I start the computer, and has a kill switch that will disable my internet connection if the VPN isn't active, but now I also have the peace of mind that my DNS is over HTTPS and goes to who I want it to go to.

So if you want DoH, and you want VPN, here's a more or less "solution" to the problem of them dictating who your DNS provider is.

The recent article on this site on ISPs spying on you prompted me to look up the "Investigatory Powers Act 2016" and just who can access your internet connection records without a warrant ... suffice it to say I was pretty surprised to learn that even the Food Standards Agency can request your internet connection logs without a warrant...

Full list here


I hope this helps.
 
It's a dark day for privacy. How many people are going to have their internet history checked, be placed onto a watch list and subsequently then do something horrible without any intervention?

It's a real shame because it's sheer stupidity. It's pretty invasive but the solution is to register everyone's connection to their identity. Keeping logs of everything is just pointless, because we can still get unregistered PAYG connections. It compromises everyone's privacy for no reason with logs.
 
It's worth pointing out that centralising DNS resolution like this and basically handing out data to the likes of Cloudflare and Google is also not ideal.

A somewhat less evil option would be the 9.9.9.9 service, which is similar but run by a non-profit.

We're basically compromising the original and par excellence distributed system of DNS while at the same time giving said corporations even more power over us; it will in time lead to all sorts of abuses.

I do agree something needs to be done about ISPs cashing in on our DNS data or just downright lousy service leading to bad performance.

My preferred way of dealing with this, which has so far proved OK, is to run a local resolver. While general DNS traffic is still unencrypted (despite tech like DNSSEC, DNSCurve, etc.) it's still something worth doing. For example:

Also, another good way of sorting the problem is by using a VPN to a VPS and terminating your DNS resolution there. Some VPSes are so cheap nowadays, about the same price as a VPN. Of course, there's the overhead of managing it yourself, so this is only an option if you're technical enough.
 
I did kinda mean it as a guide for what to do when your VPN provider insists on forcing you to use their own DNS. My VPN doesn't have an option to customise the DNS settings or choose your own; it's literally nope, forced to use theirs. They have their reasons for it I suppose.

I agree with you about giving these private companies your DNS data. Pretty sure that Cloudflare isn't doing it out of the goodness of their hearts either. I use them because they're fast (independent tests show that of the publicly available ones, they're the fastest) and also I've got almost all my sites running there.

There's really no perfect solution to this I guess.

Even running your own isn't going to work when you VPN using a public VPN provider. Of course if you run your own VPN then you can also run your own DNS, but I'm using a commercial public VPN provider and wanted control over my DNS.
 
I have my router registered to 1.1.1.1. I used to use BT's awful DNS until I got rid of my smart hub. I can agree that 1.1.1.1 is a lot faster, but BT use DNS blocking for their safe search service so that no longer works. I just ended up setting up blocking settings in my router; shame Cloudflare doesn't offer anything like this as I like their service. If they added something like web filters etc. I wouldn't mind paying for it, better safe than sorry.
 
They do have a couple of filtering levels - I use these DNS servers to block adult sites for example:
  • 2606:4700:4700::1113
  • 2606:4700:4700::1003
  • 1.1.1.3
  • 1.0.0.3

Thanks for that. I wasn't even aware they offered that service and for free, I've changed my home LAN from 1.1.1.1 to those two now.

Edit: hmm does not appear to be blocking anything though, tested this on a VM that does NOT have DoH/DoT enabled.
 
I have this set on my pfSense router and it certainly blocks Pornhub etc. I do block outgoing port 53 though to stop browsers circumventing the DNS setting on the router.
 
Ok. I've now figured this out, at least on android.

I had "Private DNS" set on our Android devices, which overrides pretty much anything you set either in Chrome or anything else. It was being set to 1dot1dot1dot1.cloudflare-dns.com, so that's why Android wasn't blocking it.

As for why my VM works, still not figured that one out.
Blocking port 53 sounds like a good choice too; however, I guess that's not going to work when operating systems start using DoH/DoT.
 