You are not logged in.

#1 2026-06-27 13:24:58

Archttila
Member
From: Hungary
Registered: 2021-11-16
Posts: 28

Mullvad with custom NextDNS: DNSOverTLS is disabled on the wg0 interfa

Hi everyone,

I'm trying to set up NextDNS as a custom DNS on a server running Mullvad VPN, but systemd-resolved doesn't seem to use DNSOverTLS (DoT) on the WireGuard interface, even though I think my configuration is correct.

Here is what I'm seeing:

mullvad dns get

Custom DNS: yes
Servers:
45.90.28.xx
45.90.30.xx

resolvectl status

Global
Protocols: +LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
Link 2 (eth0)
Current Scopes: DNS LLMNR/IPv4
Protocols: +DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
Link 4 (wg0-mullvad)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=yes/supported

As you can see, wg0-mullvad has -DNSOverTLS instead of +DNSOverTLS.

Here is my resolved.conf

[Resolve]
DNS=45.90.28.0#mindegy.dns.nextdns.io
DNS=45.90.30.0#mindegy.dns.nextdns.io
DNSOverTLS=yes
DNSSEC=yes
Domains=~.

And the output of resolvectl state for the interfaces:

Server: 45.90.28.0#mindegy.dns.nextdns.io 
                               Type: system
             Verified feature level: TLS+EDNS0+DO
             Possible feature level: TLS+EDNS0+DO
                        DNSSEC Mode: yes
                   DNSSEC Supported: yes
                                          
Server: 45.90.30.0#mindegy.dns.nextdns.io 
                               Type: system
             Verified feature level: n/a
             Possible feature level: TLS+EDNS0+DO
                        DNSSEC Mode: yes

Server: 45.90.28.0#mindegy.dns.nextdns.io 
                               Type: link
                        Interface: wlan0
                  Interface Index: 3
             Verified feature level: TLS+EDNS0+DO
             Possible feature level: TLS+EDNS0+DO
                        DNSSEC Mode: yes
                   DNSSEC Supported: yes
                                          
Server: 45.90.30.0#mindegy.dns.nextdns.io 
                               Type: link
                        Interface: wlan0
                  Interface Index: 3
             Verified feature level: n/a
             Possible feature level: TLS+EDNS0+DO
                        DNSSEC Mode: yes
                   DNSSEC Supported: yes

Server: 45.90.28.xx                
                              Type: link
                         Interface: wg0-mullvad
                   Interface Index: 5
            Verified feature level: UDP+EDNS0+DO
            Possible feature level: UDP+EDNS0+DO
                       DNSSEC Mode: yes
                  DNSSEC Supported: yes
                                    
Server: 45.90.30.xx                
                              Type: link
                         Interface: wg0-mullvad
                   Interface Index: 5
            Verified feature level: n/a
            Possible feature level: TLS+EDNS0+DO
                       DNSSEC Mode: yes
                  DNSSEC Supported: yes

On wg0-mullvad, it falls back to UDP+EDNS0+DO (plain UDP) instead of TLS.

My questions:
1. What could be causing systemd-resolved or Mullvad to strip/ignore DoT on the WireGuard link?
2. Does it even make sense to force DoT inside an already encrypted VPN tunnel (since Mullvad encrypts everything end-to-end to their server anyway)?

Any insights would be highly appreciated!

Offline

#2 2026-06-28 14:47:35

-thc
Member
Registered: 2017-03-15
Posts: 1,154

Re: Mullvad with custom NextDNS: DNSOverTLS is disabled on the wg0 interfa

Archttila wrote:

1. What could be causing systemd-resolved or Mullvad to strip/ignore DoT on the WireGuard link?

I'm not sure. I use a self-hosted WireGuard VPN with a self-hosted DoT server and my combo (NM/system-resolved) doesn't show this behavior. But: I have enabled DoT only on the WireGuard link (via NM) and not globally (via resolved.conf).

My best guess: NextDNS "realizes" that your connection comes from the Mullvad VPN IP space and "decides" DoT isn't needed.

Archttila wrote:

2. Does it even make sense to force DoT inside an already encrypted VPN tunnel (since Mullvad encrypts everything end-to-end to their server anyway)?

That depends on your level of paranoia. If your only goal is to prevent your provider/government/whatever to eavesdrop on your DNS queries either DoT or a VPN is sufficient. In your current config Mullvad is able to eavesdrop on your DNS queries. And when either the VPN or DoT fails...

Offline

Board footer

Powered by FluxBB