I'm looking for a VPN service but noticed that many use different solutions for dns. Some providers push google servers to the clients, while other services filter google servers. A few providers I found push a couple dns servers (either owned by provider, hoster, or even opendns), and some others push dedicated dns servers which can only be resolved within the vpn. Only one service I found supports dnscrypt. So here's my question, which solution is the best in terms of speed and privacy?
If your VPN provider gives their own DNS for the connection, I would just stay with that, they can see what you are doing anyways. If not, do not use Google, OpenDNS, or any other corporate DNS, pick one of these: http://www.wikileaks.org/wiki/Alternative_DNS Chaos Computer Club or the German Privacy Foundation are good choices
Thanks for the link krusty, i wonder why cisco and google servers are still on that list What would you do if the vpn service has dns servers, but which are not within the vpn network? For example there's a service that has vpn servers all over the world but only two dns servers in America and Europe, which means all dns queries will be routed from client to vpn exit and then unencrypted to dns server.
We are working on something cool to resolve this: https://www.bolehvpn.net/blog/2015/01/16/important-changes-to-our-dns-servers-for-bolehvpn/ DNSCrypt is not necessary with our setup.
I think use a local DNS with a huge database (extract from other DNS service by requesting and storing a big number of site) is the most secure way.
This is rolled out to almost all our servers. Just a few more that we are saving to teach our staff how to implement it
Will you add new countries to bolehvpn? Particularly, I'm thinking of Austria (ORF), Norway (NRK), Liechtenstein and Iceland.
http://wiki.opennicproject.org/Tier2 Martin 'd0wn' Albus' OpenNIC Servers are very reliable in my opinion.
Yes, I wondering what forum users think about the trustworthiness of OpenNIC. krustytheclown2 recommended Chaos Computer Club or the German Privacy Foundation, but if one is not in Germany that seems like it would slow down one's connection.
Thanks mirmir. So do you agree that Chaos Computer Club and the German Privacy Foundation are the best options? Also, I don't think I understand what you mean by "machines cache." You mean my system caches DNS addresses locally (on my computer) so mostly it's not connecting to the DNS server? (I use Linux, FYI). Just trying to understand better how a DNS server halfway around the world would not slowdown web pages loading.
Those are good, yes. But see https://www.wikileaks.org/wiki/Alternative_DNS for more. Yes, after working online for a while, your system has a local DNS cache for sites that you commonly access, so it only hits DNS server(s) for new stuff. Also, just being halfway around the world doesn't add more than 100 msec or so.
I see. Thanks for the explanation. Yes, that was the the link to more DNS servers I was looking at that's linked to above. That's where I got OpenNIC from. Any other services there you think are good?
Swiss Privacy Foundation has also 2 DNS Server (link is german): http://privacyfoundation.ch/de/service/server.html
Thanks. They must have some connection to the German Privacy Foundation, since they have the same logo and webpage design. There is a page in English with a little information about them: http://www.privacyfoundation.ch/en/association.html (most of the site is not translated though).
yes, swiss privacy foundation is a spinoff, the german privacy foundation e.v. has formally been dissolved since june 2013 (they still offer dns servers tho). vpn company proxy.sh has two public, dnscrypt capable ICANN/OpenNIC resolvers: Primary: dns1.proxy.sh or 146.185.134.104 (Netherlands, Amsterdam) Secondary: dns2.proxy.sh or 192.241.172.159 (U.S. New York)
Thanks for the futher thoughts navigat0r and noone_particular. The Wikileaks list includes OpenDNS and Google, so I suppose it depends what one is looking for. Wikileaks seems to only be concerned with issues of censorship, so they list DNS servers that don't filter sites (except for some malicious site filtering done by a couple of the services they list like OpenDNS). But Wikileaks does not seem to be conerned about privacy. Hence they list Google, OpenDNS, Comodo, who may have other motivations in providing DNS services.
