
Using NextDNS Private DNS with VPN - does it work?

Hi there, I want to use a VPN like Mullvad but keep using NextDNS. This is on an Android 11 phone and a Mac 10.15. I know it is not possible for both to use the one VPN slot. I have seen lots of (for me) too complicated explanations for how to nevertheless use both at the same time. As far as I can see, a simple way is to add my NextDNS profile (xxxxxx.dns.nextdns.io) as the Private DNS on my phone and add the NextDNS server addresses (eg 45.90.28.100) as the DNS addresses on the Mac. This seems to work, the logs show NextDNS working with both devices and it is very simple, but I am suspecting there is a problem, partly because it seems so much easier than the other methods suggested and because I have seen no-one else suggesting this method. Are these two configurations using my NextDNS blocklists (which is what I want) or just connecting via NextDNS? The logs seem to show they are doing the former. Are there any security issues, eg some of the logs do not show a padlock sign by the log, which is what I am used to seeing. Is this because it is via HTTPS not TLS? In short, given the simplicity of this solution and lack of people suggesting this method, does this work for combining a VPN with NextDNS on an Android phone and Mac and allowing the NextDNS blocklists to be used? I have above average capability with techy stuff but not enough to understand the other solutions I have seen. Thanks for any advice!

28 replies
  • You cannot run two VPNs at the same time.

    So use the Private DNS setting instead of the NextDNS app (which creates a VPN) together with the VPN of your choice.

    However, it is possible to run two VPNs at the same time, but one must be in the safe folder, so you can run Mullvad so that it affects only the apps in that folder, only in the cases where you need another VPN or want to apply the VPN to certain apps.

    So activate the safe folder and add the apps you like. This folder is like a second account...

    The Private DNS, from my experience, overrides every other DNS a VPN uses.

    I have a Samsung Android 11.

      • Luke
      • Lukemb64
      • 6 mths ago

      Sonos Kronos Hi, thanks, yes I know you can't run two VPNs at the same time, so using private DNS seems to make it work for me, this is what I was saying. Thanks for your feedback!

    • Luke

      Have in mind that every time your internet provider changes your real IP address (seen as linked IP in the settings), the NextDNS resolver 45.90.28.100 will not be able to match your NextDNS ID, hence no filtering applies.

      • Luke
      • Lukemb64
      • 6 mths ago

      Sonos Kronos I don't personally change the VPN server often but when I do the linked IP changes and I have to renew it. Which I don't mind as it is occasional. Does this sound Ok? Have I understood you right?

    • Luke

      Your internet provider periodically changes the IP address, not YOU, because your connection is not static. (Google static vs dynamic internet connection.)

      • Luke
      • Lukemb64
      • 6 mths ago

      Sonos Kronos oh ok. Yes I meant when I change the server that I am using via Mullvad. I didn't realise my own ISP would still be relevant if I am using Mullvad. Thanks for your advice.

  • I don't have a Mac, but I use NextDNS via my Pixel's Private DNS setting and it works great with my VPN Unlimited on that device. All my queries are routed through NextDNS and I can see them in the logs. NextDNS also works this way on my Win10 laptops with both VPN Unlimited and Windscribe VPN. Haven't tested with Proton VPN yet.

      • Luke
      • Lukemb64
      • 6 mths ago

      Roger Wright yes, works for me too, as mentioned, thanks for the feedback!

  • Yes, it's possible. I can only speak for iOS and Mac though. You can take a look at this guide. It involves using apps that allow you to set custom DNS, like Viscosity and Passepartout. 

    You can't use the NextDNS IPv4 IP on Mac, the VPN will override it. Also, this will lose your configuration ID every time you receive a new IP from your ISP. 

    You could try the IPv6 DNS IP on Mac, but again, most VPN connections will override this, unless you specifically use apps like Viscosity, which can use custom IPv6 DNS, or Passepartout, which can use custom DoH DNS (and more). 

    In case of Mullvad, they mention custom DNS as an option, as long as it's not DoH/DoT. This means you could try putting the NextDNS IPv6 IP directly into the Mullvad app and test what is shown on browserleaks.

      • Luke
      • Lukemb64
      • 6 mths ago

      Chris Thanks Chris, actually it's all working fine, except I have to renew the IP address on NextDNS when I change VPN servers but that's OK. Your info is really useful though as it helps me to understand it better. Cheers!

      • Luke
      • Lukemb64
      • 6 mths ago

      Chris actually I realise that your guide is something I read before and it helped me work it out. I'm on a Mac. Thanks for that!

      • Chris
      • Chris.6
      • 6 mths ago

      Luke no problem.

      That probably means your DNS provider is leaking DNS and not pushing its own VPN DNS though, which might reveal your real ISP's DNS too (which you changed to NextDNS now). With most VPNs, the manual Mac DNS setting will be overridden, so that actually seems like a bug in the app you are using.

      That said, you could try using the IPv6 NextDNS IP instead of the IPv4 in the Mac's network settings. You wouldn't have to constantly renew the IP binding this way. Or, better yet, you could use Mullvad's own custom DNS in the desktop app, as mentioned in their blog post.

      • Luke
      • Lukemb64
      • 6 mths ago

      Chris I don't understand all this but I am using the custom dns facility with Mullvad and the browser leaks test shows the DNS of the Mullvad server. Does that sound ok? I am wondering whether I'd be better off using Mullvad's own blocking if there are problems with using NextDNS. Appreciate your help.

      • Chris
      • Chris.6
      • 6 mths ago

      Luke No problem, let's go back to the beginning (if you want). 

      You mentioned that you changed your Mac DNS. This is usually done in network preferences. Above, you are saying that you changed it in the Mullvad app. It is a bit unclear what you actually did. Could you provide some screenshots of the changes you made (in the Mullvad app)?

      If the leak test shows the DNS of the Mullvad server, then no, you are not using NextDNS at all.

      • Luke
      • Lukemb64
      • 6 mths ago

      Chris sorry for being confusing! I'm sorry, the leak shows the NextDNS server, my mistake, and the NextDNS logs show it is working. I'll get back on the rest in a clearer manner. Thanks for your patience and advice.

      • Luke
      • Lukemb64
      • 6 mths ago

      Chris Here are the relevant screenshots. I don't know if the Mac needs to be set to the NextDNS servers if Mullvad is. This leak report gives an address I don't understand. Any advice welcome, appreciate you giving me your time.

      • Chris
      • Chris.6
      • 6 mths ago

      Luke Alright, thanks for the screenshots. I understand what you did now. The Mac DNS is populated by the Mullvad app by using its custom DNS feature. That's ok and similar to the solutions one would use with other apps.

      The leaking DNS servers box seems to be a feature from the Mullvad site, which just means that Mullvad thinks you're leaking DNS, because you are not using Mullvad's pushed VPN DNS. This is to be expected since you want to use NextDNS. The "leak" isn't really a leak in this case.

      Here is what I would suggest you try, to get around the limitations of using IPv4 (having to link your IP every day or when ISP changes it, since it is not static):

      In the Mullvad app, remove 45.90.28.225 and 45.90.30.225 as the custom DNS servers and enter the NextDNS IPv6 DNS servers. You will find them in the setup tab of your NextDNS profile. Just copy both lines and paste them into Mullvad. (The redacted part is the profile configuration, which is personal to every user, don't post a screenshot of that number.)


      Then go to https://browserleaks.com/dns and see if Misaka Network or other NextDNS associated DNS shows up. Feel free to post a screenshot of that if unsure.

      Like 1
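The linked-IP caveat raised earlier in the thread (a plain IPv4 resolver can only recognise a profile by the source address that was linked to it) and the IPv6 suggestion in this reply both come down to where the profile ID travels. The following is an added example, not code from the thread or from NextDNS: a small Python model of how a resolver could identify the profile, and therefore the blocklists to apply, for each way a client can reach it. It also records whether the transport is encrypted (DoT and DoH) or plain DNS on port 53, the distinction behind the padlock question in the opening post. The DoH URL form and the IPv6 address layout (profile ID carried in the last two hextets) are assumptions, and all IP addresses and the profile ID are constructed placeholders.

```python
# Added example: a model of how a NextDNS-style resolver ties a query to a
# profile (and so to its blocklists) depending on how the client reaches it.
# Not NextDNS's own code; the DoH URL form and IPv6 layout are assumptions.
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder; a real profile ID is the value shown in the
# NextDNS setup tab (the xxxxxx in xxxxxx.dns.nextdns.io in the thread).
PROFILE_ID = "abc123"


@dataclass
class Query:
    transport: str   # "dot" (Android Private DNS), "doh", or "udp53" (plain DNS)
    server: str      # hostname, URL or IP address the client was configured with
    source_ip: str   # address the resolver sees: the VPN exit IP when tunnelled


def is_encrypted(transport: str) -> bool:
    """DoT and DoH are encrypted; plain UDP/53 to 45.90.28.x is not."""
    return transport in ("dot", "doh")


def identify_profile(q: Query, linked_ips: dict) -> Optional[str]:
    """Return the profile the resolver would apply, or None for no filtering."""
    if q.transport == "dot":
        # Private DNS hostname: the profile ID is the first label, so the
        # client's source address is irrelevant.
        first, _, rest = q.server.partition(".")
        return first if rest == "dns.nextdns.io" and first else None
    if q.transport == "doh":
        # Assumed DoH URL form: https://dns.nextdns.io/<profile-id>
        prefix = "https://dns.nextdns.io/"
        if not q.server.startswith(prefix):
            return None
        return q.server[len(prefix):].split("/")[0] or None
    if q.transport == "udp53":
        if "::" in q.server:
            # Assumed IPv6 layout 2a07:a8c0::ab:c123 -> profile "abc123":
            # the ID rides in the last two hextets, so it survives IP changes.
            hextets = q.server.split("::")[1].split(":")
            if len(hextets) != 2:
                return None
            return hextets[0].rjust(2, "0") + hextets[1].rjust(4, "0")
        # Plain IPv4 (45.90.28.100): nothing in the packet names the profile,
        # so the resolver can only look up the source address it was linked to.
        return linked_ips.get(q.source_ip)
    return None


def walkthrough() -> dict:
    """Replays the situations from the thread; returns {label: profile-or-None}."""
    # Constructed sample addresses: the VPN exit IP that was linked to the
    # profile, and a different exit IP after switching VPN server.
    linked = {"203.0.113.10": PROFILE_ID}
    cases = {
        "android_private_dns_over_vpn": Query("dot", f"{PROFILE_ID}.dns.nextdns.io", "203.0.113.99"),
        "mac_ipv4_linked_ip_matches": Query("udp53", "45.90.28.100", "203.0.113.10"),
        "mac_ipv4_after_server_switch": Query("udp53", "45.90.28.100", "203.0.113.99"),
        "mac_ipv6_profile_in_address": Query("udp53", "2a07:a8c0::ab:c123", "203.0.113.99"),
    }
    return {label: identify_profile(q, linked) for label, q in cases.items()}


if __name__ == "__main__":
    for label, profile in walkthrough().items():
        state = f"filtered by {profile}" if profile else "NOT filtered"
        print(f"{label:32s} -> {state}")
```

Running it shows the point of both replies: the IPv4 case keeps filtering only while the exit address equals the linked one and loses it the moment the VPN server changes, while the Private DNS hostname and the IPv6 address keep identifying the profile regardless of source address. The IPv4 path is also the only one in the model that is unencrypted.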
      • Luke
      • Lukemb64
      • 6 mths ago

      Chris thanks, I'll give that a go and report back!

      • Luke
      • Lukemb64
      • 6 mths ago

      Chris NextDNS says my device does not support IPv6. My OS X is Catalina. When I try to enter the IPv6 DNS server addresses on Mullvad they are not accepted. For now I have gone to using Mullvad's in-house blocker lists instead of NextDNS, but the latter would be better as they seem fuller to me. Any advice welcome!

      • Chris
      • Chris.6
      • 6 mths ago

      Luke Ok, that's weird. According to Apple, Catalina supports IPv6.

      If Mullvad doesn't accept IPv6 entries, you could go back to IPv4, but you'd have to refresh the IP link every day. 

      Otherwise, you could try out the Passepartout app as in my guide.  It supports Mullvad. However, Mullvad seems to be a bit of a special case  according to this

      It looks like Mullvad “hijacks” DNS on default endpoints, making custom DNS settings irrelevant. In order to do custom DNS with Mullvad, make sure to explicitly pick the “Custom DNS” preset, which will let you connect to the UDP:1400 and TCP:1401 endpoints. These endpoints do support custom DNS servers instead.

      But it does work according to the developer. You just have pick a different preset in the Passepartout app. 

      Probably self-explanatory once you install it. If you want to try that and get stuck, feel free to follow up here. 

      • Luke
      • Lukemb64
      • 6 mths ago

      Chris yeah, it is weird. When it says my device does not support it I assume it means the Mac. For now I think I'll stick with the Mullvad in-house blockers on the Mac. On Android it all works fine. Then maybe I'll come back and look at it again.

      • Luke
      • Lukemb64
      • 6 mths ago

      Chris Someone said something about adding 127.0.0.1 as a DNS address somewhere. I wonder also if the DNS addresses on the Mac being the NextDNS' ones are an issue and they should be my actual ISP ones. Just guessing.

      • Chris
      • Chris.6
      • 6 mths ago

      Luke From what I tried in the past I can only say that using a third party client like Passepartout was the easiest way to combine VPN and NextDNS. Takes less than 10 minutes to set up usually. Much easier than anything you probably did so far. If you want to get back to this at some point, let me know. 

      • Chris
      • Chris.6
      • 6 mths ago

      Luke 

      I wonder also if the DNS addresses on the Mac being the NextDNS' ones are an issue and they should be my actual ISP ones. Just guessing.

      Not really an issue. You can just delete them and the Mac will revert to the ISP DNS. 

      • Luke
      • Lukemb64
      • 6 mths ago

      Chris thanks, will check it out!

      • Luke
      • Lukemb64
      • 6 mths ago

      Chris It seems my ISP has not deployed IPv6 yet.

      • Chris
      • Chris.6
      • 6 mths ago

      Luke Someone with more knowledge would have to chime in what that means. My guess would have been that it doesn't matter, because you are not trying to use your ISP DNS. 

      • Luke
      • Lukemb64
      • 6 mths ago

      Chris thanks!

  • Last active 6 mths ago
  • 28 Replies
  • 1182 Views
  • 4 Following