If I use a VPN, who will resolve my DNS requests?
Will they be resolved by my VPN provider, or by my original ISP (if left on "automatic" settings)? Would I have to manually configure a dns server, to make sure my requests will not be resolved by my ISP (constituting a privacy risk)?
The requests will be passed to the IP that's configured. So if your DNS is still your ISP's DNS, then yes you will still be asking your ISP to resolve a domain name for you.
Windows Vista has an "automatic" setting, the default setting for finding a domain name server (no ip is explicitly set with this setting). If left on automatic, do you think this would mean any dns requests go to my ISP?
I would just set an explicit IP, I don't know what would happen if you use the automatic setting. It might be you do get a new DNS configuration if the VPN provider sends you one when you request an IP. Just test it I guess :)
@Samuel Yes. If you have a standard set up: Router using DHCP then 'automatic' will obtain a DNS server over DHCP which will point to your local router, your local router will then use your ISPs DNS servers for DNS lookups.
What if the VPN tunnel is a virtual interface with it's own DNS configuration? How would the Windows OS's choose DNS server? For Linux, I assume the /etc/resolv.conf will be updated with the newest interface...
Can I do the opposite? I mean, create a VPN only for processing DNS queries (basically, to block ads). While the traffic goes directly to my ISP. Thanks.
Depending on how your VPN is configured, you might or might not use the same DNS for your VPN and for Internet. VPN's are (typically) like an additional IP stack on your system, and can have a separate DNS server address configured. But not all systems do this.
- If your VPN does not assign a new DNS for the VPN session then you will continue to use the DNS server(s) configured in your main Internet IP Stack. This can present a problem if the external DNS cannot resolve internal addresses (or as you indicate, if you don't want internal addresses to be known externally).
- If your VPN does assign a new DNS - for example by using DHCP option 6 "DNS Server" - then you can have different DNS servers for the VPN and for Internet. Your OS must support this, as must the VPN service. If you send traffic out both stacks at once this would be "Split Mode".
- A final option is that you might operate your VPN in Tunnel Mode, sending all communications (including Internet) through the VPN stack. In this case, when you are on the VPN all DNS would use the VPN's DNS. This is probably the most secure way since all internal traffic is sure to stay in the VPN.
Excellent answer, covered all the options here. One other thing to note is that how it is configured can also depend on *which* VPN you're using - not all vendors' products support all the options.
@Mark, Regarding *"Your OS must support this"*, Doesn't all OS support that? How could it be achievable?
@NickG It depends on your VPN client, but yes, there are many VPN clients on Windows that do split mode.
This answer is incorrect regarding "split mode". When a host has to do a DNS lookup, it does not know beforehand if the name it's looking up is in the VPN or not, so it cannot decide if it should use the VPN's DNS server or some other at that time. The closest you can get is to use a domain-specific override through dnsmasq (*nix), the built-in resolver (OSX), or something similar.
Ah, I know that this has been pretty much answered, but I wanted to bring a bit more clarification to the answers here as, in the end, the true answer is completely dependent on how both the server and client are configured. What it sort of boils down to are two things: one is that a vpn tunnel doesn't need to redirect all your traffic and the other is that a VPN server doesn't have to assign a dns server.
**Before I get too into the specifics, I'll just say this.. On windows and you can tell if your DNS is being handed out by your VPN by opening up a cli and typing in "nslookup localhost" and looking at the top. Similarly, if you are using ubuntu you can use "nmcli dev list iface eth0 | grep IP4" ** *. If you do this before and after connecting to a vpn and the dns server listed doesn't change, than your DNS isn't being assigned by your VPN. * If you are using linux, most VPN implementations won't assign a dns server even if the VPN server is configured for it.
You may or may not be assigned a dns server through a vpn based on a) which vpn implementation you are using b) which OS you are using or c) whether or not the server AND client vpn settings allow this. Another common mistake is to run your vpn client without administrator or root privileges. (This often changes only a few options, making the vpn appear to be functional.)
Most VPN services that you can pay for will be configured to redirect all of your IP traffic through the VPN tunnel. (In openvpn, the server option is "redirect-gateway".) This will include DNS traffic and, although it would be less common for a vpn connection that redirects all traffic to not ALSO assign a dns server, it isn't out of the question either. If a DNS Server isn't assigned by the vpn server but your gateway is redirected, the dns traffic will simply go through the tunnel before making it to it's destination. (Lookups are slow but work.)
A popular and generally elegant vpn implementation that is popular in Corporate environments is to have the vpn server assign a DNS server but not redirect your default gateway. This will make connections to things that have internal dns records like Application Servers accessible since they have a private IP address where-as publicly accessible things like websites pass through the internet like normal due to their having Publicly routeable IP addresses. (This is a function of how ip's are routed more than VPN.)
Due to the highly configurable nature of VPNs, there are essentially an infinite variety and styles of vpn, but just know that most vpn tunnes tend to revolve around those two styles.
(Oh, and maybe check out this article for more info.) OpenVPN Routing and Bridging
I was looking for an answer and have tested it out. I changed the following settings and watched my adapters with wireshark.
In Windows you can set up a priority for LAN-Adapters. If your vpn adapter recieved its own ip-settings e.g. from dhcp with its own dns-server entry, and your primary physical lan adapter has also a dns-entry configured, windows will use the dns server from the adapter with the highest priority. In Windows you can set this priority in the options menue from where the different lan-adapter can be configured (ip-adress etc.). Press Alt (to see the extended menue-bar) and navigate to "Advanced"-> "Advanced Settings". In the list the priority is determined by the top-down order of the adapters which can be changed by the arrow-symbols.