N00b question regarding name servers

New here, long time viewer of the Level1News

Recently I ran into some problems with my pop_os install where its name servers got f00ked and since I now need to fix my name server situation, that made me think and left me wanting in knowledge on the subject, so I have a few questions for the clever people I am convinced hide in here. :slight_smile:

When you use a VPN does it change the name server? I am thinking it uses the system's initial name server for the initial connection and then switches to the VPN? Yes?

A name server doesn’t seem like a thing that you would want to be static; if one fails you would want another to take over. It even seems to me that for privacy reasons you would want it to be randomly selected from a very long list of reliable servers, or is my thinking flawed?

Any and all insights regarding the above would be greatly appreciated. If someone knows of some great blog posts on the subject, that they can share, I would love to walk away a smarter person :slight_smile:

Thanks in advance

This should depend on your VPN configuration. But as far as I am aware most VPN providers normally force their own DNS! What the switching on your end looks like, and whether the VPN client (e.g. OpenVPN) can force a DNS change, depends on the program you use for your DNS settings. I know that there are settings in systemd-resolved that can hinder the VPN client from forcing its own DNS settings.

In general, yes, there should be fallback DNS servers listed in case the primary DNS servers are not reachable. For example on my computer /etc/resolved refers to nameserver 127.0.0.53 to resolve DNS queries. 127.0.0.53 is the address of my local systemd-resolved instance. Systemd-resolved in turn refers to the settings in /etc/systemd/resolved.conf to resolve queries. This file could contain something like this, where you can list any number of remote DNS servers.

[...]
DNS=8.8.8.8 8.8.4.4
FallbackDNS=1.1.1.1 9.9.9.10
[...]

I do not know what setup PopOS uses, but to get an overview of how this works I encourage you to have a look at the Arch Wiki page about name resolution.

https://wiki.archlinux.org/title/Domain_name_resolution

2 Likes

When I have newbie questions, I always like to hear how “it’s actually done”, maybe even different versions from multiple people. So I want to elaborate a little bit on the good answer by Sapiens (the Arch wiki almost always solves everything).

Forcing usage of the VPN's DNS servers is a feature that some providers and/or clients bring with them. You will find a toggle in the client, or a line like dhcp-option DNS 10.11.12.13 in your .ovpn config if that is the case. You can test its effectiveness with a service like https://ipleak.net/, which is provided by AirVPN, an Italian company that promotes net neutrality, privacy and defense against censorship.
That’s usually a means to enable VPN clients (like employees that are in the field) to find internal network services via their hostname, like dashboard.mycompany.local or printer3mainoffice, which is only known to the DNS servers in that specific local area network and only accessible via LAN. If you don’t need that functionality, the DNS setting is not touched, as you suppose that your device in Baghdad is configured to a more performant DNS-server than your server from '98 that sits in Nebraska.
If you trust your VPN provider to be the single 3rd party entity that sees all your network activity, and could potentially log everything, linking to you as a legal person, you can also use that feature to encrypt any traffic, including DNS queries, hiding it from your ISP and whatever DNS you usually use, like Google or Cloudflare.

As Sapiens wrote, you can manipulate your DNS server settings. Since you are on Pop!_OS, which uses GNOME (as do I), you can tweak those settings easily per connection in the Network Manager GUI.
But I would not do that. It’s far too cumbersome. You will forget you tweaked that setting, forget to set it on your other network adapters or new clients, maybe you get an error some time and don’t think of this tweak as a potential cause. It is an unnecessary potential for problems.
Correct me if I am wrong: practically and usually, DNS settings are set on a network-level basis. Only very special edge cases could warrant the overhead of specific DNS settings on a per-client basis. And even that I would configure on the network equipment, with a special rule for this MAC-device-client or something, so it’s all in one place.

You can fiddle around with stuff like GRC | DNS Nameserver Spoofability Test, or see to it that any DNS queries leaving your local area network are TLS-encrypted, nothing is (geo-)censored, and you have the best performance possible to satisfy your concerns. There are many knobs you can turn. But you cannot trust any external provider not to log your activities and use that data against you, and you cannot trust any external service to always be the same, e.g. uncensored. A server from an elite group called privacy-knights can be hacked and used against you by Russian hackers. There is no way to do it “right”, and transparently so, except to do it yourself 100%. That way you could realize your very good idea of a big list of reliable, fast and maybe even kind of trustworthy DNS servers, which are randomly queried, to serve your actual DNS requests from local network clients.

I would describe myself as very privacy-conscious. My network clients use the gateway for DNS and my gateway devices have something like OpenDNS, Quad9 or a mixture of some smaller, privacy-focussed providers from lists like Best Free & Public DNS Servers List or articles like https://www.privacy-handbuch.de/handbuch_93d.htm which are almost always outdated.
So in short summary, for everyday network traffic I rely on the big but not biggest players and when I want something to be private it gets special treatment. That’s my compromise for being yet too lazy to build my own local DNS infrastructure.

Like many other topics about values that don’t earn anybody money, like privacy, and are not as popular as they should be (“I never even noticed that they collect data about me, nor do I care”), it comes down to finding and setting a limit to your expenses on this particular endeavor, when it is good enough for you.

1 Like

Welcome to the forum @AnotherDude and welcome back @ciscam!

Just something to add: if your DNS is on another network than your device connected to the VPN, then you will not be able to communicate with it.

As Sapiens and ciscam said, VPNs usually overwrite your DNS settings on the client. Systemd may interfere with that and it’s the only place where I had issues with DNS using Wireguard (on Fedora), even Windows respected my DNS settings from wg.

The thing about DNS, as ciscam mentioned, is that it can be a potential issue for privacy. A VPN client most of the time needs to overwrite your local DNS, because the original point of a VPN was to connect 2 networks together over an insecure channel (like the Internet). So, when using a VPN client, it is assumed that your “primary” network will be the one at the end of the VPN tunnel, like say for example that there is your workplace’s email server and intranet services. If your DNS doesn’t get overwritten, people would have to manually set the DNS to the one internal to the workplace.

If you have local services on the LAN you are connected to in order to access the VPN, you need other methods to reach them, like adding entries to your computer’s hosts file (/etc/hosts in Linux), which is always queried before DNS.

Now, say that you want to access Netflix US from Europe through a VPN. You connect to a VPN server from the US. Netflix has multiple servers around the world, so depending on where you connect from, it will access the closest one. If you were to use your local DNS on your LAN in order to query netflixDOTcom, it will give you the IP address of the European server, because your local router / DNS server isn’t going through the VPN. But VPN clients overwrite your DNS settings in your PC, so instead, you will use a VPN’s DNS server, so you will be given the IP address of the netflixDOTcom US server, which is the desired result.

One last thing to note: if there is an issue with the DNS server being overwritten and your PC is using the local DNS, if the DNS is on another network than your local one to your PC, you won’t get DNS at all. For example, if your DNS server is on the network 192.168.4.0/24 and the PC is on the network 192.168.6.0/24, then when you connect to the VPN, you won’t be able to reach your local DNS anymore, because all traffic except 192.168.6.0/24 will be sent through the VPN tunnel and the end of the tunnel doesn’t know where 192.168.4.0/24 is. Usually this is not an issue, because home routers serve the function of a DNS, so your gateway 192.168.6.1 will also act as DNS, thus receiving DNS queries. But this can be a bad thing for privacy if your DNS settings don’t get overwritten though.

Hope that clears things up a bit (or maybe I just didn’t understand the questions asked).

1 Like
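The routing case in the post above (resolver on 192.168.4.0/24, PC on 192.168.6.0/24, VPN taking over the default route) can be reproduced with a small longest-prefix-match model. This is an added example, not code from the thread: the route tables, the VPN-side network 10.11.12.0/24 and its resolver 10.11.12.13 are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.6.0/24")          # the PC's own network (from the post)
REMOTE = [ip_network("10.11.12.0/24")]      # constructed: networks the VPN exit can reach


def routes_for(vpn_mode):
    """Constructed client route table for one of three VPN states."""
    table = [(LAN, "lan")]                                  # directly connected
    if vpn_mode == "off":
        table.append((ip_network("0.0.0.0/0"), "gateway"))  # everything via 192.168.6.1
    elif vpn_mode == "full":                                # redirect-gateway / 0.0.0.0/0
        table.append((ip_network("0.0.0.0/0"), "tunnel"))
    elif vpn_mode == "split":                               # only remote nets tunnelled
        table.append((ip_network("0.0.0.0/0"), "gateway"))
        table.extend((net, "tunnel") for net in REMOTE)
    else:
        raise ValueError(f"unknown vpn_mode {vpn_mode!r}")
    return table


def next_hop(addr, table):
    """Longest-prefix match, the rule the kernel applies to pick a route."""
    best = None
    for net, hop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else "unreachable"


def dns_path(dns_server, vpn_mode):
    """Classify where a query to dns_server ends up once the VPN is up.

    "direct"          VPN off, normal LAN/ISP resolution
    "tunnelled"       sent through the tunnel to a resolver the exit can reach
    "lost"            sent through the tunnel to a private LAN resolver the
                      far end has no route for (the 192.168.4.0/24 case)
    "bypasses-tunnel" VPN on, but the query still leaves via the local LAN,
                      i.e. visible to the ISP (a DNS leak)
    """
    addr = ip_address(dns_server)
    hop = next_hop(addr, routes_for(vpn_mode))
    if hop == "tunnel":
        reachable = (not addr.is_private) or any(addr in net for net in REMOTE)
        return "tunnelled" if reachable else "lost"
    return "direct" if vpn_mode == "off" else "bypasses-tunnel"
```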

Name servers are configurable via DHCP IP assignment.

So it depends what was configured. If it’s a corporate VPN you might want to configure different DNS servers so that internal private network only host names can be resolved.

A company’s internal and external DNS will look very different (either split brain or more likely entirely different servers and zone files).

In theory (and done practically) yes people use secondary DNS for fallback. But certainly not giant lists.

Google has an incident page:

  • January 2021 3h 22 minutes
  • September 2019 5h 11 minutes

That is the entire list (and I do totally believe them since I have never experienced it being dead; I missed both of those). So basically it’s a very minor issue if those few hours every few years don’t cost you thousands of dollars.

Gonna be a similar story for Cloudflare.

Your ISP’s DNS should also be a safe bet for reliability. Since if it’s dead, who knows if you even have internet; at this point a fallback may not even help you out.

For privacy, giant lists don’t help either; you need to route your DNS traffic through the VPN.

Major public DNS servers aren’t just one server. They are clusters of servers, possibly spread across the world: Anycast - Wikipedia
You may be talking to a different DNS server with each query.

It’s common to have 2-3 DNS servers configured on the client. But for that to help, you really want DNS servers from completely different providers.

Most people use their ISP’s DNS servers, and using other DNS servers won’t prevent your ISP from knowing what sites you’re visiting, so no improvement there.

Such great answers, thanks a bunch guys. I really appreciate the time you have taken to help me get smarter. I will go on a deep dive into each of your answers and then return with the questions that your answers probably made me think of, once I have read and hopefully understood all of them and looked at the referenced material.

Thanks a ton :slight_smile: I really appreciate you taking the time to help.