mullvadvpn-app
feature: keeping system DNS unchanged or use custom DNS
Hi, I have a local DNS resolver for caching reasons and I want to keep using it when I enable mullvad, but the daemon changes resolv.conf without asking and even monitors it and reverts it every time it is changed. I couldn't find a way to disable this.
could an option be added to disable this behaviour?
We have plans on adding a feature to make the app set a custom DNS resolver. But I'm unsure we want to disable its DNS setting/monitoring completely. The app is fully responsible for the system security and our job is to try to protect the privacy of the people using it. Leaking DNS is terrible for privacy, so it's not something we want to make it too easy for users to do.
being able to set a custom DNS would fix my problem either way
Hi, I'm using a Raspberry Pi with Pi-Hole as a DNS server to filter out ad-related lookups. I have my router configured to set the IP of the RPi as DNS on my network over DHCP, but when starting the Mullvad client, the DNS is changed to e.g. 10.11.0.1.
An option to configure the DNS manually would be very much appreciated!
Side note/question: Is using the Mullvad DNS at 193.138.219.228 as safe as using the one available on each VPN server (e.g. 10.11.0.1)?
@akej74 Yes, the public DNS on that IP is still supported. As explained in our DNS leak guide (under Other users) all requests to it will actually be hijacked and redirected to the DNS resolver running on each VPN server when you are connected to Mullvad. So in practice, using 193.138.219.228 as your DNS through the tunnel effectively becomes equivalent to using the DNS available at the VPN server you are connected to.
https://mullvad.net/en/guides/dns-leaks/
Hi, just a quick question on the topic of adding a custom DNS setting in the Mullvad app, is this something that is on the roadmap? If not, I need to rely on the OpenVPN app, but I would prefer the Mullvad app.
It is on the roadmap. But I don't have a time frame for it currently. It's not part of what we are working on at the moment.
I've just spent 5 minutes or so trying to figure out why I couldn't reach any websites. Of course, I eventually checked the resolv.conf and realised that the Mullvad client must have changed it.
I'm alright with Mullvad changing it, but there needs to be some kind of notice to users that if the VPN is unexpectedly killed, the resolv.conf won't be changed back. In fact, why can't the original DNS configuration be stored somewhere, and have mullvad-daemon change it back when the VPN is not active?
mullvad-daemon does restore the DNS when it's instructed to disconnect. What is it that you mean is unexpectedly killed? mullvad-daemon or OpenVPN? If OpenVPN dies unexpectedly then mullvad-daemon will directly try to start it again. Killing OpenVPN will not make the Mullvad VPN become disconnected, it will just make it retry connecting. For mullvad-daemon to stop trying and restore your system settings to use the internet unencrypted, you need to instruct Mullvad VPN to disconnect.
If you mean that mullvad-daemon is unexpectedly killed and that does not restore your settings then I say it depends a lot on the circumstances and your platform etc.
EDIT: @c-edw If you believe what you are experiencing to be a bug, then please file an issue on that. This issue is about something else, so let's keep them separate.
My laptop battery died while I was connected. I guess it could be considered a bug - it depends on whether the client is supposed to restore the DNS settings in this case.
@c-edw It should indeed have restored the DNS automatically on reboot. We have four different ways of managing DNS depending on what services are available on your distro etc. If you can reproduce the problem it would be awesome if you could send a problem report to our support through the app.
+1 for me. Because it overrides my local DNS server I lose all connectivity to the other servers in my local domain, which results in me being unable to log on (AD Domain), unable to access file shares, etc. I understand why you would want to do this but in my use case it makes the service useless.
I would very much like the ability to set the DNS on the VPN adapter to Mullvad but please make it optional to change all DNS server addresses on all network cards.
+1
Really needed feature for pi-hole users.
You can work around this by installing OpenVPN and creating connection files through Mullvad.
+1 I'm a Pi-Hole user and I'd love to be able to use it together with the (awesome) Mullvad app. Until then, I guess I'll work around this by using OpenVPN.
This is how I set up my OpenVPN client configuration to use a custom, local DNS server (Pi-hole):
#block-outside-dns
pull-filter ignore "dhcp-option DNS"
dhcp-option DNS <local dns ip>
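How the directives in the comment above combine with what the server pushes, as an added example (not code from the thread or from Mullvad). It assumes OpenVPN's documented `pull-filter` behaviour, where the first filter whose text is a prefix of a pushed option decides; `effective_dns`, `resolver_scope` and the address 192.168.1.2 are made up for illustration.

```python
import ipaddress
import shlex


def effective_dns(client_config, pushed_options):
    """Return (dns_servers, block_outside_dns) once pull-filter rules are applied."""
    filters, dns, state = [], [], {"block": False}

    def apply(words):
        if words[:2] == ["dhcp-option", "DNS"] and len(words) == 3:
            dns.append(words[2])
        elif words == ["block-outside-dns"]:
            state["block"] = True

    for raw in client_config.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # commented-out directives are inactive
            continue
        words = shlex.split(line)
        if words[0] == "pull-filter" and len(words) == 3:
            filters.append((words[1], words[2]))  # (action, prefix)
        else:
            apply(words)

    for option in pushed_options:
        # The first filter whose text is a prefix of the pushed option wins.
        action = next((a for a, p in filters if option.startswith(p)), "accept")
        if action == "reject":
            raise ValueError(f"pushed option rejected: {option}")
        if action == "accept":
            apply(shlex.split(option))
    return dns, state["block"]


def resolver_scope(address):
    """Classify a resolver address: loopback, private (LAN or tunnel) or public."""
    ip = ipaddress.ip_address(address)
    return "loopback" if ip.is_loopback else "private" if ip.is_private else "public"


# Constructed sample: 192.168.1.2 stands in for <local dns ip>.
CLIENT = '''client
dev tun
#block-outside-dns
pull-filter ignore "dhcp-option DNS"
dhcp-option DNS 192.168.1.2
'''
PUSHED = ["redirect-gateway def1", "dhcp-option DNS 10.11.0.1"]

if __name__ == "__main__":
    servers, blocked = effective_dns(CLIENT, PUSHED)
    print(servers, [resolver_scope(s) for s in servers], blocked)
```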
Does anyone know if the same works for OpenVPN Connect on iOS? Where local dns ip means local network and not localhost. (I want to use my PiHole DNS server when at home.)
Download the .ovpn files from Mullvad’s config page, open in editor, add these two lines, securely send the files to iOS device … tried it, cannot really confirm if it works … but seems it doesn’t.
+1, would love if this is also possible in Wireguard and not only OpenVPN
+1, this feature would be killer for PiHole users!
+2 if Mullvad could provide ad-blocking DNS on their side instead of relying on Pi-Hole
Would be great if it supported DNS-over-TLS, but I guess it must be implemented on Wireguard first.
I've just figured out how to use DNS-over-TLS on a Wireguard connection:
(It may not apply to Mullvad apps, only official Wireguard software for GNU/Linux and Android)
On a GNU/Linux system you must install and set up unbound or stubby software with the DNS-over-TLS service of your choice (e.g. NextDNS.io), then set your /etc/resolv.conf to 127.0.0.1 and remove the DNS option from your Wireguard configuration (or just set it to DNS = 127.0.0.1)
On Android 9 or later, use the Wireguard official app to connect to Mullvad. Set the DNS option of the desired VPN configuration to blank. It will make it use Android system's DNS. Go to Settings > Network > Advanced > Private DNS and set it to the DNS-over-TLS service of your choice.
I would suggest Mullvad developers to provide an option to "Use system DNS" on their apps. Thanks
Having the client prepend a nameserver 127.0.0.1 to /etc/resolv.conf would already help to prevent killing many automated development environments that run a local DNS resolver and would also provide a "hook" for more advanced users to use for their custom DNS needs.
Correct me if I'm wrong but adding localhost as a DNS server usually should not leak any DNS to the outside world.
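A check for the loopback-resolver setups described in the two comments above (DNS-over-TLS via unbound or stubby, and a `nameserver 127.0.0.1` entry), as an added example that is not part of the thread. It reports every resolver in a wg-quick config or resolv.conf that is not on loopback; the function names and sample files are constructed, and it does not verify that the local resolver itself forwards over TLS.

```python
import ipaddress


def wireguard_dns(conf_text):
    """DNS servers from the [Interface] section of a wg-quick config."""
    section, servers = None, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "interface" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "dns":
                servers += [v.strip() for v in value.split(",") if v.strip()]
    return servers


def resolv_nameservers(resolv_text):
    """Addresses on 'nameserver' lines of a resolv.conf, comments skipped."""
    found = []
    for raw in resolv_text.splitlines():
        fields = raw.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            found.append(fields[1])
    return found


def non_loopback(entries):
    """Entries that are IP addresses outside loopback; queries to them leave the host."""
    flagged = []
    for entry in entries:
        try:
            if not ipaddress.ip_address(entry).is_loopback:
                flagged.append(entry)
        except ValueError:
            continue  # wg-quick treats non-IP DNS entries as search domains
    return flagged


def audit(wg_conf, resolv_conf):
    return {"wireguard": non_loopback(wireguard_dns(wg_conf)),
            "resolv.conf": non_loopback(resolv_nameservers(resolv_conf))}


# Constructed samples; keys and endpoints are omitted on purpose.
WG_LOCAL = "[Interface]\nAddress = 10.0.0.2/32\nDNS = 127.0.0.1\n[Peer]\nAllowedIPs = 0.0.0.0/0\n"
WG_PUSHED = "[Interface]\nAddress = 10.0.0.2/32\nDNS = 10.11.0.1, lan\n[Peer]\nAllowedIPs = 0.0.0.0/0\n"
RESOLV_LOCAL = "# managed locally\nnameserver 127.0.0.1\n"
RESOLV_MIXED = "nameserver 127.0.0.1\nnameserver 192.168.1.1\n"

if __name__ == "__main__":
    print(audit(WG_LOCAL, RESOLV_LOCAL))
    print(audit(WG_PUSHED, RESOLV_MIXED))
```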
Option to personalize DNS resolver is definitely something missing in Mullvad VPN, particularly if you want to use DNS including ad blocking. I actually use Mullvad for the Wireguard compatibility and the hope of the DNS resolver option, but if this option is not implemented soon, sure that I will swap to another VPN provider, sorry to say that. Is it something so hard to implement? Thanks in advance for understanding, and thanks for the great job you've already done. In the hope you'll solve that soon ...
+1 for this option in order to allow pi-hole or other custom ad blocker. thanks for the hard work mullvad team
If you're using wireguard, shouldn't it be as easy as setting DNS in the client config to a custom server? They are normally in /etc/wireguard/*.conf, at least if you set up wireguard yourself. Not sure about where the mullvad app places the configs
+1 on this for sure
+1 here, can't use Mullvad while using Pihole
This would be a great feature. I am keen to use NextDNS alongside the Mullvad VPN app. I could use the Wireguard app to set a different DNS resolver, but the functionality inside the Mullvad app would be my preference.
Are you using wireguard with mullvad, @p1r473? I think there may be a way to get to use both
+1