VPN and DNS servers

This might seem like a stupid question, but after a bit of internet searching, I couldn't really come up with a satisfying answer.

I've been using a paid VPN for a couple of months now; it was cheap enough and I thought I'd give it a try. After getting into a conversation with two people I know about anonymity online, they just shrugged when I mentioned a VPN and said they change their DNS servers. Am I totally wrong in thinking that these two options don't really do the same things at all?

No, you're not wrong. They don't do the same thing at all.

A VPN encrypts your traffic, along with giving you a different IP address.

Changing your DNS does not do either of those.

But when using a VPN you don't want any DNS leaks to your ISP's DNS.

To remain anonymous all the time is practically impossible. Changing your DNS to something like Google's (8.8.8.8 and 8.8.4.4) will only help ever so slightly. Although it's probably best that you do, because your DNS requests won't be processed by your ISP's DNS service.

Check if your DNS is utilizing your ISP's service here:

https://www.dnsleaktest.com/

So just to make sure I'm understanding: to be anonymous it is best to use a VPN and change your DNS to something like Google's? I haven't looked this up, but do some VPN providers offer a DNS service? It seems to negate having a VPN if you don't change your DNS address, if this is the case.

From my experience I think that most VPN providers don't provide DNS services. The best solution, in my opinion, for DNS is to use something like DNScrypt with some OpenNIC servers.

If you use a VPN, and it's working properly, then your DNS traffic will ignore your configured DNS servers and instead go through the VPN tunnel and use whatever DNS server is configured in your VPN client.

DNS has nothing to do with anonymity or privacy. Even if you change your DNS server your ISP can still see your DNS queries, and even if you used an encrypted DNS service they can still tell what you're doing by your other traffic. A VPN encrypts all your traffic so no one looking can see what you're doing.

The reason to change your DNS server to something other than your ISP's is that some ISPs can use their DNS servers to block certain domains, so changing your DNS server avoids some censorship. Although it is possible for your ISP to intercept DNS traffic and modify it without you using their servers, so a VPN is a better solution to getting around censorship too.

So bottom line is to just use a correctly configured VPN? Sounds good to me. What's a good VPN these days? Is PIA still Tek Syndicate's go-to VPN? I know they had promoted it at one point.

I use TorGuard and haven't had any desire to switch. I've heard that PureVPN is pretty good too.

This is a good guide from a privacy perspective:

DNS leaks are a big problem as far as I know. Your own VPN provider even has a page on it here. Encrypted DNS isn't usually necessary, it's just the best scenario. OpenNIC is pretty concerned about privacy and censorship, so I would recommend them if you need a static DNS service.

Yeah, I agree. That's what I meant by working properly, but it is important to test that all the traffic you expect to use the tunnel actually is. It's a good idea to run these sorts of tests or even just run Wireshark and see for yourself.

I use DNSCrypt in addition to the VPN because one of the VPN servers I use uses OpenDNS to block some sites, and also because I want to make sure that my DNS traffic isn't being altered between me and a DNS server that I trust. DNSSEC is a better solution to this but unfortunately isn't widely used yet and probably never will be.
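A small offline leak check in the spirit of the testing advice above, added here as an example and not code from anyone in the thread: it replays the kernel's longest-prefix route lookup over a constructed `ip route show` listing and a constructed `resolv.conf`, and reports any resolver that would be reached outside the `tun0` tunnel. The addresses, the host route and the `tun0`/`eth0` device names are all assumptions made up for the sample.

```python
"""DNS leak check: which interface would each configured resolver be sent to?"""
import ipaddress
import re

# Constructed sample /etc/resolv.conf: the VPN-pushed resolver plus a leftover
# ISP resolver (documentation-range placeholder address).
RESOLV_CONF = """\
# constructed sample
nameserver 10.8.0.1
nameserver 203.0.113.53
"""

# Constructed sample `ip route show` with an OpenVPN tun0 up. The 0.0.0.0/1 and
# 128.0.0.0/1 pair is the usual trick that beats the ISP default route without
# deleting it. The last line is a deliberate host route that bypasses the tunnel.
IP_ROUTE = """\
default via 192.168.1.1 dev eth0
0.0.0.0/1 via 10.8.0.5 dev tun0
128.0.0.0/1 via 10.8.0.5 dev tun0
10.8.0.0/24 dev tun0 scope link
192.168.1.0/24 dev eth0 scope link
203.0.113.53 via 192.168.1.1 dev eth0
"""


def parse_routes(text):
    """Turn `ip route show` lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if "dev" not in parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        routes.append((ipaddress.ip_network(dst, strict=False), parts[parts.index("dev") + 1]))
    return routes


def route_lookup(routes, address):
    """Longest-prefix match, as the kernel does; returns the egress device or None."""
    ip = ipaddress.ip_address(address)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None


def resolver_devices(resolv_conf, ip_route):
    """Map each `nameserver` entry to the device its queries would leave on."""
    routes = parse_routes(ip_route)
    nameservers = re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M)
    return {ns: route_lookup(routes, ns) for ns in nameservers}


def leaking_resolvers(resolv_conf, ip_route, vpn_dev="tun0"):
    """Resolvers that would be queried outside the tunnel (i.e. a DNS leak)."""
    return [ns for ns, dev in resolver_devices(resolv_conf, ip_route).items() if dev != vpn_dev]
```

Feed it the real output of `cat /etc/resolv.conf` and `ip route show` on a Linux box with the VPN up; it only models the routing table, so a resolver that Windows-style multi-homed resolution sends out every interface still needs a packet capture to catch.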

Cool! If you really want to get in depth, I found this article that explains how to use OpenNIC with DNSCrypt and even route DNS queries through Tor or I2P. It's a pretty specific use case, but some people might be up for it.

You probably don't want to get too carried away with DNS, as performance is still important. Ultimately, without DNSSEC, no matter how much encryption you use or where you route your DNS queries, you're still relying on whichever server you're using giving correct and reliable results.

You could also run your own DNS resolver and either have it send its queries through a VPN, or set it up on a VPS and connect to it via a VPN or DNSCrypt. I think resolvers are still vulnerable to cache poisoning, but at least you know the server isn't giving you dodgy results.