By default, when you connect to a commercial VPN, the VPN provider also handles your DNS. This means the VPN provider sees both your traffic and your DNS lookups. For users who want to split this trust (use one provider for the tunnel, another for DNS), the configuration is possible but takes some setup.
This guide covers when you should bring your own DNS to your VPN, how to configure it, and the trade-offs.
When this matters
For most users, having the VPN provider also do DNS is fine. The VPN provider sees your traffic anyway; adding DNS visibility does not meaningfully increase what they know.
When this becomes interesting:
You want to use NextDNS or ControlD’s filtering and per-device profiles, while routing traffic through Mullvad or another VPN.
You distrust the VPN provider for DNS specifically (perhaps the VPN handles network competently but you want a different company logging your DNS lookups).
You want to combine network-level ad blocking from your local Pi-hole with VPN-tunneled traffic.
You have specific corporate or compliance requirements that mandate certain DNS providers.
How VPN providers handle DNS by default
Most commercial VPNs route DNS queries through the VPN tunnel to the provider’s own DNS servers. The DNS lookups are protected from your ISP but visible to the VPN provider.
The VPN client typically forces all DNS queries through this tunnel, even if you have configured a different DNS at the OS level. This is “DNS leak protection,” which prevents your DNS lookups from leaking to the network you are on.
Bringing your own DNS means working with this DNS leak protection rather than against it.
How to bring your own DNS
Three main approaches:
Approach 1, configure the VPN client to use a different upstream
Most VPN clients let you specify a custom DNS server in their settings. This is the simplest approach.
Mullvad: Settings, VPN settings, custom DNS. Enter the IPs of your preferred DNS provider (Cloudflare 1.1.1.1, Quad9 9.9.9.9, NextDNS IPs, etc.).
NordVPN: similar setting, allows custom DNS configuration.
ProtonVPN: settings allow custom DNS configuration.
ExpressVPN: more limited; their client tends to want to manage DNS itself.
This approach uses your custom DNS server but routes the queries through the VPN tunnel. Your custom DNS provider sees the queries; the VPN provider does not see the actual hostnames you are querying (although they see the encrypted traffic to your DNS provider’s IP). This holds only when the queries to your DNS provider are themselves encrypted (DoH or DoT): plain DNS to an IP such as 1.1.1.1 on port 53 is decrypted at the VPN exit along with the rest of your traffic, so the VPN provider can still read those hostnames.
Approach 2, configure DoH at the browser level
Browsers can configure DNS over HTTPS independently of the OS or VPN settings. Firefox, Chrome and Brave all expose a DoH setting that works this way.
When the browser uses DoH directly, it sends DNS queries via HTTPS to your specified provider, regardless of the OS DNS configuration. The VPN tunnel still encrypts the connection at the network layer; the DNS provider is the one you specified.
This works only for browser DNS lookups. Other apps (email client, system updates, native apps) still use the OS DNS configuration.
Approach 3, configure encrypted DNS at the OS level
Modern operating systems support DoH or DoT natively.
iOS and macOS: install a configuration profile from your DNS provider (NextDNS, Cloudflare, etc.).
Windows 11: Settings, Network, DNS server assignment, configure DoH.
Android: Settings, Network and Internet, Private DNS, enter the provider hostname.
Linux: configure systemd-resolved (which supports DoT) or a similar local resolver to use DoH or DoT.
The OS-level encrypted DNS handles all DNS queries from all apps on the device. When combined with a VPN, the encrypted DNS query goes through the VPN tunnel to your chosen provider, which the VPN provider cannot read (because the DNS query is itself encrypted).
This is the cleanest approach for users who want to consistently use their preferred DNS regardless of which apps are doing the querying.
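As an added example of the Linux variant of this approach (not configuration from the guide or from the systemd project), the script below renders a systemd-resolved drop-in that pins all queries to a DoT provider. The Quad9 endpoints, the drop-in path and the strict-versus-opportunistic choice are assumptions; the point it makes is that DNSOverTLS=opportunistic quietly falls back to plaintext port 53 when TLS fails, whereas DNSOverTLS=yes fails closed, and that strict mode needs an "ip#hostname" entry so the certificate can be validated.

```python
"""Render a systemd-resolved drop-in that pins every query to a DoT provider.

Added example for this guide, not code from the guide or from systemd: the
server list and the drop-in path are assumptions to adapt to your provider.
"""
import ipaddress
from pathlib import Path

# Constructed example: Quad9's DoT endpoints in the "ip#hostname" form that
# systemd-resolved expects; the hostname is what the TLS certificate is checked against.
QUAD9_DOT = ["9.9.9.9#dns.quad9.net", "149.112.112.112#dns.quad9.net"]
DROPIN = Path("/etc/systemd/resolved.conf.d/10-dot.conf")  # assumed location


def validate_servers(servers, strict=True):
    """Reject entries resolved would accept but that weaken the setup."""
    for entry in servers:
        ip, _, sni = entry.partition("#")
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        if strict and not sni:
            # DNSOverTLS=yes validates the server certificate; without a
            # hostname there is nothing to validate it against.
            raise ValueError(f"{entry}: strict DoT needs an 'ip#hostname' entry")
    return list(servers)


def render_dropin(servers, strict=True):
    """Build the [Resolve] section. strict=False shows the weak variant:
    'opportunistic' silently falls back to plaintext port 53 when TLS fails,
    while 'yes' fails closed."""
    servers = validate_servers(servers, strict)
    return "\n".join([
        "[Resolve]",
        "DNS=" + " ".join(servers),
        "DNSOverTLS=" + ("yes" if strict else "opportunistic"),
        # Route-only domain: these servers are preferred for every name, not only
        # for queries no link claims. A VPN client can still push per-link DNS,
        # so confirm the result with `resolvectl status` after connecting.
        "Domains=~.",
        "",
    ])


def install_dropin(servers, path=DROPIN):
    """Write the drop-in (needs root); then `systemctl restart systemd-resolved`."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(render_dropin(servers))
    return path


if __name__ == "__main__":
    print(render_dropin(QUAD9_DOT))
```

Run it to see the rendered file, or call install_dropin as root to write it; after restarting systemd-resolved and connecting the VPN, check `resolvectl status` to confirm the VPN client has not replaced these servers with its own on the tunnel interface.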
What can go wrong
DNS leaks. Even with everything configured, edge cases can leak DNS. Test with a tool like dnsleaktest.com after setting up your configuration. If you see queries going to the wrong DNS server, fix the configuration before relying on it.
IPv6 leaks. Your VPN might handle IPv4 DNS correctly but leak IPv6 DNS. Disable IPv6 at the OS level if your VPN does not handle it cleanly.
Browser DoH bypassing OS settings. Some browsers’ DoH implementations bypass the OS DNS configuration entirely, including the VPN’s leak protection. Configure browser DoH to use the same provider as your OS, or disable browser DoH if you want OS-level DNS to apply.
Performance issues. Routing DNS through your VPN to a third-party DNS provider adds latency. For most use cases the latency is small (< 50 ms additional); for some workloads it matters.
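The leak and IPv6 checks above can also be done offline against what the OS reports, before touching a leak-test site. The script below is an added example for this guide (not the guide's own tooling): it parses the text layout of `resolvectl status` on a Linux host, decides which scopes can answer arbitrary queries, and flags servers outside your allowlist, IPv6 resolvers you did not expect, and scopes still speaking plaintext DNS. The allowlist (Quad9) and the sample status output are constructed assumptions; in the sample the global config is correct, but the Wi-Fi link still advertises the router and the VPN client has pushed its own resolver onto the tunnel interface.

```python
"""Offline check of which resolvers a Linux host will actually use.

Added example for this guide (not the guide's own tooling): parses
`resolvectl status` output and flags resolvers that are not the ones you
intended, IPv6 resolvers, and scopes without DNS-over-TLS.
"""
import re
from dataclasses import dataclass, field

# Assumption: you configured Quad9 over DoT and want nothing else answering.
ALLOWED = {"9.9.9.9", "149.112.112.112"}

# Constructed sample modelled on the `resolvectl status` layout.
SAMPLE_STATUS = """\
Global
         Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
Current DNS Server: 9.9.9.9#dns.quad9.net
       DNS Servers: 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net
        DNS Domain: ~.

Link 2 (wlp3s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1 fd00::1

Link 5 (wg0-mullvad)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.64.0.1
       DNS Servers: 10.64.0.1
        DNS Domain: ~.
"""


@dataclass
class Scope:
    name: str
    servers: list = field(default_factory=list)
    default_route: bool = False   # can receive queries for any domain
    dot: bool = False             # DNS-over-TLS active for this scope


def parse_status(text):
    """Split `resolvectl status` output into scopes (Global plus one per link)."""
    scopes = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        scope = Scope(name=lines[0].strip())
        for line in lines[1:]:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "DNS Servers":
                scope.servers = value.split()
            elif key == "DNS Domain" and "~." in value.split():
                scope.default_route = True    # route-only domain: "send me everything"
            elif key == "Protocols":
                tokens = value.split()
                scope.default_route |= "+DefaultRoute" in tokens
                scope.dot = "+DNSOverTLS" in tokens
        scopes.append(scope)
    return scopes


def find_leaks(scopes, allowed=ALLOWED):
    """Return (kind, scope name, server) tuples for every scope that can
    answer arbitrary queries yet points somewhere you did not intend."""
    findings = []
    for scope in scopes:
        if not scope.servers:
            continue
        # Global servers and any link claiming the default route are candidates;
        # per-link servers normally win over Global, so those matter most.
        if scope.name != "Global" and not scope.default_route:
            continue
        for server in scope.servers:
            ip = server.split("#", 1)[0]
            if ip not in allowed:
                kind = "ipv6-leak" if ":" in ip else "leak"
                findings.append((kind, scope.name, server))
        if not scope.dot:
            findings.append(("unencrypted", scope.name, " ".join(scope.servers)))
    return findings


if __name__ == "__main__":
    # On a real host, feed the stdout of `resolvectl status` in here instead.
    for kind, scope, server in find_leaks(parse_status(SAMPLE_STATUS)):
        print(f"{kind:12} {scope:22} {server}")
```

On the sample, the Global scope passes, the Wi-Fi link produces a leak, an ipv6-leak and an unencrypted finding, and the tunnel interface produces a leak and an unencrypted finding: exactly the "VPN client overrode my DNS" and "IPv6 resolver slipped through" cases described above. A clean result here is still not proof; it only tells you what the stub resolver believes, so follow it with the external leak test.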
A specific configuration example
For a privacy-focused user who wants Mullvad VPN tunnel plus NextDNS for filtering:
- Sign up for NextDNS, get your configuration ID.
- Configure NextDNS at the OS level via configuration profile (iOS/macOS) or Private DNS setting (Android) or DoH setting (Windows 11). Use the NextDNS-provided URL: https://dns.nextdns.io/your-config-id.
- Connect to Mullvad VPN normally.
- Test for leaks at dnsleaktest.com. You should see NextDNS as the DNS server, not Mullvad’s default.
- Test that NextDNS filtering is active. Visit a known ad domain; verify it is blocked.
This setup gives you Mullvad’s tunneled traffic with NextDNS’s filtering and analytics. The VPN provider sees encrypted traffic; the DNS provider sees encrypted DNS queries; neither can correlate to your real activity beyond what each layer reveals.
When to not do this
If you do not have a specific reason to split DNS from the VPN: do not bother. The default of “VPN handles everything” is simpler and rarely problematic.
If you are not comfortable testing for leaks: stick with defaults. A misconfigured custom DNS setup can be worse than the default.
If the latency overhead matters more than the trust split: stick with defaults.
For most users, configuring custom DNS with VPN is overkill. For specific users with specific needs, it is worth doing.
A specific recommendation
For most VPN users: stick with the VPN provider’s default DNS. Simpler, fewer failure modes.
For users who specifically want the NextDNS or ControlD filtering and analytics with a different VPN: configure OS-level encrypted DNS to your filtering provider, run your VPN normally.
For users who want to split trust between VPN and DNS providers: set OS-level DNS to a separate provider (Cloudflare, Quad9, etc.) and configure the VPN client to allow custom DNS.