I found an easy-to-use DNS leak test site. Is it any good? My Private Network https://www.my-private-network.co.uk/dns-leak-test/ I like that it's truthful and doesn't scare you into buying their VPN service.
I don't think so. I'm getting the result the site says I should, except it says Cloudflare instead of My Private Network for the provider.
It works fine for me. Browser on Windows prints that I use my ISP DNS - true. Browser on OpenBSD prints that I use OpenDNS servers - true. My OpenBSD config:

Code:
# the system stub resolver sends everything to the local Unbound
$ grep nameserver /etc/resolv.conf
nameserver 127.0.0.1
# Unbound forwards all queries to dnscrypt-proxy listening on 127.0.0.1 port 40
$ grep -v '^#' /var/unbound/etc/unbound.conf | grep forward-addr
forward-addr: 127.0.0.1@40
# dnscrypt-proxy (1.x flags): daemonize, drop privileges, use the "cisco" (OpenDNS)
# resolver entry, listen on 127.0.0.1:40, TCP only, ephemeral keys per query
$ grep '^daemon_flags' /etc/rc.d/dnscrypt_proxy_one
daemon_flags="-d --user=_dnscrypt-proxy -R cisco --local-address=127.0.0.1:40 -T -E"
It seems Unbound has built-in support for DNS over TLS. It only needs to be configured correctly.

Code:
# Unbound forwarding to Cloudflare on the DNS-over-TLS port
$ grep -v '^#' /var/unbound/etc/unbound.conf | grep forward-addr
forward-addr: 1.1.1.1@853
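A fuller Unbound DNS-over-TLS forwarder, added here as an example and not taken from any poster's config. The point it adds to the one-line grep above: `forward-addr: 1.1.1.1@853` on its own only changes the port; without `forward-tls-upstream: yes` Unbound still sends plaintext DNS to 853, and without `tls-cert-bundle` it encrypts but never verifies which server it is talking to. The `#authname` suffix pins the expected certificate name. Paths are OpenBSD's (the thread's host), and the assumption is that `/etc/ssl/cert.pem` is the trusted CA bundle on that system.

```conf
# /var/unbound/etc/unbound.conf (fragment, added example; OpenBSD paths assumed)
server:
        interface: 127.0.0.1
        # CA bundle used to verify the upstream's certificate (assumed path).
        # Without this line the TLS session is encrypted but unauthenticated.
        tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
        name: "."
        # Speak TLS to every forwarder in this zone; the default (no) would
        # send plain UDP/TCP DNS to port 853, which the resolver will not answer.
        forward-tls-upstream: yes
        # IP@port#authname: the name after '#' must match the server certificate
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Check the syntax with `unbound-checkconf /var/unbound/etc/unbound.conf` before restarting, then confirm on the wire (e.g. `tcpdump -ni egress port 53 or port 853`) that only port 853 traffic leaves the box: a leak test site only tells you which resolver answered, not whether the hop to it was encrypted.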
@mirimir Am I secure using the free Cloudflare DNS servers 1.1.1.1 & 1.0.0.1 with a VPN? Or should I use the VPN provider's DNS servers, which are slower?
Sure, you can use the Cloudflare DNS servers. But make sure that you have firewall rules that only allow traffic through the VPN tunnel, or use a VPN client that has a built-in firewall. Without such firewall rules, queries to 1.0.0.1/1.1.1.1 could go direct, rather than through the VPN. Given the claimed security of Cloudflare DNS, and the promised privacy, one might not worry about that issue. But I would
My test results said that I communicated with 13 DNS servers, 1 of which seems to be associated with my VPN provider. The remaining 12 are Cloudflare DNS servers. Should I be concerned that all of the Cloudflare DNS servers were local? By local I don't mean the city my VPN says I'm in, I mean the city I'm truly in!
I don't have any firewall rules set in regards to my VPN, because I don't always connect via VPN. There are times that I need to connect without a VPN, and if I had the firewall rules you mentioned, wouldn't I not be able to?
Yes, you'd need to change rules when the VPN connected. That's an advantage of VPN clients with built-in firewalls.
Brosephine, just a personal thought to inject here. I would trust your VPN's DNS over Cloudflare's every time. You are already paying for and thereby trusting the VPN provider with your connection. Why add another possible weak link to your connection chain? You had mentioned there was a speed difference, which might be a factor if it's severe. I don't see that with my VPN providers. BTW - it's much easier to write a firewall rule to "contain" one DNS server inside a tun0 than to factor a ruleset for multiple ranges of DNS servers. I didn't see a mention of which VPN provider you are using, but if it's one of the top 5 mentioned throughout this forum you should be good to go on their DNS. Speaking of the top 5, I bet they would have a custom client that would handle this all for you if you don't have the inclination to learn it yourself. My .02: if I ran a dnsleaktest (regardless of the tool used to do that) and saw 13 different DNS servers I would not sleep well. Of course others will differ, but I don't want that for myself.
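What the "only allow traffic through the VPN tunnel" rules from a few posts up, and the "contain one DNS inside a tun0" idea just above, look like in practice, written as an added example for OpenBSD pf (the OS already used in this thread) rather than anything a poster runs. All interface names and addresses are assumptions: `em0` as the physical uplink, `tun0` as the tunnel, `203.0.113.10` as the VPN gateway and `10.8.0.1` as the provider's resolver inside the tunnel. The ruleset is a default-deny one: the only packets allowed out the physical interface are the VPN handshake itself (and DHCP), so if the tunnel drops, nothing leaks, and inside the tunnel port 53/853 is allowed only to the one VPN resolver.

```conf
# /etc/pf.conf (added example; interface names and addresses are assumptions)
ext_if     = "em0"            # physical uplink
vpn_if     = "tun0"           # tunnel interface created by the VPN client
vpn_server = "203.0.113.10"   # VPN gateway reachable on the uplink
vpn_dns    = "10.8.0.1"       # provider resolver reachable only inside the tunnel

set skip on lo

# Default deny: anything not explicitly passed below cannot leave the host,
# which is what stops DNS (or anything else) from going direct when the
# tunnel is down.
block return log all

# The uplink may carry only the tunnel itself (OpenVPN on UDP 1194 assumed)
# plus DHCP so the interface can keep its address.
pass out quick on $ext_if proto udp from ($ext_if) to $vpn_server port 1194 keep state
pass out quick on $ext_if proto udp from port 68 to port 67

# Inside the tunnel: DNS is "contained" to the VPN resolver. The pass rule is
# matched first because of "quick"; the following block then catches every
# other resolver on 53 (Do53) or 853 (DoT), so 1.1.1.1 cannot be queried
# even via the tunnel unless it is deliberately added here.
pass out quick on $vpn_if proto { tcp, udp } to $vpn_dns port 53 keep state
block return out quick on $vpn_if proto { tcp, udp } to port { 53, 853 }

# Everything else is fine as long as it goes through the tunnel.
pass out on $vpn_if keep state
```

Load it with `pfctl -f /etc/pf.conf` and check the match counters with `pfctl -vsr` after a leak test: hits on the `block` rules are exactly the queries that would have leaked. This also illustrates the point raised earlier about needing different rules when the VPN is off: with this file loaded, a session without the tunnel has no working DNS at all, so a second, permissive ruleset (or a VPN client that swaps rules itself) is needed for those times.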
@Palancar I appreciate your helpful response. I absolutely agree with your point that adding Cloudflare is simply adding another possible weak link and that I'm probably better off sticking with my VPN provider's DNS servers. As I write this I am not sure what the top 5 VPN providers mentioned on this forum are, but I will look into it after I write this. My VPN is recommended on privacytools.io and is quite feature rich, so I am sure that I am in good hands. My inclination is definitely to learn this rather than having it fixed and configured for me. However, my firewall is part of my AV protection, and I have looked at the firewall rules in the past and remember them being quite complicated and above my level of understanding.