This article is about digital privacy, and specifically about safeguarding your privacy online through the use of Virtual Private Networks and Domain Name System masking services.
Making sense of privacy solutions is challenging, especially figuring out which services you do or don't need, and how they meet your needs. Depending on your goals, a single privacy service may be inadequate, and some services influence others. Your risk profile and the pros and cons of the various solutions should be taken into consideration before selecting one or more products. The trade-offs between convenience, privacy, and risk need to be fully vetted.
In this article, I'll compare and contrast different strategies to mitigate risks impacting your digital privacy and data security through various combinations of privacy enhancing services, with a particular focus on the benefits and pitfalls of combining privacy-enhancing services. Topics include:
- Use Cases
- Privacy Solutions Matrix
- Dynamic vs. Static IP Addresses: Which Is Better?
- VPN vs. Smart DNS vs. Dedicated DNS
- Cost Comparison
- Dedicated Streaming Devices
- Dynamic DNS: Splitting the Difference
- VPN + Dedicated DNS
- VPN + Smart DNS
- Routers: Piping a LAN Through VPN and/or Smart DNS
- Multiple Devices, Multiple Geographic Regions
Identifying Your Needs
I've spent a considerable portion of my career working in product management. One of the core concepts of product management is User Stories. A user story is a short narrative describing a need of your product's target audience. It serves as a guide for a product development team, to help them grasp the nuances of a functional requirement and visualize how it can best be incorporated into an existing product. For example, let's say you work for a company manufacturing baby strollers. One of your use cases could describe how parents would like someplace to hold a diaper bag containing various paraphernalia for the baby being transported in the stroller. Your company might develop a hook on the side of the stroller that holds the strap of the bag. Another company might have a competing product and be working on a similar use case. The other company develops a basket to place the bag in, resting behind and underneath the baby compartment. Different development teams often come up with different methods of solving the same problem, particularly when the problem is loosely defined, as it was in my example. Neither is "wrong" per se, but the customer base may consider one a better design than the other. Most likely, each design will appeal to a different segment of the target audience.
The point of my example is that while customers may have similar needs, those needs are often not identical. Data privacy and security are the same way. Some people are more concerned with privacy than others, and some people place a higher value on convenience and are willing to give up some privacy in exchange for a reduction in work. An example of this is a navigation system on a mobile phone. That navigation app is reporting your location and your activity back to a central server somewhere. You are exchanging information on your current whereabouts (a reduction in privacy) for the convenience of not performing the work yourself of reading a map and calculating the most efficient route.
Use Case Scenarios
Are you more concerned with concealing your identity and/or online behavior (anonymity)? Are you concerned with protecting data transmissions from interception? Do you just want the ability to access localized Netflix content in any country? Something else? We all have a unique set of needs and wants.
Some privacy solution products make sense to combine. Used together, they can harden your privacy wall or the integrity of your data. Or they can provide unique abilities, such as accessing digital content in multiple different worldwide regions simultaneously. Below, I'll go over the typical use of some of the most common privacy enhancing tools, the use cases they support, and why various combinations of privacy solutions are positively or negatively aligned with those scenarios.
Virtual Private Networks (VPNs). Dynamic DNS. Smart DNS. Dedicated DNS. Proxy servers. How do you know which one (or combination) of these services you need? Do you understand what these things are?
If not, you may want to check out these articles:
Here's a short list of common privacy challenges and services you may use to overcome them.
Table: Internet Data Privacy Solutions

| # | Solution | Use case |
|---|---|---|
| 1 | ISP only [1] | This is your base: ISP-provided Internet with no added services |
| 2 | Dynamic DNS only [2] | Access your LAN remotely when the LAN has a dynamically assigned IP address |
| 3 | Smart DNS only | Access geo-restricted digital content |
| 4 | VPN only | Anonymity, data privacy, data protection |
| 5 | VPN + Dedicated DNS | Total anonymity is paramount |
| 6 | VPN + Smart DNS | Anonymously access geo-restricted digital content |
| 7 | Smart DNS/VPN | Get around geo-fencing when not using the VPN |
| 8 | Smart DNS/VPN + Smart DNS | Geo-restricted content in two (2) different regions, simultaneously |
| 9 | Router uses VPN [3] | Automatic privacy and data protection for a local network |
| 10 | Router w/ Smart DNS [3] | Seamless integration of all devices through Smart DNS |
| 11 | Router w/ Smart DNS + VPN [3] | Normal traffic through the VPN; geo-restricted content access via Smart DNS |
Note these services relate just to your internet traffic. Any network traffic on your LAN (Local Area Network) won't use them.
Privacy Solutions Matrix
Here is a synopsis of 26 strategies, scored based on their strengths in addressing three core concepts:
- Digital privacy
- Data security
- Circumventing geographic content restrictions
The strategies are grouped by VPN (only), Smart DNS (only), and combinations of a VPN + a Smart DNS service. The service types are grouped into these categories because VPN and Smart DNS solutions are generally regarded as the best methods of managing online privacy/data integrity (VPN) and getting around geofencing (Smart DNS). For more detailed information on these subjects, you may wish to read Why Do You Really Need (or Want) a VPN? and/or Locked Out: Circumventing Geofenced Content, respectively.
Which combinations of ISP IP address type, VPNs, and DNS are the best? It depends on what is important to you. Is it security, privacy, cost, functionality? Are you passionate about being able to access digital content that is blocked in the country or region of the world where you live? If your priorities encompass more than one factor, you'll need to study the comparison tables in this article to decide what's the right option for you. My primary recommendation is that you avoid any option in the chart whose "Rec" (recommended) column says "No." Those choices should be avoided (in my opinion), because they expose you to unnecessary risks.
Table: Privacy/Security/Geo-fencing Solutions Matrix (VPN only)

| # | ISP IP Type [4] | ISP DNS [5] | VPN [6] | VPN DNS [7] | Score [8] | Rec [9] |
|---|---|---|---|---|---|---|
Solutions 1-4 (above) consist of a dynamic ISP address and various combinations of VPN types.
Solutions 5-8 consist of a static ISP address and various combinations of VPN types.
Table: Smart DNS / Dynamic DNS

| # | ISP IP Type [4] | ISP DNS [5] | VPN [6] | VPN DNS [7] | Score [8] | Rec [9] |
|---|---|---|---|---|---|---|
Solutions 9-16 represent standalone Smart DNS configurations. A Smart DNS with any ISP address type is good. Just be sure this type of solution is what you want: a Smart DNS fills a very specific niche. Coupling it with a Dynamic DNS is also an option in some instances. Doing so does not diminish the viability of these solutions; however, you do introduce some risk of inconvenience in the form of more potential maintenance. This issue is explained under Dynamic DNS. If you can find a single provider offering both services, and those services exchange information to keep track of your actual IP address at any given time, I would suggest going that route (a single-source provider for both).
The only reason solution 16 is rated "OK" (or "acceptable") is because it's redundant. Why would anyone subscribe to a Dynamic DNS service when they have a static IP address from their ISP? It's a pointless waste of resources. Please make sure you understand what services you're buying (and why) before you buy.
Table: VPN + DNS Solutions

| # | ISP IP Type [4] | ISP DNS [5] | VPN [6] | VPN DNS [7] | Score [8] | Rec [9] |
|---|---|---|---|---|---|---|

Now that you've reviewed the solution matrix tables above, let's break down what they mean and why each scenario is scored as it is. Some of the scoring and recommendations are not obvious and require analysis of the underlying services.
Dynamic vs. Static IP Addresses: Which Is Better?
Does your Internet Service Provider (ISP) assign dynamic or static IP addresses? Do you understand the difference? Which do you have?
A static IP address means your device's address on the Internet never changes.
A dynamic IP address is one that changes periodically.
Most networks assign dynamic IP addresses by default. Most private networks (e.g. internal corporate networks) only assign static IP addresses to devices when there is a particular need to keep track of it consistently. For example, in order for users to reach a web server, there needs to be a way for them to find it consistently. That problem is usually solved with a static IP address. There are ways around this, but they require utilizing other techniques and tools, such as Dynamic DNS.
Many (but not all) ISPs allow their customers to request a static IP address for a public internet connection. This usually comes at an additional cost. Static IP addresses normally cost more for several reasons. One is because they are in demand. A static IP address makes a lot of logistics easier, particularly if you're incorporating certain privacy-based services into your online behavior, or if you want the ability to initiate a connection to your device from outside your local network. For instance, if you have a server in your home interacting with a number of Internet-of-Things (IoT) devices, you might need a static IP address for your home's router so you can connect to it from a remote location at any time.
Static IP = More Convenience, Greater Vulnerability
Did you happen to notice that in the VPN Only table of the privacy solutions matrix above, 50% of the standalone VPN configurations are not recommended? Did you notice why? They all share a common trait: a static outbound IP address from the VPN server. Why is this a problem? If you have the same public-facing IP address all the time, even through a VPN, it's much easier for a malicious third party to track you and map your behavior. Thus, from a privacy protection standpoint, this approach is clearly vulnerable.
A static IP address reduces online privacy, because it is easier for third parties to identify you. Dynamic IP addresses make it more difficult for a third party to profile you. Looking at this from a broader perspective, if enough data is collected, anyone can be profiled. Web browser signatures, DNS location records, and similar information monitored over time can be used to build a user profile. Web browser signatures in particular make exceptional data points for differentiating users. Browser fingerprinting, as it is often called, has a greater than 99% accuracy rate [12].
Table: Privacy Risk vs. Convenience by Outbound IP Address Type

| | | | | | |
|---|---|---|---|---|---|
| Inconvenience | High | Very Low | Low | Very High | Low |
| Privacy Protection | Moderate | Very Poor | Moderate | Very Good | Poor |
Dynamic IP = Less Convenience, Greater Protection
A dynamic IP address issued by your ISP puts you in a better starting position from an online privacy standpoint. However, this comes at a cost; namely, convenience. In order to allow inbound services (incoming connections to your true IP address), you need a method of knowing what your true IP address is at any given time. Take the IoT example above. If you want to remotely connect to IoT devices in your home, whatever application you use needs to know how to find your home's connection on the Internet (i.e., its IP address). To solve this problem, you need a reference point: something that can determine what your ISP-assigned IP address is at any given moment. When that IP address is subject to change, this is obviously a challenge. The simplest way to solve that problem is to install a program on one of your network-attached devices in your home that periodically pings a remote server, so that the remote server can associate the IP address your ping originates from with you (e.g. via an ID of some sort). That is exactly how a Dynamic DNS service works!
VPN vs. Smart DNS vs. Dedicated DNS
Is a Virtual Private Network (VPN) a viable alternative to unblock geo-fenced content, relative to a Smart DNS? What are the pros and cons of one versus the other?
Here's a chart that sums up the pros and cons of a VPN with and without a Smart DNS or dedicated DNS, compared with one another, or using none of them.
Table: Content vs. Privacy vs. Security vs. Speed
What does a Smart DNS cost versus a VPN? What if I want to use both? Here is a random sample of Smart DNS providers and their cost.
Table: Smart DNS vs. VPN Monthly Cost (USD)

| Smart DNS Provider | Monthly Rate |
|---|---|
| OverPlay.net | $4.16 - 4.95 USD |
| SmartDNSProxy.com | $2.08 - 4.90 USD |
| SmartDNS | $2.08 - 4.90 USD |
| Unblocker | $4.16 - 4.95 USD |

As you can see, there's not a lot of differentiation. The low end of each price range represents a longer-term contract commitment (12 months or more), and the higher prices represent shorter-term agreements (e.g. 1 month).
Table: Smart DNS and VPN Monthly Cost (USD) [1]

| | | | | |
|---|---|---|---|---|
| Average Monthly Cost | $5-10 USD | $10-15 | $5-10 | $10-15 |
The additional cost of adding a second service is minimal.
Dedicated Streaming Devices
Is your sole interest accessing geo-restricted content? Do you intend to stream media to a TV, projector, or whatever? Is that your only goal? If you said "Yes" to all three, then your situation is a no-brainer! Just sign up for a Smart DNS service. Most likely, you will need just one subscription per public-facing IP address used by your devices.
Dynamic DNS: Splitting the Difference
There are times when, for whatever reason, you have an inbound application: you wish to originate communications from the Internet to a device on your local network. Naturally, in order to do so, you need to know your IP address. If your ISP assigns IP addresses dynamically, meaning you do not always have the same IP address, then herein lies the problem. If your IP address is prone to change from time to time, it is very difficult to reliably initiate connections to it remotely. Dynamic DNS solves this problem by acting as a pointer to your real IP address and keeping track of changes to it.
Dynamic DNS is a generic term. It refers to both a practice and a type of service. To put this in perspective, you can think of a Dynamic DNS provider as a sort of DNS forwarder. Even though the term is not technically correct, functionally that is what is happening. Dynamic DNS service providers maintain an updated reference point for a host device on the Internet with a dynamic IP address. They accomplish this through two processes: 1) creating a unique domain name for you; and 2) monitoring your real IP address in near real time, via an application you install on your local network that repeatedly "pings" the Dynamic DNS server.
Whenever you need to communicate with your local network from a remote location, you simply reference the DNS record of your unique domain name. The dynamic DNS provider acts as an authoritative DNS provider and when queried, it provides the current IP address associated with the unique domain name.
Interested in learning how Dynamic DNS servers work?
Dynamic DNS Increases Your Risk Profile
Unfortunately, using a Dynamic DNS service exposes you to many of the same privacy concerns afflicting static IP addresses. And in fact, in some respects a Dynamic DNS is less secure than a static IP address! How is this possible?
Your unique domain name is static. If it is discovered, anyone can resolve the DNS record of your unique domain name, which will point directly to your actual IP address. If your IP address changes, it doesn't matter: your unique domain name follows you. If you had a static IP address and you changed it, an interested third party would have to find you again. Thus, it's possible for Dynamic DNS to make a dynamic IP address less secure than a static IP address!
Be judicious about whether or not you utilize a Dynamic DNS service in the first place, and if so, how. For example, if you have a Dynamic DNS account and connect to a VPN, and all of your internet traffic is routed through the VPN, the application that "pings" the Dynamic DNS server will also traverse your VPN. Since it constantly reports the address its traffic originates from, the IP address associated with your Dynamic DNS domain name will suddenly become the outbound address of your VPN connection. This may or may not be desirable, depending on your circumstances. Either way, the point is you should familiarize yourself with all the tools you are considering using before deploying them. Otherwise, unanticipated (and potentially undesirable) results may occur!
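The polling client described in this section, and the VPN pitfall just mentioned, as an added example (not code from this article or from any Dynamic DNS provider): a model of the updater that publishes its observed public address under a fixed hostname, with a guard that refuses to publish an address inside the VPN's known egress range. The hostname, update URL, VPN ranges and all observed addresses are assumptions or constructed values.

```python
"""Dynamic DNS updater model with a VPN-egress guard (added example, not a provider's code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# dyndns2-style update endpoint; the provider hostname is hypothetical.
UPDATE_URL = "https://members.example-ddns.net/nic/update"

# WAN addresses that are not reachable from the Internet, so publishing them is useless:
# RFC 1918 space, loopback, and carrier-grade NAT (RFC 6598).
NOT_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "100.64.0.0/10")]


@dataclass
class DdnsState:
    hostname: str
    vpn_egress_ranges: List[str] = field(default_factory=list)  # assumed known from the VPN provider
    last_published: Optional[str] = None                        # what the hostname currently points at


def build_update_request(hostname: str, ip: str) -> str:
    """The request line a dyndns2-style client sends (credentials omitted)."""
    return f"GET {UPDATE_URL}?hostname={hostname}&myip={ip}"


def classify_ip(ip: str, vpn_ranges: List[str]) -> str:
    """Decide whether an observed address is the ISP link, the VPN's egress, or not public at all."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in NOT_PUBLIC):
        return "not-public"
    if any(addr in ipaddress.ip_network(r) for r in vpn_ranges):
        return "vpn-egress"
    return "isp"


def ddns_tick(state: DdnsState, probe_public_ip: Callable[[], str]) -> Dict[str, Optional[str]]:
    """One polling cycle. probe_public_ip stands in for the 'ping' that learns the current address.

    action is one of: updated, unchanged, skipped-vpn, skipped-not-public.
    """
    ip = probe_public_ip()
    kind = classify_ip(ip, state.vpn_egress_ranges)
    if kind == "vpn-egress":
        # The probe left through the VPN tunnel. Publishing now would repoint the
        # hostname at the VPN server's outbound address, not the home connection.
        return {"action": "skipped-vpn", "ip": ip, "request": None}
    if kind == "not-public":
        return {"action": "skipped-not-public", "ip": ip, "request": None}
    if ip == state.last_published:
        return {"action": "unchanged", "ip": ip, "request": None}
    state.last_published = ip
    return {"action": "updated", "ip": ip, "request": build_update_request(state.hostname, ip)}


def run_sequence(state: DdnsState, observed_ips: List[str]) -> List[str]:
    """Replay a constructed series of observed addresses and return the action taken each time."""
    return [ddns_tick(state, lambda ip=ip: ip)["action"] for ip in observed_ips]


if __name__ == "__main__":
    # Constructed scenario: ISP address, same again, VPN comes up, VPN drops, ISP re-leases.
    st = DdnsState("home.example-ddns.net", vpn_egress_ranges=["203.0.113.0/24"])
    seq = ["198.51.100.7", "198.51.100.7", "203.0.113.9", "198.51.100.7", "198.51.100.42"]
    for ip, action in zip(seq, run_sequence(st, seq)):
        print(f"{ip:>15}  {action}")
    print("hostname now points at:", st.last_published)
```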
VPN + Dedicated DNS
VPN + Smart DNS
Thinking of signing up for both VPN and Smart DNS services? First, you will need to make some decisions prioritizing privacy, data security, convenience, and cost. When planning your network configuration, it's prudent to review the type of data you plan on routing through a VPN and/or via a Smart DNS. Will you use a VPN to transmit sensitive information? Smart DNS services increase your risk profile relative to certain security threats. If you're thinking of using both services on the same device, it may be prudent to plan on isolating your VPN traffic from the Smart DNS.
Will your internet connection pass through a VPN intermittently? Do you plan to use a VPN for certain data transmissions, and an open (non-VPN) internet connection for others? Any scenario besides "always through a VPN" or "never through a VPN" makes using a Smart DNS more complicated. If you are considering a Split VPN, will you require Smart DNS services for both VPN-protected data and non-VPN protected data? If so, you will likely find the process easier to manage (and more secure) with two (2) independent Smart DNS accounts.
Once you've determined how you'd like your Smart DNS and VPN to function in relation to one another, it's time to evaluate your options further, based on your VPN connection types.
Dynamic vs. Static IP Addresses
An important factor to consider is whether your VPN's IP address assignments are static or dynamic. Just like ISPs, most VPN service providers assign dynamic IP addresses. It's a bit more complicated with VPNs because you need to keep track of both an in-bound IP address (the one you connect to) and an out-bound IP address (your IP address seen by other devices on the Internet via the VPN). This makes using a Smart DNS significantly less convenient and more complex (even though it only cares about your outbound VPN IP address).
Most VPNs are dynamic. If your public (outbound) IP address changes every time you establish a new VPN connection, it's dynamic. This is a hindrance to using Smart DNS services because the "smart" portion, the part that gets you around geofenced content censoring, requires that your outbound IP address be known ahead of time and preset within the Smart DNS service. The problem you're going to encounter is that every time you reconnect to the VPN, your outbound IP address changes. This means your Smart DNS service provider likely has, at that moment, the wrong IP address for your account, so the Smart DNS service does not work for you. While the provider's DNS servers may still function for normal DNS lookups (acting as a normal DNS resolver), the regional content service you're paying for won't work. In effect, every time you wish to take advantage of circumventing geofenced content restrictions, you will first have to reset the IP address in your Smart DNS account to the IP address currently assigned to you by the VPN. Obviously, if your IP address changes frequently, the whole process quickly becomes rather inconvenient. For more information on this topic, see How Smart DNS Works.
The term dynamic VPN may also refer to the inbound IP address your host device connects to when establishing a connection with a VPN server, during the initialization process. The VPN server's inbound connection may be defined as a unique domain name rather than a particular IPv4 or IPv6 address. When this is the case, it is normally because the inbound IP address fluctuates. This behavior has no bearing on a Smart DNS association with a VPN, as the former is only concerned with the outbound IP address of the VPN server.
What if you have a static outbound IP address with a VPN provider? In that case, with a single Smart DNS account, you may choose whether to use the geofencing-circumvention feature of the Smart DNS either when the VPN is active or when it isn't, but you will need to choose one or the other and set your Smart DNS account preferences accordingly. You could also consider setting up two independent Smart DNS accounts so that getting around geographic content restrictions would work all the time, regardless of whether you were using the VPN or not. However, I recommend against this practice unless you are purposely interested in accessing content in two different geographic regions that are not your native region, simultaneously. Outside that scenario, there's not a good reason to adopt such a method.
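An added example (not code from this article or from any Smart DNS provider) modelling the behaviour described in this section: the provider substitutes its proxy address in answers only for source IPs activated on an account, so a dynamic VPN reconnect silently turns the Smart DNS back into an ordinary resolver until the account is re-associated. All hostnames, addresses and the account name are constructed.

```python
"""Smart DNS behaviour model (added example, not a provider's code).

A Smart DNS answers ordinary queries like any resolver, but for a short list of
geo-restricted hostnames it returns the address of its own proxy instead, and only
when the query arrives from a source IP that has been activated on an account.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed "real" records (RFC 5737 documentation space) and the provider's proxy.
REAL_RECORDS: Dict[str, str] = {
    "video.example.com": "192.0.2.10",   # hypothetical geo-restricted streaming service
    "news.example.org": "192.0.2.20",    # ordinary site, never redirected
}
UNBLOCK_PROXY: Dict[str, str] = {"video.example.com": "203.0.113.50"}


@dataclass
class SmartDnsProvider:
    accounts: Dict[str, str] = field(default_factory=dict)    # account -> activated client IP
    log: List[Tuple[str, str]] = field(default_factory=list)  # (source IP, name): what the provider sees

    def activate(self, account: str, client_ip: str) -> None:
        """The manual step in the provider's panel: register your current outbound IP."""
        self.accounts[account] = client_ip

    def resolve(self, qname: str, source_ip: str) -> Tuple[str, str]:
        """Answer one query; returns (address, how) with how in {proxy, normal, nxdomain}."""
        self.log.append((source_ip, qname))  # every query is visible to the provider, VPN or not
        if qname not in REAL_RECORDS:
            return ("", "nxdomain")
        if qname in UNBLOCK_PROXY and source_ip in self.accounts.values():
            return (UNBLOCK_PROXY[qname], "proxy")
        return (REAL_RECORDS[qname], "normal")


def vpn_reconnect_scenario() -> Dict[str, object]:
    """Walk through the dynamic-VPN problem: the outbound IP changes and unblocking stops."""
    provider = SmartDnsProvider()
    first_session_ip, second_session_ip = "198.51.100.7", "198.51.100.42"
    provider.activate("alice", first_session_ip)
    before = provider.resolve("video.example.com", first_session_ip)
    # The VPN reconnects and hands out a new outbound address; nothing else changed.
    after = provider.resolve("video.example.com", second_session_ip)
    plain = provider.resolve("news.example.org", second_session_ip)  # plain lookups still work
    provider.activate("alice", second_session_ip)  # the manual re-association described above
    fixed = provider.resolve("video.example.com", second_session_ip)
    return {"before": before[1], "after": after[1], "plain": plain[1],
            "fixed": fixed[1], "queries_seen": len(provider.log)}


if __name__ == "__main__":
    for step, outcome in vpn_reconnect_scenario().items():
        print(f"{step}: {outcome}")
```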
When Your Smart DNS and VPN Are the Same Provider
If you want to use a VPN and get around geographic digital content restrictions, this is usually the best of both worlds, and that is especially true if your ISP assigns IP addresses dynamically. Of course, I do have a caveat as usual, and in this case it is: do your homework first! Be certain you understand how the service provider handles the relationship between their VPN service and their Smart DNS service. Personally, I'm not fond of this scenario because you are exposing all your activity to a single provider (who hopefully does not log such information). Regardless of their claims about whether they log your behavior or not, the fact is they have the physical means to do so at any time. Preferably, the service provider hosts both services themselves, the Smart DNS is private (meaning it is only accessible if you have an account associated with your ISP-assigned IP address), and when utilizing the VPN your DNS queries are automatically routed to the private DNS server.
When Your Smart DNS and VPN Are Different Providers
When you purchase Smart DNS and VPN services separately, you're giving yourself more work (the onus is on you to coordinate the two services so they work together as desired), but you gain control and the opportunity to retain a higher level of privacy and anonymity. This method can provide you with privacy advantages by preventing any single organization from being aware of all your activity. However, it does require forethought and planning. Depending on your implementation and goals, it could also be quite tedious at times.
If you connect to a VPN first and then a Smart DNS, the Smart DNS provider will see your DNS requests emanating from your VPN's external (Internet) facing IP address and not your real IP address assigned to you by your ISP (Internet Service Provider). On the other hand, in that situation your VPN provider will be capable of viewing your DNS requests to the Smart DNS provider. If your DNS queries operate outside your VPN, your ISP will be able to view your DNS requests, but your VPN provider will not.
It all depends on how you have configured DNS handling on your device (default DNS queries) and, if applicable, via your VPN (which may or may not allow you to specify a separate DNS server path when connected to the VPN; normally they do). One way or another, either your ISP or your VPN provider will theoretically be able to view your DNS queries, depending on whether the DNS query occurs outside of your VPN's secure tunnel or not. Only you can determine the combination and sequence of actions that works best for you. Personally, any company I'd trust to provide me with VPN service, I would trust unequivocally over an ISP.
No matter how you handle it, the result is either an inconvenience (more work) or a compromise (less privacy). Ask yourself why you signed up for a VPN in the first place. I recommend keeping these activities separated to the extent you can tolerate the nuisance of any manual fiddling. If you choose to have both services provided by the same organization, you will have to hope they are true to their word with regard to any claims they make describing how they keep the services separated (if they do). Reputable Smart DNS and VPN providers will maintain a firewall between the services that keeps them blind to each other in regards to logging (or better yet, keep no logs).
Routers: Piping a LAN Through VPN and/or Smart DNS
Most home and small office users access the Internet from behind a router of some sort, allowing them to connect multiple local devices via WiFi and/or fixed wire. Local devices share the same outbound connection and appear to the outside world as the same IP address (assigned to you by your Internet Service Provider).
Some routers support VPN services. If yours does, you may wish to consider setting up your VPN account on the router instead of an individual device or two on your network. This concept has several advantages. For instance, you can choose to route all internet traffic that passes through the router via your VPN. Or you may decide to route traffic from certain devices over the VPN, and have other devices connect to the Internet via your ISP's normal IP address. The possibilities will depend on your router's capabilities, compatibility with the VPN service provider you've chosen, and your abilities.
Similar options exist if you'd like to have all the devices on your local network use a Smart DNS service, or you want some devices to use your Smart DNS service and to have some not use it. Again, it's a matter of configuration, though in this case all routers support DNS settings. If you want all the devices on your network to use the same Smart DNS service, simply configure the DNS pointers in your router's network configuration settings to point to the Smart DNS service of your choice. Then instruct each device to use your router as its DNS resolver (look for its DNS settings under each device's network configuration settings).
Multiple Devices, Multiple Geographic Regions
Do you want simultaneous access to content from multiple different geographic regions? If so, I recommend a strategy using static IP addresses and multiple Smart DNS accounts. This can be implemented via either ISP-assigned static IP addresses or a VPN service that allows multiple connections (nearly all do), or a combination. In a nutshell, the process is:
- Dedicate each outbound IP address to a different geographic region
- Set up an independent Smart DNS service account for each instance you require
- If one instance will be your local region, you don't need a Smart DNS for it
How do you assign a different static IP address to each device on your LAN?
How do you get multiple static IP addresses? One of two ways: Assigned by your ISP; or by tossing a VPN into the mix. The ISP route is a simpler solution, but if that's not an option or you prefer to handle it via a VPN and virtual interfaces, then you will need to establish multiple VPN connections. In the case of the latter, each VPN connection will be assigned a separate IP address by your VPN provider.
The VPN route is certainly more challenging to get working well. First, you need to determine whether or not you'll be assigned consistent static outbound IP addresses by the VPN service provider. If that is an option, it is the preferred solution and will behave almost identically to a multi-static IP configuration assigned by an ISP. If that's not in the cards, you will have to adjust the settings of your Smart DNS service every time you reconnect to the VPN (because your outbound IP address will change and require re-association with the Smart DNS service).
Here's a high-level summary of the steps involved when your ISP provides a range of static IP addresses for your use:
- Request a group of static IP addresses from your ISP
- Using a reasonable firewall/router, NAT each relevant device to a different static IP address
- Set up one (1) Smart DNS account for each device that needs one (each such device has its own static IP address)
- NAT all remaining local network traffic to another static IP, not associated with a Smart DNS account
The last step provides you with another network path (outbound IP address) not routed through a Smart DNS, just in case there are some connections where that experience is undesirable for whatever reason.
The process via VPN software is similar. The primary difference is the VPN interface on the client-side (your device) will act as a router. That may be an actual router or it may be a host. It all depends on your needs, equipment, and capabilities.
VPN and Smart DNS As Separate Services (Co-Existing)
There's no reason you can't allow different devices on your local network to use either the VPN or the Smart DNS, or both (even at the same time). For instance, if you have multiple devices on a LAN (Local Area Network) in your home, it may be possible for you to divert certain devices to your Smart DNS and allow certain devices to use your VPN service. You can even allow certain devices to use both. For instance, you might use a VPN on a laptop for accessing your office remotely, and you might use streaming devices such as a Roku or Amazon Fire Stick to watch movies and TV. Most streaming devices allow you to manually edit their network settings. This enables you to do things such as pointing a streaming device to a Smart DNS service to check out content in another country, while simultaneously using your laptop to log in to a website over your VPN.
[12] Eckersley, Peter. "How Unique Is Your Web Browser?" Electronic Frontier Foundation. https://panopticlick.eff.org/static/browser-uniqueness.pdf