Someone else posted that this isn't a feature they would look for in a VPN, and I'd mostly agree except for one big problem: VPNs are the only way to effectively block things in iOS and (un-rooted) Android, and you can only have one VPN active at a time. This means that you have to choose between either having a proper VPN connected or a fake one to block content you don't like. Mullvad's ads, trackers and malware blocking DNS has been awesome when I'm on my iPhone and don't want to deal with ads in apps. I'm sure some other people who have dependence issues with gambling or adult content would appreciate being able to use their preferred VPN while also blocking content.
On iOS you can install a configuration profile that sets up a DNS-over-HTTPS endpoint without touching the VPN settings. NextDNS does this when you install their app, from what I remember. For other examples, see the profiles offered by AhaDNS.com[0].
On Android there is a Private DNS option where you can also set up a DNS-over-HTTPS endpoint of your choice.
These options may also be a better choice for battery life than a fake VPN connection.
The Android setting wherein you can input a standard DNS-over-HTTPS endpoint is sensible and sane.
Is it, in fact, correct that there is no such setting in iOS and it has to be app-enabled? Or are you saying I can either manage the device with Configurator 2 and put that setting in, or I can install an app (like NextDNS) that does it for me?
Really frustrating that simple config options like DNS server and setting the name of your hotspot SSID are nonexistent in iOS ...
As I understood it was about blocking content (via DNS) *even without a fake VPN connection*. Once you run a VPN connection, most likely its DNS takes over, profile or not profile.
Yes I know but that's what the parent comment(s) are about? Using a profile for DNS settings instead of a fake VPN because you can't run more than one active VPN at a time.
Without disagreeing that folks would want an all-in-one solution, a potential alternative is to use a service like https://nextdns.io/ in addition to your VPN.
This is particularly unlucky for macOS if you want to use an application firewall like "Little Snitch": since Apple removed kernel extensions on macOS (which Little Snitch and others used before), they now have to also fake a VPN. Because of this, you cannot use a custom DNS and Little Snitch. [1]
Upvote for NextDNS. Their platform has been a game changer for me on all devices/computers and I really enjoy the granularity of filtering. Happy customer here!
As I've recently been made aware here on HN, on Android, system applications can bind to an arbitrary interface so they can effectively bypass the VPN system. I don't think it happens often in practice, but it's something to keep in mind.
On paper, Android (8 and up) has the always-on type VPN that blocks any network connection not using the VPN (disallows bypass). I didn't poke at it yet to see how it works if multiple apps create VPNs; I assume only one VPN of this type can be active.
The single app restriction is a consequence of how the API works, but the always on VPN doesn't prohibit system apps from binding to an interface and bypassing the VPN configuration.
This kind of makes sense, you probably want a modem manager to talk to the modem interface directly, but it can be abused by data hungry manufacturers and perhaps Google.
By using a WireGuard VPN you could actually be connected to multiple endpoints at a time, if you are able to set the same tunnel IP for all endpoints.
That would enable you to have that one connection open routing to different servers (Mullvad / Homelab / Offsite Lab / Work / etc.), and hence also use your own DNS resolver with a commercial VPN.
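As an added illustration of the multi-peer setup described above (this is an example config, not the commenter's and not from any provider), the following single WireGuard tunnel has one interface address and three peers. WireGuard's cryptokey routing picks the peer with the longest matching `AllowedIPs` prefix, so the lab and work prefixes go to their own peers while everything else, including the default route, goes to the commercial VPN peer; the `DNS` line points at a resolver that lives behind the homelab peer. All keys, addresses, endpoints and prefixes are placeholders, and the whole scheme only works if every remote end has been configured to accept the same client address (`10.8.0.2` here).

```ini
[Interface]
# One tunnel address shared by all peers; each remote side must allow this exact /32
Address = 10.8.0.2/32
PrivateKey = <client-private-key-placeholder>
# Resolver inside the homelab prefix below, so DNS queries never reach the commercial provider
DNS = 192.168.50.53

[Peer]
# Commercial VPN exit: catches everything not matched by a more specific prefix below
PublicKey = <commercial-vpn-server-public-key-placeholder>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0, ::/0

[Peer]
# Homelab: more specific prefix wins over 0.0.0.0/0, so this traffic never touches the commercial exit
PublicKey = <homelab-server-public-key-placeholder>
Endpoint = homelab.example.invalid:51820
AllowedIPs = 192.168.50.0/24
# Keep the NAT mapping alive so the homelab can reach the phone's resolver queries promptly
PersistentKeepalive = 25

[Peer]
# Work network: same idea, separate prefix and key
PublicKey = <work-gateway-public-key-placeholder>
Endpoint = wg.work.example.invalid:51820
AllowedIPs = 10.20.0.0/16
```

On a phone this is one tunnel in the WireGuard app, so it counts as the single permitted VPN. The important caveat is that `AllowedIPs` is not a firewall: a prefix that overlaps identically across two peers is rejected, and a prefix you forget to list is silently sent to whichever peer holds the default route, so after editing it is worth checking with `wg show` that each peer holds exactly the prefixes you intended.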