Some feedback regarding Proton VPN documentation and some confusion regarding Firefox DNS configuration:

https://protonvpn.com/support/browser-extensions#firefox says:

“By default, Firefox does not route DNS queries through the HTTPS connection to our VPN servers” and then mentions a workaround to fix it.

That suggests an alarming thing: that a ProtonVPN Firefox user has to do some custom workaround in order to be private (prevent a DNS leak).

On the other hand, https://protonvpn.com/support/dns-leaks-privacy says:

“DNS queries are routed through the VPN tunnel to be resolved on our servers”

These statements are a bit confusing/contradictory (though Proton later explains that this latter statement does not apply to browser extension VPN apps), and Proton further adds at https://protonvpn.com/support/dns-leaks-privacy/#dns-over-https that a DNS leak can also happen due to an enabled DoH feature in the web browser.

Solution: ProtonVPN browser extension should (if possible) warn the user in case it fails to process DNS and, as a result, it is leaked. Vote for this feature request


Another “issue” is with the above-mentioned/linked workaround (here I am speaking only about Firefox). This workaround: go to “about:config into the URL bar and hit <enter>. At the warning, click Accept the risk and continue → search for network.trr.mode”

In my case I had that variable set to 5, which means DoH “Off by choice”; Proton in said tutorial suggests value 3 instead, which means (according to https://wiki.mozilla.org/Trusted_Recursive_Resolver#DNS-over-HTTPS_Prefs_in_Firefox) “Only use TRR, never use the native resolver.”

This confuses me since it looks like the opposite of what I have now, while any DNS leak site:

https://www.dnsleaktest.com

https://ipleak.net

does NOT report a leak in my case, nor in case I set network.trr.mode to 3. A bit weird, but I guess no big deal?

Thanks for your feedback in advance.
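
To check which `network.trr.mode` value a Firefox profile actually ends up with, the following added example (not part of the original post, and not Proton's or Mozilla's code) parses preference file text and maps the value to the meanings on the Mozilla wiki page linked above. The sample `prefs.js`/`user.js` contents are constructed and the function names are hypothetical.

```python
import re

# Meanings from the Mozilla wiki page linked in the post; the boolean says
# whether the native (OS) resolver can still be used in that mode.
TRR_MODES = {
    0: ("Off (default)", True),
    2: ("TRR first, native resolver as fallback", True),
    3: ("Only use TRR, never use the native resolver", False),
    5: ("Off by choice", True),
}
PROTON_SUGGESTED = 3  # value the Proton tutorial quoted in the post suggests

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: raw_value} for each user_pref(...) line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)  # comment lines (// ...) do not match
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def effective_trr_mode(prefs_js, user_js=""):
    """user.js is applied on top of prefs.js at startup, so it takes precedence."""
    merged = {**parse_prefs(prefs_js), **parse_prefs(user_js)}
    raw = merged.get("network.trr.mode", "0")  # unset is treated as default 0
    try:
        return int(raw)
    except ValueError:
        return None  # e.g. a quoted string, which is not a valid integer pref

def audit(prefs_js, user_js=""):
    mode = effective_trr_mode(prefs_js, user_js)
    meaning, native = TRR_MODES.get(mode, ("reserved or invalid value", None))
    return {"mode": mode, "meaning": meaning,
            "native_resolver_possible": native,
            "matches_proton_tutorial": mode == PROTON_SUGGESTED}

# Constructed sample profile contents.
PREFS_JS = '// Mozilla User Preferences\nuser_pref("network.trr.mode", 5);\n'
USER_JS = 'user_pref("network.trr.mode", 3);\n'

if __name__ == "__main__":
    print(audit(PREFS_JS))           # the poster's setting
    print(audit(PREFS_JS, USER_JS))  # user.js override to the suggested value
```
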

  • N0x0n

    Not saying it’s better than a native app but it’s probably more secure than an extension.

    One benefit I could think of is customization of your configuration. I’m practically a newbie in networking so take everything with a grain of salt, because a wrongly configured network device is as bad as not having one.

    However, being able to re-route everything to a corresponding wireguard tunnel, adding specific rules to each device, gives you more control of your network flow (Yes this is more advanced stuff and I only scratched the surface of what is possible). There’s way more to it and I lack the proper knowledge, but reading here and there suggests that extensions are really bad for security/privacy. Also, the more addons you have, the more fingerprintable you are (yes I’m probably oversimplifying…)

    Sorry if I lack the technical terms, I’m just a tinkerer and like learning new stuff. If there’s a native app for every device go for it, otherwise I would suggest to find a way to re-route your traffic through a tunnel without the help of a browser extension.

    But hey I’m just some random on the web without any degree, so whatever 🫠