DNS leaks on VPN: best DNS servers, using dnsmasq and openvpn?

DTS

Regular Contributor
I'm using ExpressVPN on Linux. The Linux box is my router. I have a few related questions:

1. Is it more private to use ExpressVPN's DNS servers or to use well-known privacy-friendly servers?

2. Is this page still reliable? Alternative DNS - WikiLeaks

3. Cloudflare (1.1.1.1) gets good reviews in some places and negative reviews in others. It's not on the above list. But it is consistently the fastest for me other than Google (8.8.8.8) which I choose not to use. Any thoughts on Cloudflare in terms of privacy?

4. Now the harder question: how can I configure dnsmasq on Linux so that it will use ExpressVPN's DNS servers when I'm connected to ExpressVPN? ExpressVPN will not provide information on their DNS server addresses or names, so my config will need to get these servers automatically once I connect to the VPN. I'm not sure how to do any of that.

Currently, I simply set the nameserver directly

Code:
/etc/dnsmasq.conf
resolv-file=<myfile.name>

and <myfile.name> contains lines like this:

nameserver 1.1.1.1

I use netctl and I have a static WAN configuration. When the netctl profile becomes active, it calls a simple script that starts the VPN tunnel.
 

Tech Junky

Very Senior Member
Use pihole / it's easier.

I run a Linux box as my router and use NordVPN instead because it has WireGuard, which hits line-rate speeds and doesn't deal with OVPN madness.

I don't even have to mess with other DHCP / DNS options as it just picks up the DNS from Nord and Pihole as the DNS server to the clients.

If you insist though you can specify the DNS in the /etc/network/interfaces or /etc/dhcp/dhclient.conf

Those 2 locations don't get borked by resolv upon reboot or IF changes.

Code:
server:/opt$ nslookup snbforums.com
Server:         103.86.96.100
Address:        103.86.96.100#53

Non-authoritative answer:
Name:   snbforums.com
Address: 172.67.69.81
Name:   snbforums.com
Address: 104.26.8.66
Name:   snbforums.com
Address: 104.26.9.66
Name:   snbforums.com
Address: 2606:4700:20::ac43:4551
Name:   snbforums.com
Address: 2606:4700:20::681a:842
Name:   snbforums.com
Address: 2606:4700:20::681a:942

I would normally expect it to be using the DNS from pihole which is google / quad9. System DNS should pick up the VPN DNS on its own.

cat /etc/resolv.conf

 

DTS

Regular Contributor
Use pihole / it's easier.

You replied to my question #4. I'm happy with openvpn for now. I also want to continue using dnsmasq. Not looking to change my entire setup, especially when it is working well.

If you insist though you can specify the DNS in the /etc/network/interfaces or /etc/dhcp/dhclient.conf

As mentioned, I use netctl. My DHCP is handled by dhcpcd. That means I don't have either of those locations.

I would normally expect it to be using the DNS from pihole which is google / quad9. System DNS should pick up the VPN DNS on its own.

cat /etc/resolv.conf

I know how to change nameservers to specific values. I can do that in dnsmasq config. The method given at the link above would not work given that I use dnsmasq (I have a custom `resolv-file=` value defined in dnsmasq's config.)

Unfortunately, ExpressVPN doesn't provide their nameserver names or addresses, and I do not know how to populate them after connecting to the VPN while using my current stack.
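For question #4 in the first post (restated just above), the usual mechanism is not to know the provider's resolver addresses in advance at all: OpenVPN hands whatever the server pushes as `dhcp-option DNS ...` to its `--up` script as `foreign_option_1`, `foreign_option_2`, ... environment variables, so a hook can write those into the file named by dnsmasq's `resolv-file=` and send dnsmasq a SIGHUP to re-read it. The script below is an added example written for this thread, not ExpressVPN's, OpenVPN's or dnsmasq's own code. It assumes the resolv-file path `/etc/dnsmasq.d/vpn-resolv.conf` (an assumption; set `DNSMASQ_RESOLV_FILE` or edit the line), that the server actually pushes DNS options, and that `1.1.1.1` is the fallback the poster already uses when the tunnel is down. Because the pushed values come from the remote VPN server, the script accepts only IP-literal characters before writing anything into a file dnsmasq will trust.

```shell
#!/bin/sh
# vpn-dns.sh: OpenVPN --up/--down hook that feeds pushed DNS servers to dnsmasq.
# Added example for this thread; not the poster's, ExpressVPN's or dnsmasq's code.
# Assumptions: dnsmasq.conf has resolv-file=/etc/dnsmasq.d/vpn-resolv.conf
# (path is an assumption), the server pushes "dhcp-option DNS a.b.c.d", and
# dnsmasq re-reads its resolv-file on SIGHUP (documented dnsmasq behaviour).

RESOLV_FILE="${DNSMASQ_RESOLV_FILE:-/etc/dnsmasq.d/vpn-resolv.conf}"
FALLBACK_NS="${FALLBACK_NS:-1.1.1.1}"   # resolver used while the tunnel is down

# pushed_dns: print one pushed resolver address per line, read from the
# foreign_option_1, foreign_option_2, ... variables OpenVPN exports to --up scripts.
pushed_dns() {
    i=1
    while true; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*|"dhcp-option DNS6 "*) echo "${opt##* }" ;;
        esac
        i=$((i + 1))
    done
}

# is_ip_like: accept only characters an IPv4/IPv6 literal can contain, so a
# malformed or hostile pushed option cannot smuggle other text into the resolv-file.
is_ip_like() {
    case "$1" in
        ''|*[!0-9a-fA-F.:]*) return 1 ;;
        *) return 0 ;;
    esac
}

# write_resolv_file FILE NS...: atomically rewrite FILE with one nameserver line per address
write_resolv_file() {
    file="$1"; shift
    tmp="$file.tmp.$$"
    {
        echo "# generated by vpn-dns.sh; do not edit by hand"
        for ns in "$@"; do
            echo "nameserver $ns"
        done
    } > "$tmp" && mv "$tmp" "$file"
}

# reload_dnsmasq: ask a running dnsmasq to re-read its resolv-file
reload_dnsmasq() {
    if command -v pkill >/dev/null 2>&1; then
        pkill -HUP -x dnsmasq 2>/dev/null || true
    fi
}

# vpn_up: install the pushed resolvers; keep the fallback if the server pushed none
vpn_up() {
    set --
    for ns in $(pushed_dns); do
        if is_ip_like "$ns"; then set -- "$@" "$ns"; fi
    done
    if [ $# -eq 0 ]; then
        echo "vpn-dns: server pushed no usable DNS, keeping $FALLBACK_NS" >&2
        set -- "$FALLBACK_NS"
    fi
    write_resolv_file "$RESOLV_FILE" "$@"
    reload_dnsmasq
}

# vpn_down: restore the fallback resolver so clients are not left with dead servers
vpn_down() {
    write_resolv_file "$RESOLV_FILE" "$FALLBACK_NS"
    reload_dnsmasq
}

# OpenVPN sets script_type to "up" or "down" when it invokes the hook
case "${script_type:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Wire it in with `script-security 2`, `up /etc/openvpn/vpn-dns.sh` and `down /etc/openvpn/vpn-dns.sh` in the OpenVPN client config (the path is an assumption). To confirm there is no leak afterwards, enable `log-queries` in dnsmasq briefly and check that forwarded queries go only to the addresses the tunnel pushed, never to the fallback, while the VPN is up.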