Some feedback regarding Proton VPN documentation and some confusion regarding Firefox DNS configuration:

https://protonvpn.com/support/browser-extensions#firefox says:

“By default, Firefox does not route DNS queries through the HTTPS connection to our VPN servers”, and then a workaround to fix it is mentioned.

That suggests an alarming thing: that a ProtonVPN Firefox user has to apply some custom workaround in order to be private (prevent a DNS leak).

On the other hand, https://protonvpn.com/support/dns-leaks-privacy says:

“DNS queries are routed through the VPN tunnel to be resolved on our servers”

These statements are a bit confusing/contradictory (though Proton later explains that this latter statement does not apply to browser extension VPN apps), and Proton further adds at https://protonvpn.com/support/dns-leaks-privacy/#dns-over-https that a DNS leak can also happen due to an enabled DoH feature in the web browser.

Solution: the ProtonVPN browser extension should (if possible) warn the user in case it fails to process DNS and, as a result, it is leaked. Vote for this feature request


Another “issue” is with the above-mentioned/linked workaround (here I am speaking only about Firefox). This workaround: “go to about:config into the URL bar and hit <enter>. At the warning, click Accept the risk and continue → search for network.trr.mode”

In my case I had that variable set to 5, which means DoH “Off by choice”; Proton in said tutorial suggests value 3 instead, which means (according to https://wiki.mozilla.org/Trusted_Recursive_Resolver#DNS-over-HTTPS_Prefs_in_Firefox ) “Only use TRR, never use the native resolver.”

This confuses me since it looks like the opposite of what I have now, while any DNS leak site:

https://www.dnsleaktest.com

https://ipleak.net

does NOT report a leak in my case, nor in case I set network.trr.mode to 3. A bit weird, but I guess no big deal?

Thanks for your feedback in advance.
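Added example (not from the post, Proton or Mozilla): a small Python checker that parses the user_pref() lines of a Firefox prefs.js/user.js and reports which resolver path network.trr.mode selects. The mode meanings are those on the Mozilla TRR wiki page linked above; the sample prefs content is constructed.

```python
import re

# Meaning of network.trr.mode values, per the Mozilla TRR wiki page linked in
# the post. Modes 1 and 4 are historical and are not distinguished here.
TRR_MODES = {
    0: "off (Firefox default): native resolver only, DoH disabled",
    2: "TRR first: DoH to network.trr.uri, fall back to the native resolver",
    3: "TRR only: never use the native resolver",
    5: "off by choice: user explicitly disabled DoH",
}

# Matches lines such as: user_pref("network.trr.mode", 5);
_PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);', re.M)


def parse_prefs(text):
    """Return {name: value} for pref()/user_pref() lines, typed as str/bool/int."""
    prefs = {}
    for name, raw in _PREF_RE.findall(text):
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def uses_trr(prefs):
    """True when Firefox resolves names itself over DoH (modes 2 and 3) instead
    of handing them to the OS resolver, which is the path a system-level VPN
    tunnels. An absent pref means the Firefox default, mode 0."""
    return prefs.get("network.trr.mode", 0) in (2, 3)


def report(text):
    prefs = parse_prefs(text)
    mode = prefs.get("network.trr.mode", 0)
    return {"mode": mode,
            "meaning": TRR_MODES.get(mode, "historical/unknown mode"),
            "doh_uri": prefs.get("network.trr.uri", "(not set)"),
            "uses_doh": uses_trr(prefs)}


# Constructed prefs.js excerpt (not from a real profile): the poster's mode 5.
SAMPLE_PREFS = '''
user_pref("network.trr.mode", 5);
user_pref("network.trr.uri", "https://doh.example/dns-query");
user_pref("network.trr.allow-rfc1918", false);
'''

if __name__ == "__main__":
    print(report(SAMPLE_PREFS))
```

Point the parser at the prefs.js of the Firefox profile in use to see whether a DNS leak test result comes from the OS resolver or from Firefox's own DoH resolver.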

  • N0x0n · 4 months ago

    Just my 2 cents, don’t take it too seriously, but having an extension act as a VPN is a bad idea IMO. Same goes for password managers.

    I would rather suggest installing WireGuard on your machine and tunnelling all your traffic to protonVPN with a config file you can download from them.

    But that adds extra work to put into place (a few iptables lines) and I get why extensions are popular (ease of install and forget).

    Sorry if it doesn’t add anything to your actual question, but we shouldn’t rely too much on extensions; those are mostly open holes for privacy and security.

      • N0x0n · 4 months ago (edited)

        Not saying it’s better than a native app but it’s probably more secure than an extension.

        One benefit I could think of is customization of your configuration. I’m practically a newbie in networking, so take everything with a grain of salt, because a wrongly configured network device is as bad as not having one.

        However, being able to re-route everything to a corresponding WireGuard tunnel, adding specific rules to each device, gives you more control of your network flow (yes, this is more advanced stuff and I only scratched the surface of what is possible). There’s way more to it and I lack the proper knowledge, but reading here and there suggests that extensions are really bad for security/privacy. Also, the more addons you have, the more fingerprintable you are (yes, I’m probably oversimplifying…)

        Sorry if I lack the technical terms, I’m just a tinkerer and like learning new stuff. If there’s a native app for every device, go for it; otherwise I would suggest finding a way to re-route your traffic through a tunnel without the help of a browser extension.

        But hey I’m just some random on the web without any degree, so whatever 🫠