Using unbound DNS > public DNS provider as well as a VPN?

Started by P195, March 07, 2025, 05:59:41 PM

Hi All,

I've been doing a bit of research to understand DNS and about how to use unbound recursive DNS in conjunction with a public DNS resolver such as Quad9 / Cloudflare. Seems like a far better choice than to use the ISP's DNS and also allows me to encrypt the connection between unbound and the public DNS service using DoT or DoH.

The question I have is, can I / should I still implement this if I plan on using a VPN connection sometimes (either on the router or on the clients)? I've read that this can actually degrade security and privacy by making DNS leaks more likely.

If I did implement this, would OPNsense use unbound>Q9/CF when not using the VPN and then switch to the VPN's DNS service when connected to the VPN? Would that be the best approach? And would that depend on whether the VPN service was hosted on the router or not?

How should DNS be handled both when using a VPN and when not?

Any help is much appreciated!
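For reference, this is what the setup described above (unbound forwarding everything to Quad9 and Cloudflare over DoT) looks like as a raw unbound.conf; it is an added example, not configuration from this thread or from OPNsense, and it assumes a CA bundle at /etc/ssl/cert.pem. On OPNsense the same settings are exposed under the Unbound DNS over TLS page rather than edited by hand.

```conf
server:
    # CA bundle used to verify the upstream resolver's certificate.
    # Without it forward-tls-upstream only encrypts; it does not authenticate
    # the far end, so a hijacked 853/tcp path would go unnoticed.
    # Path is an assumption; adjust to where your system keeps its CA roots.
    tls-cert-bundle: "/etc/ssl/cert.pem"
    # Send only the labels an upstream needs to know (RFC 9156).
    qname-minimisation: yes
    # Do not answer id.server / version.bind probes.
    hide-identity: yes
    hide-version: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Quad9 over DoT on port 853. The '#name' part is the hostname that must
    # appear in the server certificate; it is checked against the bundle above.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    # Cloudflare as a second upstream, same scheme.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    # Keep the default: if every forwarder is unreachable, fail rather than
    # silently falling back to plaintext recursion to the root servers.
    forward-first: no
```

If these forwarders are only reachable through the VPN tunnel, resolution stops working while the tunnel is down, which is exactly the trade-off the replies below are about.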

Quote from: P195 on March 07, 2025, 05:59:41 PM
    The question I have is, can I / should I still implement this if I plan on using a VPN connection sometimes (either on the router or on the clients)? I've read that this can actually degrade security and privacy by making DNS leaks more likely.
Just route the DNS requests over the VPN to avoid leaks.

Hello,

Thanks, so basically you mean just use VPN permanently for all network traffic and use their DNS always?

Not necessarily, but it depends on the VPN. You didn't mention which.

When using OpenVPN, you can add the DNS server to the "remote networks" in the settings. Then it is only routed to the VPN server if you're connected.
With Wireguard this is not possible as far as I know.
And you cannot use a static route, since the DNS would not be reachable when you're disconnected. At best you can policy-route the DNS traffic using a gateway group with the VPN as highest priority.

Thanks, I was thinking Mullvad + Wireguard. At the moment I was just considering whether it would make sense to set up unbound with a public DNS provider if I will be using a VPN with either Wireguard or OpenVPN in the near future.