mullvad / mullvadvpn-app

The Mullvad VPN client app for desktop and mobile
https://mullvad.net/
GNU General Public License v3.0
4.89k stars 335 forks

feature: keeping system DNS unchanged or use custom DNS #473

Open codl opened 5 years ago

codl commented 5 years ago

hi, I have a local DNS resolver for caching reasons and I want to keep using it when I enable mullvad, but the daemon changes resolv.conf without asking and even monitors it and reverts it every time it is changed. I couldn't find a way to disable this

could an option be added to disable this behaviour?

faern commented 5 years ago

We have plans on adding a feature to make the app set a custom DNS resolver. But I'm unsure we want to disable its DNS setting/monitoring completely. The app is fully responsible for the system security and our job is to try to protect the privacy of the people using it. Leaking DNS is terrible for privacy, so it's not something we want to make it too easy for users to do.

codl commented 5 years ago

being able to set a custom DNS would fix my problem either way

akej74 commented 5 years ago

Hi, I'm using a Raspberry Pi with Pi-Hole as a DNS server to filter out ad-related lookups. I have my router configured to set the IP of the RPi as DNS on my network over DHCP, but when starting the Mullvad client, the DNS is changed to e.g. 10.11.0.1.

An option to configure the DNS manually would be very much appreciated!

Side note/question: Is using the Mullvad DNS at 193.138.219.228 as safe as using the one available on each VPN server (e.g. 10.11.0.1)?

faern commented 5 years ago

@akej74 Yes, the public DNS on that IP is still supported. As explained in our DNS leak guide (under Other users) all requests to it will actually be hijacked and redirected to the DNS resolver running on each VPN server when you are connected to Mullvad. So in practice, using 193.138.219.228 as your DNS through the tunnel effectively becomes equivalent to using the DNS available at the VPN server you are connected to. https://mullvad.net/en/guides/dns-leaks/

akej74 commented 5 years ago

Hi, just a quick question on the topic of adding a custom DNS setting in the Mullvad app, is this something that is on the roadmap? If not, I need to rely on the OpenVPN app, but I would prefer the Mullvad app.

faern commented 5 years ago

It is on the roadmap. But I don't have a time frame for it currently. It's not part of what we are working on at the moment.

cedws commented 5 years ago

I've just spent 5 minutes or so trying to figure out why I couldn't reach any websites. Of course, I eventually checked the resolv.conf and realised that the Mullvad client must have changed it.

I'm alright with Mullvad changing it, but there needs to be some kind of notice to users that if the VPN is unexpectedly killed, the resolv.conf won't be changed back. In fact, why can't the original DNS configuration be stored somewhere, and have mullvad-daemon change it back when the VPN is not active?

faern commented 5 years ago

mullvad-daemon does restore the DNS when it's instructed to disconnect. What is it that you mean is unexpectedly killed? mullvad-daemon or OpenVPN? If OpenVPN dies unexpectedly then mullvad-daemon will directly try to start it again. Killing OpenVPN will not make the Mullvad VPN become disconnected; it will just make it retry connecting. For mullvad-daemon to stop trying and restore your system settings to use the internet unencrypted, you need to instruct Mullvad VPN to disconnect.

If you mean that mullvad-daemon is unexpectedly killed and that does not restore your settings then I say it depends a lot on the circumstances and your platform etc.

EDIT: @c-edw If you believe what you are experiencing to be a bug, then please file an issue on that. This issue is about something else, so let's keep them separate.

cedws commented 5 years ago

My laptop battery died while I was connected. I guess it could be considered a bug - it depends on whether the client is supposed to restore the DNS settings in this case.

faern commented 5 years ago

@c-edw It should indeed have restored the DNS automatically on reboot. We have four different ways of managing DNS depending on what services are available on your distro etc. If you can reproduce the problem it would be awesome if you could send a problem report to our support through the app.

Rouzax commented 5 years ago

+1 for me. Because it overrides my local DNS server I lose all connectivity to the other servers in my local domain, which results in me being unable to log on (AD Domain), unable to access file shares, etc. I understand why you would want to do this but in my use case it makes the service useless.

I would very much like the ability to set the DNS on the VPN adapter to Mullvad but please make it optional to change all DNS server addresses on all network cards.

aalhitennf commented 5 years ago

+1

Really needed feature for pi-hole users.

Rouzax commented 5 years ago

You can work around this by installing OpenVPN and creating connection files through Mullvad.

sfreyux commented 5 years ago

+1 I'm a Pi-Hole user and I'd love to be able to use it together with the (awesome) Mullvad app. Until then, I guess I'll work around this by using OpenVPN.

jelbo commented 5 years ago

This is how I set up my OpenVPN client configuration to use a custom, local DNS server (Pi-hole):

#block-outside-dns
pull-filter ignore "dhcp-option DNS"
dhcp-option DNS <local dns ip>

fooness commented 5 years ago

This is how I set up my OpenVPN client configuration to use a custom, local DNS server (Pi-hole):

#block-outside-dns
pull-filter ignore "dhcp-option DNS"
dhcp-option DNS <local dns ip>

Does anyone know if the same works for OpenVPN Connect on iOS? Where local dns ip means the local network and not localhost. (I want to use my Pi-hole DNS server when at home.)

Download the .ovpn files from Mullvad’s config page, open in editor, add these two lines, securely send the files to iOS device … tried it, cannot really confirm if it works … but seems it doesn’t.

DjCrays commented 5 years ago

+1, would love if this is also possible in Wireguard and not only OpenVPN

juliangaal commented 5 years ago

+1, this feature would be killer for PiHole users!

sheevy commented 5 years ago

+2 if Mullvad could provide ad-blocking DNS on their side instead of relying on Pi-hole

semente commented 4 years ago

Would be great if it supported DNS-over-TLS, but I guess it must be implemented on Wireguard first.

semente commented 4 years ago

I've just figured out how to use DNS-over-TLS on a Wireguard connection:

(It may not apply to Mullvad apps, only official Wireguard software for GNU/Linux and Android)

On a GNU/Linux system you must install and set up unbound or stubby with the DNS-over-TLS service of your choice (e.g. NextDNS.io), then set your /etc/resolv.conf to 127.0.0.1 and remove the DNS option from your Wireguard configuration (or just set it to DNS = 127.0.0.1).

On Android 9 or later, use the official Wireguard app to connect to Mullvad. Set the DNS option of the desired VPN configuration to blank. This makes it use the Android system DNS. Go to Settings > Network > Advanced > Private DNS and set it to the DNS-over-TLS service of your choice.

I would suggest that the Mullvad developers provide a "Use system DNS" option in their apps. Thanks

tobias-kuendig commented 4 years ago

Having the client prepend a nameserver 127.0.0.1 to /etc/resolv.conf would already help to prevent killing many automated development environments that run a local DNS resolver, and would also provide a "hook" for more advanced users to use for their custom DNS needs.

Correct me if I'm wrong, but adding localhost as a DNS server usually should not leak any DNS to the outside world.

FilipoMoake commented 4 years ago

An option to personalize the DNS resolver is definitely something missing in Mullvad VPN, particularly if you want to use DNS that includes ad blocking. I actually use Mullvad for the Wireguard compatibility and the hope of the DNS resolver option, but if this option is not implemented soon, I will surely swap to another VPN provider, sorry to say that. Is it something so hard to implement? Thanks in advance for understanding, and thanks for the great job you've already done. In the hope you'll solve that soon ...

techwoes commented 4 years ago

+1 for this option in order to allow pi-hole or other custom ad blocker. thanks for the hard work mullvad team

juliangaal commented 4 years ago

If you're using wireguard, shouldn't it be as easy as setting DNS in the client config to a custom server? They are normally in /etc/wireguard/*.conf, at least if you set up wireguard yourself. Not sure about where the mullvad app places the configs.

techwoes commented 4 years ago

+1 on this for sure

p1r473 commented 4 years ago

+1 here, can't use Mullvad while using Pi-hole

MitchellCash commented 4 years ago

This would be a great feature. I am keen to use NextDNS alongside the Mullvad VPN app. I could use the Wireguard app to set a different DNS resolver, but the functionality inside the Mullvad app would be my preference.

juliangaal commented 4 years ago

+1 here, can't use Mullvad while using Pi-hole

Are you using wireguard with mullvad @p1r473 ? I think there may be a way to get to use both

scafroglia93 commented 4 years ago

+1

ghost commented 4 years ago

Would be great to see a Custom DNS setting in the app overall, Android, Desktop, etc. After such a long time it would please a lot of people to be able to use whatever custom DNS they want, self-hosted or not, with features which the Mullvad DNS frankly does not provide, e.g. ad blocking, or domain whitelisting or blacklisting, which other solutions like Pi-hole can offer.

p1r473 commented 4 years ago

+1 here, can't use Mullvad while using Pi-hole

Are you using wireguard with mullvad @p1r473 ? I think there may be a way to get to use both

I can't connect to Mullvad while Pi-hole is enabled. I got an error saying the DNS system preference couldn't be changed.

p1r473 commented 4 years ago

[screenshot attached to the original comment]

benoitjpnet commented 4 years ago

Interesting behavior:

On my OnePlus 6 smartphone, I can use the Mullvad app and Android's private DNS together. On my Samsung Galaxy Tab S5e I cannot use Android's private DNS if I use the Mullvad app.

Why these differences... Intriguing.

tazjin commented 4 years ago

But I'm unsure we want to disable its DNS setting/monitoring completely

This should be an option. For example, DNS settings are not mutable on my machine and I need to either patch the mullvad client or present it with a "fake" resolved to make it work. In practice that means I just don't use the client.

ph00lt0 commented 4 years ago

@fooness using Pi-hole as DNS is of course a good idea, but think about this. In an ideal scenario, when you are outside, Mullvad will fall back to its own DNS; however, what happens if the network you are on uses the same local IP for its DNS service as your Pi-hole at home? Then, without you noticing, you might leak your DNS data.
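As an added example (not code from the Mullvad app or from anyone in this thread), a small resolv.conf audit that encodes semente's local-stub setup above and the address-collision caveat in this comment. The tunnel resolver addresses are the ones quoted in the thread; the Pi-hole address is a constructed placeholder.

```python
# Added example: audit the nameservers in a resolv.conf against the DNS
# setups discussed in this thread. Not code from the Mullvad app.
import ipaddress
from typing import Dict, List, Optional

# Assumed addresses, taken from the thread: the resolver the VPN server
# pushes (10.11.0.1) and Mullvad's public resolver (193.138.219.228), which
# faern says is redirected to the server-side resolver inside the tunnel.
TUNNEL_RESOLVERS = {"10.11.0.1", "193.138.219.228"}


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the 'nameserver' values in resolv.conf order, ignoring comments."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify(server: str, custom_lan_dns: Optional[str] = None) -> str:
    """Verdict for one nameserver; custom_lan_dns is e.g. a Pi-hole address."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        # semente's setup: a local stub (unbound/stubby) forwarding over
        # DNS-over-TLS. No plaintext DNS leaves the host, provided the
        # stub's upstream traffic is itself routed through the tunnel.
        return "local-stub"
    if str(ip) in TUNNEL_RESOLVERS:
        return "tunnel"
    if ip.is_private:
        if custom_lan_dns and ip == ipaddress.ip_address(custom_lan_dns):
            # Reaches the Pi-hole at home, but a foreign LAN reusing the same
            # private address would silently receive the queries (ph00lt0).
            return "custom-lan-collision-risk"
        return "unexpected-lan"
    return "public-plaintext-leak"


def audit(resolv_conf: str, custom_lan_dns: Optional[str] = None) -> Dict[str, str]:
    """Map each configured nameserver to its verdict."""
    return {s: classify(s, custom_lan_dns) for s in parse_nameservers(resolv_conf)}


if __name__ == "__main__":
    # Constructed sample resolv.conf; 192.168.1.2 stands in for a Pi-hole.
    sample = "# constructed\nnameserver 127.0.0.1\nnameserver 192.168.1.2\nnameserver 8.8.8.8\n"
    for server, verdict in audit(sample, custom_lan_dns="192.168.1.2").items():
        print(f"{server:16} {verdict}")
```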

husim0 commented 4 years ago

Would be great to have this option to set a custom DNS server. Thank you !

jowabels commented 4 years ago

+1, Pi-hole and Mullvad (Wireguard) would be lovely. If Mullvad DNS servers integrate with Pi-hole (I don't know if that is possible), that would be better.

ph00lt0 commented 4 years ago

Actually, what you say, @jowabels, would be great. I suggested adding a firewall option. They think that it's out of scope, but honestly, it should not be too difficult as I see it. Adding Pi-hole that way would resolve the issue. I think that people would be willing to pay for that service, at least I would. Private Internet Access also has some features for blocking some ads (not that great but it's a start).

RandomUserName22 commented 4 years ago

Custom DNS has many uses in all environments. We have been waiting for it for a while now. Should be easy enough to implement - it can be done with manual port settings (you know the ones), so why not give those ports as a choice within the apps?

faern commented 4 years ago

It's not just about using different ports on the VPN servers. We have very strict firewall rules and other blocks in place locally on the device running the app. These limit exactly which DNS server is and can be used. In order to implement custom DNS we need to add an input field in the app where the user can specify which DNS server they want and then all security rules must adapt to conditionally use this custom IP instead of the one for our server.

So far not very hard to implement. But the tricky part comes as soon as we need to support custom DNS on either the LAN or on the routable internet; those are trickier changes that I won't go into the details of.

All of this is simple in "vanilla" VPN apps that just create a tunnel, because they don't take measures to lock down unwanted stuff. We do, and as such all of those components must be able to adapt to changes in DNS, we can't just let any DNS out.

RandomUserName22 commented 4 years ago

I might have oversimplified a little, but conceptually it is quite doable: you have competitors' apps which already do the same (expressvpn, nordvpn), and it can also be done with third-party apps (Viscosity can be set up to use custom dns, split tunnels, and with a little scripting can lock down the system so that if the tunnel drops all internet activity is blocked).

This is a feature that many people desire. I know I would be willing to pay extra for it.

jowabels commented 4 years ago

Hi @faern, quick question: do the DNS servers of Mullvad implement some sort of ad blocking? If not, will there be efforts to go in that direction?

faern commented 4 years ago

Hi @faern, quick question: do the DNS servers of Mullvad implement some sort of ad blocking? If not, will there be efforts to go in that direction?

They do not block anything. Yes there are internal discussions about supporting this sometime in the future. But that's an infrastructure question and not related to custom DNS in the app, even if the use cases can overlap for some scenarios.

jamesmacwhite commented 4 years ago

I've been recently evaluating Mullvad and found it to be excellent, except this missing feature in the app. It would be nice if the app allowed you to use local DNS, rather than forcing Mullvad DNS servers without any option to disable this. I understand your primary goal is privacy, but this is something more technical users would be aware of. Chances are their local DNS/custom DNS won't be a prying ISP and is probably something like PiHole with DNSCrypt or DNS over TLS, so still strong, even if it isn't going through the VPN tunnel.

I guess I could run OpenVPN or Wireguard directly with a Mullvad config to keep local DNS, but the app does offer a few good features which are more easily configurable as a client than having to go the OpenVPN config route. Also, from a Linux perspective, NetworkManager and its OpenVPN plugin/functionality is really hit and miss, so I'd rather not have to do this.

Just my thoughts.

On an unrelated note, well done for being a VPN provider who actually offers IPv6, rather than the IPv6 leak protection crap others do. Thank you for being in the 21st century.

mike386 commented 4 years ago

The ability to use a filtering DNS server is not just a nice addition to a privacy-oriented service, it is a must.

While preventing DNS leaks, the service also does not let the user stick with third-party services like AdGuard DNS - it just intercepts all DNS queries and redirects them to its own, non-filtering DNS server (also true if the user connects with a WireGuard configuration file). To work around this, the user may configure a local resolver that forwards all DNS queries to a filtering DNS server via DoT/DoH (and most probably configure that server to support such protocols). On every device.

Having to deal with ad-blocking browser extensions has its drawbacks. First, it is another piece of software with its vulnerabilities, often not receiving as much attention as browsers themselves (search for "Mega.nz Chrome Extension Hacked"). Second, it does not protect privacy device-wide (which is a big deal for mobile devices).

I hope that Mullvad will eventually have its filtering DNS server (10.9.0.2 would be a great option!) that would implement similar functionality to Pi-Hole.

harish2309 commented 4 years ago

If you still want to use your own DNS, like a Pi-hole IP, then I found a hacky solution to have Mullvad stop editing resolv.conf.

chattr +i /etc/resolv.conf

So my DNS remains in place and Mullvad starts; however, yes, DNS will be leaking via this method, which may or may not outweigh using your own DNS while connected to Mullvad.

jamesmacwhite commented 4 years ago

Yes. I guess you could essentially lock the file from being edited as a workaround, but ideally the app itself should allow you to maintain local DNS resolution. Someone else in this thread mentioned they want it for local DNS resolution i.e. Active Directory and therefore need local DNS, I am in a similar boat.

aaronraimist commented 4 years ago

@harish2309 at least for me on macOS (using sudo chflags schg /var/run/resolv.conf) that doesn't work. Mullvad just blocks DNS requests so nothing loads.

jamesmacwhite commented 4 years ago

@aaronraimist @harish2309 Same thing on Linux as well. The app has been designed specifically to force DNS requests; blocking resolv.conf from being modified just breaks DNS resolution entirely for me. It is not a solution.

The only viable way is running Wireguard or OpenVPN directly without the app currently.