
Question about IP address while using a VPN

Hello and good day folks, 

I have just started using nextDNS and so far I am very happy with how easy it is to set up everything. I am using a VPN, and my primary motivation is to hide my IP address to maintain privacy on the internet.

The VPN works great, and every time I use any internet service, the IP address of the VPN is used instead of my own IP address.

However, when I go to my nextDNS analytics dashboard, I only see my own IP addresses in the dashboard, and not the IP addresses of the VPN. Why is this the case? Is it because when I query the nextDNS nameservers, the request is sent via my network using some OS-level DNS lookup, maybe, while when I use a VPN to browse the internet the IP address of the VPN is used?

I would like to understand more about how to maintain healthy online privacy hygiene.

Looking forward to your answers.

4 replies

    • Martheen
    • 7 mths ago

    Depending on how you set up NextDNS, your VPN, and how your OS handles DNS traffic, it's possible for DNS traffic to ignore the VPN tunnel.

    If you set DoH in your browser, that should always use your VPN tunnel, though obviously this only covers browser traffic.

    Regardless of how you set up NextDNS, websites still can't figure out your IP when the VPN is active, but they can tell you're using NextDNS, and guess what filter list you're using. This would be useful to fingerprint you even when you're using incognito (otherwise they can just track you with cookies).

      • level0networker
      • 7 mths ago

      Thank you for your response. I have some follow-up questions just to get my mental model right.

      > Depending on how you set up NextDNS, your VPN, and how your OS handles DNS traffic, it's possible for DNS traffic to ignore the VPN tunnel.

      I am using tailscale to set up NextDNS. I set up nextDNS's ID as a nameserver, and tailscale uses this nameserver globally for all the devices on my tailscale. (This is the guide of theirs that I follow.)

      I also use tailscale's mullvad integration to connect to exit nodes, which is how I am able to change my IPs. (Here is their guide for using mullvad.)

      > If you set DoH in your browser, that should always use your VPN tunnel, though obviously this only covers browser traffic.

      This brings me to my first question:

      1. Regarding DNS over HTTPS (DoH) and DNS over TLS (DoT), my setup currently shows NextDNS' IP addresses on browserleaks.com/dns for DNS servers. Does this mean my DNS queries are *not* effectively masked? I understand DoH uses HTTPS, so even the websites shouldn't be able to see any information about DNS queries.

      And my second question is:

      2. In my NextDNS analytics dashboard, should I be seeing the IP addresses of my VPN (Mullvad exit nodes) instead of my ISP-assigned IP?

      According to my understanding, I think yes, I should see the IP addresses of my VPNs and not the IP address that my ISP is assigning me. Given that I'm using a secure WireGuard tunnel to route all internet traffic through the VPN, I expect this to be the case.

      I look forward to your reply.

      • Martheen
      • 7 mths ago

      > even the websites shouldn't be able to see any information about DNS queries

      Regardless of unencrypted DNS, DoH, DoT, or DoQ, websites can still see plenty of information about DNS queries; that browserleaks page is literally a website, and it can tell you're using NextDNS.

      The way those DNS test sites work is that they tell your browser to resolve a unique subdomain on the fly. Since this subdomain doesn't exist in any cache, your browser will send a query to NextDNS, and NextDNS in turn will send a query to the nameserver. The nameserver sees that request and knows the NextDNS IP, since it has to send the reply to that IP. DoH is only used between your PC and NextDNS, so your ISP and your VPN don't see what unique subdomain you're querying, though they *still* see the unique domain you're *visiting*, since SNI still exposes it anyway (SNI isn't exposed to your ISP when you're using a VPN).

      It appears that your setup sends unencrypted DNS queries to the NextDNS IPv6 address, which for some reason Tailscale doesn't send to the Mullvad exit node; contact Tailscale to clarify whether it's an intended feature or a bug. In this situation, your ISP sees your DNS queries & responses (and can even modify them).
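As an added example (not from this thread, nor code from NextDNS or Tailscale), here is a small Linux check for the situation described above, where DNS packets leave outside the tunnel: it reads the nameservers from /etc/resolv.conf, asks the kernel with `ip route get` which interface each would egress on, and flags any that is not the tunnel interface. The interface name `tailscale0`, the sample addresses and the sample route output are assumptions.

```python
import re
import subprocess
from typing import Callable, List, Optional, Tuple

# Constructed sample of what `ip route get <addr>` prints on Linux; the
# addresses and interface names are placeholders, not real NextDNS endpoints.
SAMPLE_ROUTES = {
    "203.0.113.10": "203.0.113.10 via 100.100.100.100 dev tailscale0 src 100.64.0.5 uid 1000\n    cache",
    "2001:db8::53": "2001:db8::53 from :: via fe80::1 dev eth0 proto ra src 2001:db8:1::7 metric 1024",
}


def route_dev(route_output: Optional[str]) -> Optional[str]:
    """Return the 'dev' field from `ip route get` output, or None if absent."""
    m = re.search(r"\bdev\s+(\S+)", route_output or "")
    return m.group(1) if m else None


def resolv_nameservers(resolv_conf: str) -> List[str]:
    """Extract nameserver addresses from the text of /etc/resolv.conf."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def kernel_route(addr: str) -> str:
    """Ask the kernel which route a packet to addr would take (Linux only)."""
    fam = "-6" if ":" in addr else "-4"
    cmd = ["ip", fam, "route", "get", addr]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def dns_route_report(servers: List[str], lookup: Callable[[str], Optional[str]],
                     tunnel_if: str) -> List[Tuple[str, Optional[str], bool]]:
    """For each DNS server: (server, egress interface, True if it bypasses the tunnel)."""
    report = []
    for s in servers:
        dev = route_dev(lookup(s))
        report.append((s, dev, dev != tunnel_if))
    return report


if __name__ == "__main__":
    with open("/etc/resolv.conf") as f:
        configured = resolv_nameservers(f.read())
    for server, dev, leaks in dns_route_report(configured, kernel_route, "tailscale0"):
        print(f"{server:40} dev={dev} {'BYPASSES TUNNEL' if leaks else 'ok'}")
```

Where resolv.conf points at a local stub (systemd-resolved's 127.0.0.53 or Tailscale's 100.100.100.100), run the same check against the upstream servers the stub forwards to (for example from `resolvectl status`), since the route to the stub itself says nothing about where the real queries go.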

    • level0networker
    • 7 mths ago

    Thanks, I will reach out to tailscale and understand why my DNS queries are not forwarded to my exit nodes, which can be a feature more than a bug.
