VPN Encrypted DNS

Discussion in 'privacy technology' started by DarkH0rse, Nov 21, 2013.

Thread Status:
Not open for further replies.
  1. DarkH0rse

    DarkH0rse Registered Member

    Joined:
    Nov 21, 2013
    Posts:
    2
    I currently have set up a VPN connection which I commonly use at home. My broadband connection at home is provided by BT and I am using the BT home hub provided by BT.

    Unfortunately I am unable to change the DNS servers on the BT home hub, as BT seem to be rather keen on forcing their customers to use their DNS servers. So much so that even if I manually configure the DNS servers on the wireless interface on my laptop, it appears my DNS requests are still diverted to BT's servers.

    Due to BT's heavy-handed approach I have followed the manual instructions found on the leak prevention page at dnsleaktest.com to prevent this from happening when using my VPN connection at home. I have manually configured the DNS server on my wireless interface to be 0.0.0.0 using the command prompt. I have then manually configured the DNS server I wish to use on the TAP adaptor used by the VPN connection.

    With this configuration, when running the DNS leak test, BT's DNS servers are no longer used. Am I correct in thinking that because I have configured the DNS servers on the TAP adaptor, rather than the wireless interface, all my DNS requests are therefore encrypted through the VPN and, to the DNS server, appear to be coming from the VPN provider's IP address instead of my own?

    If the above is true, then why would anyone decide instead to configure their DNS server on the wireless interface and then use software such as DNSCrypt, rather than the method I use?
     
  2. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    On Windows, you need to configure the main adapter (eth0 or wlan0 in Linux speak) to use specific addresses. This is to stop leaks in case they happen. Most people use the Swiss or German Privacy Foundation, Chaos Computer Club, or OpenNIC, etc. supplied servers. Setting them in the router is a secondary backstop. You *can* set them in the TAP adapter as well, if you want, but you'll just be choosing not to use your VPN provider's DNS. I *think* that would mean that your DNS requests would leave the tunnel at the VPN exit IP and get resolved. I'd rather have DNS stay in the tunnel and let the VPN provider resolve, so I leave the TAP DNS as Automatic. Never used DNSCrypt or any of that other DNS stuff. I think ^ that is all correct, but I may be wrong.

    Also, firewall rules can be used to tighten down DNS queries as well.
     
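The configuration the two posts above describe (unroutable DNS on the physical adapter, the chosen resolver on the TAP adapter, and a firewall backstop for port 53), written out as an added PowerShell example. This is not code from the thread or from dnsleaktest.com; the adapter aliases "Wi-Fi" and "TAP-Windows Adapter V9" and the in-tunnel resolver 10.8.0.1 are assumptions, and the script needs an elevated PowerShell on Windows 8 / Server 2012 or later for the NetTCPIP, DnsClient and NetSecurity cmdlets.

```powershell
# Added example, not from the thread: the leak-prevention set-up DarkH0rse
# describes, plus the firewall backstop PaulyDefran mentions, as PowerShell.
# Assumed names (not in the original posts): physical adapter "Wi-Fi",
# OpenVPN TAP adapter "TAP-Windows Adapter V9", in-tunnel resolver 10.8.0.1.
# Requires an elevated PowerShell on Windows 8 / Server 2012 or later
# (NetTCPIP, DnsClient and NetSecurity modules).

$Physical = "Wi-Fi"                     # assumed alias; check with Get-NetAdapter
$Tap      = "TAP-Windows Adapter V9"    # assumed alias of the OpenVPN adapter
$Resolver = "10.8.0.1"                  # assumed resolver reachable only in-tunnel

# 1. Physical adapter: a static, unroutable DNS server (the dnsleaktest.com
#    manual step). netsh accepts 0.0.0.0 where the DnsClient cmdlet may not,
#    so this step shells out to it; validate=no stops netsh probing the address.
netsh interface ipv4 set dnsservers "name=$Physical" source=static address=0.0.0.0 validate=no

# 2. TAP adapter: the resolver you actually want, reached through the tunnel.
#    (Skip this step to keep PaulyDefran's choice of "Automatic", i.e. the
#    resolver the VPN provider pushes.)
Set-DnsClientServerAddress -InterfaceAlias $Tap -ServerAddresses $Resolver

# 3. Firewall backstop: refuse port-53 traffic that tries to leave via the
#    physical adapter. Windows Firewall lets an explicit Block rule win over
#    any Allow rule, so the block is scoped to the physical interface rather
#    than "block all 53, allow on TAP" (that combination would block the TAP too).
foreach ($proto in "UDP", "TCP") {
    New-NetFirewallRule -DisplayName "Block DNS outside VPN ($proto)" `
        -Direction Outbound -Protocol $proto -RemotePort 53 `
        -InterfaceAlias $Physical -Action Block -Profile Any | Out-Null
}

# 4. Verify: per-interface resolver list and the rules just created.
Get-DnsClientServerAddress -InterfaceAlias $Physical, $Tap -AddressFamily IPv4 |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize
Get-NetFirewallRule -DisplayName "Block DNS outside VPN*" |
    Format-Table DisplayName, Enabled, Action -AutoSize

# Undo when the VPN is not in use (otherwise the physical adapter cannot
# resolve anything at all):
#   netsh interface ipv4 set dnsservers "name=$Physical" source=dhcp
#   Get-NetFirewallRule -DisplayName "Block DNS outside VPN*" | Remove-NetFirewallRule
```

The point of scoping the block rule to the physical adapter is that Windows Firewall evaluates explicit blocks before allows, so a single "block outbound 53 everywhere" rule would also stop queries on the TAP adapter. Re-run the script after the VPN provider changes its resolver address, and run the undo lines before relying on the physical adapter without the tunnel.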
  3. RollingThunder

    RollingThunder Registered Member

    Joined:
    Nov 21, 2013
    Posts:
    187
    Location:
    https://www.eff.org/issues/anonymity
    @PaulyDefran:

    I use DNSCrypt over Swiss or German Privacy Foundation, Chaos Computer Club because the DNS is encrypted. Aside from simply liking encryption, I was concerned when I read that Comcast is using a transparent proxy to route customer traffic back through their DNS servers when a customer voluntarily chooses another DNS provider. I believe, if I remember the details of the article, they are doing this over port 53. I suspect that it might be better to select an encrypted TAP provider based on what I have just said. I also fully recognize that I am perhaps descending into a trust issue.

     
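A transparent port-53 proxy of the kind described in the post above answers any UDP/53 query regardless of the destination address, which makes it easy to detect: send a query to an address that cannot legitimately reply and see whether an answer comes back anyway. The following is an added PowerShell check, not code from the thread; it assumes Windows 8 or later (Resolve-DnsName from the DnsClient module), uses 192.0.2.1 from TEST-NET-1 (RFC 5737, never routed on the public Internet) as the impossible resolver, and "example.com" only as a sample name to look up.

```powershell
# Added example, not from the thread: a quick check for a transparent port-53
# proxy. 192.0.2.1 is in TEST-NET-1 (RFC 5737); it is never routed and cannot
# answer. If a query sent to it still returns an answer, something between this
# host and the Internet is intercepting DNS regardless of destination address,
# and changing the resolver on the adapter alone will not help.
# Assumes Windows 8 or later (Resolve-DnsName, Clear-DnsClientCache).

function Test-TransparentDnsProxy {
    param(
        [string]$Name        = "example.com",   # sample name, any public name works
        [string]$BogusServer = "192.0.2.1"      # TEST-NET-1: a real reply is impossible
    )
    Clear-DnsClientCache   # make sure an answer cannot come from the local cache
    try {
        $records = Resolve-DnsName -Name $Name -Type A -Server $BogusServer `
                       -DnsOnly -NoHostsFile -ErrorAction Stop
        $ips = ($records | Where-Object { $_.Type -eq "A" } |
                    ForEach-Object { $_.IPAddress }) -join ", "
        [pscustomobject]@{
            Name        = $Name
            Server      = $BogusServer
            Intercepted = $true
            Detail      = "answered with: $ips"
        }
    } catch {
        # Expected outcome on a clean path: a timeout or "server failure" from
        # the resolver stub, because nothing at 192.0.2.1 ever replies.
        [pscustomobject]@{
            Name        = $Name
            Server      = $BogusServer
            Intercepted = $false
            Detail      = $_.Exception.Message
        }
    }
}

Test-TransparentDnsProxy | Format-List
```

Run it once with the VPN down, so the query takes the ISP path, and once with the VPN up, so it takes the tunnel; "Intercepted = True" on the ISP path but not in the tunnel is exactly the situation where putting the resolver on the TAP adapter (or using DNSCrypt, which does not travel as plain port-53 UDP) makes a difference. A clean result on the bogus address does not prove the ISP's own resolver is honest, which is the trust question the post raises.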