Feature request: add DNS over TLS/HTTPS #91
Comments
This is currently not scheduled for implementation. I'll leave it open but I can't provide any ETA.
For anyone else wanting this increased privacy/security: it seems that the Premium version of AdGuard (which requires a subscription or an AdGuard mobile license) can cooperate with Passepartout to achieve this. However, with one major disadvantage: since AdGuard implements this using a fake VPN, you will always see the VPN logo, even if the real (OpenVPN) VPN from Passepartout is not active (trusted network / bug / ...)
It’s not possible because Passepartout doesn’t install the configuration under “Personal VPN”; it installs it under “VPN Configuration”, which is also where AdGuard is installed. It’s not possible to have both running from the same group... well, for me at least, unless you’ve been able to somehow change that. Please share if you have.
It would be great if you could implement DNS over HTTPS/TLS. Please look into implementing this enhancement.
I know, but my backlog is “intense”, to say the least. 🙃
Yes, same here (now?). @keeshux Did you change the type of VPN over time? (Or did I make a mistake back in July?)
Never. Under "Personal VPN" you find non-custom VPN protocols like IPsec and IKEv2. AdGuard and Passepartout have custom VPN code, that's why they both appear in "VPN Configurations" instead.
I have got the paid version of AdGuard too, but I’m unable to run both AdGuard and Passepartout together, as AdGuard needs a fake VPN connection too to secure the DNS traffic. Were you able to run both AdGuard and Passepartout together?
No. Only with an IKEv2 VPN like PIA or ProtonVPN (so also not when you choose OpenVPN in PIA).
Frankly I wonder why one would need secure DNS in a VPN environment, where everything is already encrypted. Would you share your use cases?
If I run both together, in the AdGuard app I’ll get the advantage of customizing my DNS ad-blocking instructions, and of seeing all my internet traffic if some apps are using the internet without my permission.
"Block ads, trackers and malicious websites on all my devices." (source: NextDNS)
Lack of trust, and VPN providers have been hacked: take NordVPN/TorGuard/VikingVPN, where a server was hacked and they could see all data flowing through that server; this went on for months and wasn’t revealed until it was leaked to the public. VPNs aren’t regulated, and behind the fancy marketing and promises of complete anonymity and privacy someone is still probably harvesting users' data... Encrypted DNS while connected to a VPN is just another safeguard.
What's the point of using a VPN if you don't trust it? Even worse, you trust it for ALL your traffic, except DNS. If you're thinking "most non-DNS traffic nowadays is already encrypted, I just want DNS too", well... again: what's the added value of a VPN? Don't get me wrong, but it makes absolutely no sense to me.
It has its benefits... geo-location unblocking, preventing ISP/government snooping, cafe/internet hotspot defense... that being said, I’d rather use a separate encrypted DNS server than the DNS server provided by the VPN.
Every purpose is defeated if you don't trust the service.
Every purpose is not defeated, and I did give you a few points if you read what I posted: “It has its benefits... geo-location unblocking, preventing ISP/government snooping, cafe/internet hotspot defence”. You obviously just don’t want to implement it, as you are really dismissive... your app doesn’t do much more for me than a normal OpenVPN setup using the VPN provider's own app, hence why I requested a refund. If companies like Cloudflare/AdGuard/NextDNS are offering the dual option where iOS users can still use their IKEv2/IPsec VPN connection with their encrypted DNS service, that should make you wonder, don’t you think?
If you don't get my single, simple statement, then you don't know what you're doing and this conversation is essentially pointless. I'll gracefully give up.
If so, I would have already closed the issue. I'm evaluating long-open issues for prioritization, and nothing's better than prompting users' feedback. Well, not every user's, apparently.
"Your" app. Fair enough, but being unfit for your use-case doesn't mean that the app doesn't work well for other thousands of users. Back off.
Look, I worked for a major provider for 3 years and I know much better than you what most providers go for: your money. Especially money from people like you who are seduced by gimmicks and buzzwords. I'll take WireGuard as the biggest example. The protocol is great by itself, but most providers are only adding it as a selling point. They're not really interested in (nor do they know) what it does, it's just that customers want it so they give it to them to shut their mouths. What most advertise as "features" are gimmicks most of the time, so no, there's absolutely nothing to think about. That's fine, but my goal is providing meaningful features, stripping all the bs. Again, I started the conversation to try to understand how people use this feature, and e.g. the comment by @zaheerhakim makes way more sense than all your noise. That's why I'm keeping the issue open. At the end of the day, I have no interest in buying uninformed users. If you'd rather pay for a buzzword than take the time to learn how a VPN works, go for it. Just don't waste my (and others') time further.
Thanks for correcting my typos btw... 3 years working for a major provider and I’m sure you are a real professional. I’d wish you good luck but obviously you don’t need it since you got “thousands” of users in your little pockets who have bought into your gimmick. You also plan on implementing WireGuard! If you want to make personal side attacks, I’m not the one.
I think the best course of action would be asking AdGuard if there might be a technical way to integrate the two apps together. Any attempt at replicating DNS features inside Passepartout would be ridiculously worse than a well-established service like AdGuard, who definitely knows better than me about the subject. I'll see what I can do.
I did contact AdGuard; from their app it’s not possible.
I know that it's not possible from a user's perspective; I wonder if there might be a path from a developer's perspective.
At the moment your VPN profile gets added under “VPN Configuration”; if it gets added under “Personal VPN”, then both VPN connections, AdGuard and Passepartout, can work together.
Yeah, I'm aware of that. I'm thinking of "deeper" solutions which I might discuss with AdGuard (in case they're interested).
@keeshux work on these updates as well:
iOS 14 will natively support DoH & DoT, but I guess if one uses a VPN then the DNS servers dictated by the VPN will still be used? (NextDNS allows you to set up different configurations that are selected by specific parts of the DoH/DoT address)
Bingo! Look at this: https://developer.apple.com/documentation/networkextension/nednssettings/3552337-dnsprotocol
It's worth reminding that apps built against a beta SDK cannot be submitted to the App Store. This means that the feature will not go live until iOS 14 is released (October). @pro-sumer thanks for your helpful insight. Please send me an email to beta@passepartoutvpn.app with your name.
This "Enable encrypted DNS" WWDC20 video also gives some insight:
Sorry, forgot about that, but I'm already participating in your TestFlight program. (Or did you have a different reason for that request?)
Thanks to iOS 14 / macOS 11, this feature is finally part of upcoming Passepartout versions.
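As an added illustration (not Passepartout's or AdGuard's own code) of what the iOS 14 NEDNSSettings API linked above makes possible: a packet tunnel provider can hand the system DoT (port 853) or DoH (port 443) resolvers instead of plain port-53 servers, so DNS inside the tunnel no longer falls back to the VPN's own cleartext resolver. The enum, function names, addresses and URL below are assumptions for the example.

```swift
import NetworkExtension

// Which resolver flavour the tunnel should advertise (names are this example's own).
enum TunnelDNSMode {
    case cleartext(servers: [String])                       // classic UDP/TCP 53
    case overTLS(servers: [String], serverName: String?)    // DoT, TCP 853
    case overHTTPS(servers: [String], serverURL: URL?)      // DoH, HTTPS 443
}

// Build the NEDNSSettings for the chosen mode. The subclass used determines the
// read-only `dnsProtocol` the system reports (.cleartext, .TLS or .HTTPS).
func makeDNSSettings(for mode: TunnelDNSMode, searchDomains: [String] = []) -> NEDNSSettings {
    let settings: NEDNSSettings
    switch mode {
    case .cleartext(let servers):
        settings = NEDNSSettings(servers: servers)
    case .overTLS(let servers, let serverName):
        let tls = NEDNSOverTLSSettings(servers: servers)
        // Hostname the resolver's certificate is validated against; without it a
        // TLS resolver cannot be authenticated, only encrypted.
        tls.serverName = serverName
        settings = tls
    case .overHTTPS(let servers, let serverURL):
        let https = NEDNSOverHTTPSSettings(servers: servers)
        https.serverURL = serverURL     // the DoH endpoint, e.g. https://host/dns-query
        settings = https
    }
    // An empty string in matchDomains routes ALL queries to these resolvers,
    // so nothing leaks to the resolver pushed by the VPN server.
    settings.matchDomains = [""]
    settings.searchDomains = searchDomains
    return settings
}

// Attach the DNS settings to the tunnel's network settings (call from
// NEPacketTunnelProvider.startTunnel before setTunnelNetworkSettings).
func tunnelNetworkSettings(remoteAddress: String, dns: TunnelDNSMode) -> NEPacketTunnelNetworkSettings {
    let network = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: remoteAddress)
    network.dnsSettings = makeDNSSettings(for: dns)
    return network
}

// Example (placeholder addresses from the documentation range, constructed here):
let dohMode = TunnelDNSMode.overHTTPS(servers: ["203.0.113.53"],
                                      serverURL: URL(string: "https://dns.example.invalid/dns-query"))
let settings = tunnelNetworkSettings(remoteAddress: "198.51.100.1", dns: dohMode)
```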
It's nice that one can configure preferred DNS servers in Passepartout. Unfortunately this only supports the classic DNS over port 53, it seems. It would be nice if Passepartout also implemented the newer DNS over TLS (port 853) or DNS over HTTPS (port 443).
Would it be possible to add this?