by orivej 2952 days ago
I'm using Mullvad. On the plus side, their servers are the most reliable I have seen, and they provide IPv6 addresses (behind NAT, which is reasonable for privacy). On the minus side, since November 2017 they intercept DNS queries and answer them themselves (hence you cannot use the DNS service of your choice), unless you connect to a specific undocumented OpenVPN port (1400 or 1401) available on a small but diverse subset of their servers.
1 comments

Interesting. Good info to know. Have they specified a reason for intercepting DNS?
I believe I can quote the response to my support request:

«We added iptables rules to hijack all DNS requests on port 53 going via the VPN tunnel, this is to protect users having set a DNS server unknowingly (or by malware). We are aware that not all users want this behaviour, and we intend to add an extra port that OpenVPN listens on, where DNS hijacking will not happen.»

Some VPN providers (including Mullvad) have a client-side feature called DNS leak protection that configures the system to use the provider's DNS server. I don't know how Mullvad decided that this was not enough, and that they are justified in intercepting DNS. (Note that for the server-side intervention to work, the client side must be configured not to use ISP DNS, hence the client-side DNS leak protection is a prerequisite.)
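One way to check from the client side whether port-53 traffic through the tunnel is being redirected, as an added example that is not from the thread or from Mullvad: send a plain DNS query to an address where no resolver can exist (the RFC 5737 documentation range 192.0.2.1 is assumed here), and treat any reply as evidence that something in the path rewrote the query's destination.

```python
import secrets
import socket
import struct
from typing import Optional, Tuple

# Documentation-only address (RFC 5737): no real resolver lives here, so a
# reply can only come from something rewriting port-53 traffic in the path.
UNROUTABLE_RESOLVER = "192.0.2.1"


def build_query(qname: str, txid: Optional[int] = None, qtype: int = 1) -> Tuple[int, bytes]:
    """Build a minimal DNS query (class IN, recursion desired) for qname."""
    if txid is None:
        txid = secrets.randbelow(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.strip(".").split("."))
    return txid, header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_answer_count(txid: int, data: bytes) -> Optional[int]:
    """Return ANCOUNT if data is a response to our txid, else None."""
    if len(data) < 12:
        return None
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # QR bit set means this is a response
        return None
    return ancount


def probe_interception(resolver: str = UNROUTABLE_RESOLVER,
                       qname: str = "example.com", timeout: float = 2.0) -> bool:
    """True if a DNS reply comes back from a resolver that cannot exist.

    Without interception the query is silently dropped and we time out.
    An OSError from sendto (no route at all) is left to the caller.
    """
    txid, query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        try:
            data, _peer = sock.recvfrom(512)
        except socket.timeout:
            return False
    return parse_answer_count(txid, data) is not None


if __name__ == "__main__":
    print("DNS interception detected" if probe_interception()
          else "no reply: port 53 is not being redirected")
```

Run it with the tunnel up and again with it down; a reply only while connected points at the tunnel endpoint rather than the local network.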