Using a Custom DNS (NextDNS) Alongside Your VPN
How to use NextDNS alongside your VPN to combine two powerful privacy and security tools.
The last couple of videos on Techlore have experimented with using a custom DNS provider, specifically NextDNS, alongside various VPN providers. I'll be summarizing the core takeaways in this post.
First, let’s set the stage. We recently covered VPNs and what they do and don’t do, and what it boils down to is they:
Transfer trust away from your internet service provider(s) to a (hopefully) more trusted party
Give you a small layer of privacy by hiding your real IP address from the websites you visit
That’s about it. They’re nice tools, but are not something that will instantly make you super private or secure. With that said, I personally can’t imagine not using a VPN, given there’s no other easy & convenient way to deal with my ISPs snooping on my web traffic. (Tor is generally inconvenient to run system-wide, day-to-day)
Second, there are DNS blocklists. Every device you own sends its lookups to a DNS resolver, which is likely your ISP's (unless you actively changed it). Most VPNs run their own resolver and switch you to it automatically when you connect to a VPN server, which is generally what you want: your VPN is (hopefully) a party you trust to handle your DNS requests, and keeping DNS inside the tunnel means your ISP sees none of it. Some providers are beginning to roll out DNS blocklists, which block ad, malware, tracking and other domains at the resolver. You can enable this on any of the main 4 VPNs we recommend, which all have their own version of this feature (Windscribe, ProtonVPN, Mullvad & IVPN).
But I don't love this. These default blocklists are set in stone with little to no configuration options (maybe with the exception of ROBERT on Windscribe, which is still fairly limited), so I went on a hunt for a better setup that gives me more power & control.
Where it led was NextDNS. It comes with a multitude of security features, and the privacy perks are even cooler, giving you a personalized layer of protection on all devices. To outline just a few features: you can block the native telemetry domains contacted by Windows/macOS, set custom blocklists that can block anything (mobile ads, NSA servers, Google, etc.), and use a series of 'parental' controls (not sure why all features designed for boundaries around device usage are classified as 'parental controls', but okay). That's just the tip of the iceberg; there are endless possibilities with this tool!
However, using NextDNS alongside my VPN on all operating systems proved to be problematic, particularly because documentation was so poor across VPN providers. So I went on a hunt to see which services best support this natively across their clients, without needing NextDNS's IPv4 "linked IP" setup. NextDNS's IPv4 resolver addresses are shared by everyone, so it identifies your profile by the public IP you register with it; behind a VPN your public IP is the exit server's address, shared with other users and changing whenever you switch servers, which makes linking impractical for most people's use of VPNs.
To put it simply, I was looking for VPN providers that natively support custom IPv6 DNS addresses, or ideally DoH/DoT, across a majority (or all) of their clients.
Where did it lead? Put simply: Mullvad & IVPN
With Mullvad, you can input your NextDNS IPv6 address as your custom DNS address and enable the client's IPv6 option to use NextDNS alongside Mullvad natively inside their clients. On Android, you can lean on Android's native Private DNS feature to use DoT alongside Mullvad (or use IPv6 inside the Mullvad client, though I'd recommend DoT via Android's native system setting).
With IVPN, you can input your NextDNS DoH/DoT URL natively into their clients, with the exception of Android, where you have to rely on Android's Private DNS offering to use DoT.
In short, I would comfortably say that IVPN beats out Mullvad in this realm, since for most people DoH/DoT support is stronger than a plain IPv6 address from a privacy & security angle. A custom IPv6 address still means ordinary unencrypted DNS on port 53: it's protected inside the VPN tunnel, but from the VPN's exit server to NextDNS anyone on the path can read or tamper with the queries. DoH/DoT encrypts and authenticates that hop as well.
Some users have expressed that there are ways to add custom DoH addresses within Windows & Linux alongside the VPN, but I have not tested this myself, and no VPN documents it as supported.
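To make the DoH-versus-IPv6 comparison concrete, here is an added example (not code from the Techlore post, NextDNS, IVPN or Mullvad) that builds a DNS query the way a client would, shows the URL/hostname/address forms each NextDNS method uses, and pulls the queried name straight out of the wire-format message, which is exactly what a passive observer can do on the plain UDP/53 hop between the VPN exit and NextDNS. The profile ID `abc123` is a made-up placeholder, and the IPv6 address pattern is an assumption based on the addresses NextDNS shows on its setup page, so check it against your own dashboard.

```python
"""Added example (not from the Techlore post, NextDNS, IVPN or Mullvad):
what each NextDNS custom-DNS method puts on the wire, and why DoH/DoT
beats a plain IPv6 address for the hop between the VPN exit and NextDNS.
PROFILE_ID is a made-up placeholder; the URL, hostname and IPv6 forms
follow the patterns NextDNS shows on its setup page and should be
checked against your own dashboard."""
import base64
import struct

PROFILE_ID = "abc123"  # placeholder, not a real NextDNS profile


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build an RFC 1035 wire-format query (qtype 1 = A, 28 = AAAA).

    RFC 8484 recommends txid 0 for DoH GET so identical queries yield
    identical URLs that HTTP caches can serve."""
    flags = 0x0100  # standard query, recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qclass 1 = IN


def observed_qname(wire: bytes) -> str:
    """Read the queried name out of a wire-format DNS message.

    This is what a passive observer sees for plain DNS on UDP/53, which is
    how the IPv6-address method reaches NextDNS once the query leaves the
    VPN exit server. With DoH/DoT that hop is inside TLS and the observer
    sees only a connection to dns.nextdns.io on 443 or 853."""
    pos = 12  # skip the fixed 12-byte header
    labels = []
    while wire[pos] != 0:
        length = wire[pos]
        pos += 1
        labels.append(wire[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def doh_get_url(query: bytes, profile_id: str = PROFILE_ID) -> str:
    """RFC 8484 GET form: base64url-encoded message, padding stripped,
    in the ?dns= parameter. The profile ID rides in the URL path, so no
    IP linking is needed behind a VPN."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://dns.nextdns.io/{profile_id}?dns={encoded}"


def doh_url_to_query(url: str) -> bytes:
    """Inverse of doh_get_url: restore padding and decode ?dns=."""
    param = url.split("?dns=", 1)[1]
    param += "=" * (-len(param) % 4)
    return base64.urlsafe_b64decode(param)


def dot_hostname(profile_id: str = PROFILE_ID) -> str:
    """Hostname form for DoT clients such as Android's Private DNS setting
    (Android Private DNS is DoT, not DoH)."""
    return f"{profile_id}.dns.nextdns.io"


def ipv6_addresses(profile_id: str = PROFILE_ID) -> tuple[str, str]:
    """Assumed NextDNS IPv6 pattern: the six-hex-digit profile ID forms the
    last two address groups. Verify against your dashboard before pasting
    these into a VPN client."""
    pid = profile_id.lower()
    if len(pid) != 6 or any(c not in "0123456789abcdef" for c in pid):
        raise ValueError("NextDNS profile IDs are six hex characters")
    return (f"2a07:a8c0::{pid[:2]}:{pid[2:]}", f"2a07:a8c1::{pid[:2]}:{pid[2:]}")


if __name__ == "__main__":
    q = build_query("example.com")
    print("Do53 observer sees:", observed_qname(q))
    print("DoH GET:", doh_get_url(q))
    print("DoT host:", dot_hostname())
    print("IPv6:", ipv6_addresses())
```

Run it and compare the three outputs: only the IPv6 path exposes the result of `observed_qname` to whoever sits between the VPN exit and NextDNS. Once you have pasted a value into your VPN client, NextDNS's own test page (test.nextdns.io) reports whether queries are arriving on your profile and over which protocol, which is the quickest way to confirm the setup actually took effect.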
Okay Henry, this is super techy, what does this all mean?
What this means is that through IVPN (preferred because of DoH/DoT) or Mullvad, you can natively combine the perks of using a VPN with the perks of using a tool like NextDNS. All it takes is pasting your NextDNS DoH/DoT URL or IPv6 address into the respective VPN client. Through this configuration:
You are protecting your IP address and transferring trust from your ISP to one of the most private, open source VPN providers on the market (IVPN & Mullvad), neither of which even requires an email to register. Additionally, you gain the protection of NextDNS, which means every website, app & device is funneled through a DNS-level filter that blocks whatever domains you want it to, with endless customization for the biggest noob or the most advanced user. (One caveat: anything that uses its own hardcoded resolver or DoH endpoint, such as a browser's built-in secure DNS setting, bypasses a system-level DNS filter unless you turn that off.)
Should I do this?
Totally your call. If you're happy with the blocklists provided by your VPN provider (if any), then sure, just stick with your VPN provider's native DNS. Personally, I wanted something more thorough that gave me better control over my web traffic than any VPN was natively providing.
A few things:
You are opening yourself up to another party to trust. NextDNS sees every domain your devices look up, so while it has a solid reputation, you now have to trust both your VPN and your DNS provider independently with your web traffic. I don't find this to be a massive risk, but definitely ensure NextDNS fits your safety requirements before choosing to use them.
Sites can theoretically try to "de-anonymize" VPN users by noticing that your DNS lookups arrive from a different resolver than those of other users sharing the same VPN exit IP. My response to this is: there are a MILLION other ways to 'de-anonymize' VPN users, almost all of which work independently of whichever DNS you choose to use, even the VPN's native DNS. If fingerprinting is a concern of yours, Tor and other more robust tools are what you should be using. This doesn't seem like a real concern for the average VPN user, but it is still a question you should reflect on for yourself.
NextDNS is free up to 300k requests per month. I don't hit the max, so I am using it for free, but you may need to pay for it. If that's the case, there's the natural drawback of needing to spend money.
A Word on VPN Documentation
This journey was ridiculous. I put out my first video that over-relied on things I read online, much of which ended up not being completely accurate.
For example, Mullvad's website directly says they do not support custom DNS on iOS.
Guess what? They do support custom DNS on iOS. So the first-party website is incorrect.
Let me summarize the extent of each provider’s documentation:
Windscribe has a post on DNS, which only refers to desktop clients and doesn't specify what options are given for custom DNS (IPv4/IPv6/DoH/DoT). So there is no easy way for a user to know whether they can use a custom DNS provider alongside Windscribe when shopping for a VPN.
ProtonVPN simply has no documentation anywhere (that I could find) on custom DNS, despite it being a feature they support natively via IPv4 on two of their clients (Windows & Linux). So there is no easy way for a user to know whether they can use a custom DNS provider alongside ProtonVPN when shopping for a VPN.
Mullvad has a blog post covering the release of custom DNS, which is outdated (it still says there is no iOS support, which was likely true at the time), but nowhere does it directly specify what custom DNS options are offered across its clients. All that is stated is: "Encrypted DNS is something entirely different and isn't supported in the app." So it's safe to count out DoH/DoT natively inside Mullvad. But what about Android, where DoT via Private DNS is easily used alongside Mullvad? Nowhere does it list that they support IPv6 addresses. And if you trust the Mullvad website, you may be under the impression that custom DNS is still not supported on iOS, which is not true! So there is no easy way for a user to know whether they can use a custom DNS provider alongside Mullvad when shopping for a VPN.
IVPN has the best documentation of these four providers, with a dedicated support article on the topic. But again, it was (!) lacking. Previously, it was unclear which methods of custom DNS were supported across their clients, making it challenging to know which clients you can easily use NextDNS with. After we released our videos, they appear to have updated their documentation to properly outline this information, so yay! 🎉
Take notes, VPN providers: what IVPN has done is exactly how this feature should be documented, clearly outlining what is and isn't supported on each client, down to the method of custom DNS supported.
Want to watch the videos?
The first video
Several mistakes are made in this video that are corrected in the second video
The second video
Some corrections in the second video:
IVPN updated their documentation to be clearer! https://www.ivpn.net/knowledgebase/general/custom-dns/
Android is actually using DoT, NOT DoH: Android's Private DNS setting is DNS-over-TLS. For the purposes of this video this shouldn't change the takeaways or general concepts.
NextDNS has an open source CLI tool, though their native clients don't appear to be open source. With that said, we're not trying to use the native clients, & I'm not concerned with the server being open source, since there's no way for us to verify they're running that code anyway. But it's definitely a correction for people who care about these things.
Windows 11 has a native DoH option, and Linux has system-level encrypted DNS options (DoT via systemd-resolved, for example) that *may* work alongside some of these VPNs. (I didn't test this myself.)
Thank you to the people who are sharing more information regarding this situation. I'm learning more from comments on YouTube than from the services themselves, which is really my core complaint here.
Thanks for reading Techlore Dispatch! Subscribe for free to receive new posts and support my work.