If I use my own VPN and use third party DNS - can I trust it?
For example, is there any possibilities that an attacker can track the requests by contacting the DNS-hosting (assume that attacker have order and DNS-hosting have logs), and find out what sites I have visited? Because DNS requests are bypassing the VPN?
And if there is such a risk, how to solve this problem? Should I use my own DNS server instead of third party for added security?
No, you can't.
It's as easy as you search information about "DNS leak" topic. When you use a VPN, you have the risk of a DNS leak. In other words, your DNS resolution will be made outside your VPN.
Second, VPN server knows (in some way) who you are, where are you from and where you want to go. It's the same risk that exit nodes of Tor Network pose.
Anyway, it depends of how paranoid you woke up today.
You shouldn't trust them. You may suffer from "DNS Leaking". Ideally, your computer should send DNS Requests through the VPN, but it may request it directly. Your IP address will be exposed. Anyone snooping on the connection to the DNS Server will see what site you are accessing. That also opens you up to the dangerous Man-In-The-Middle attack. Use DNSCrypt protocol. It literally encrypts your DNS requests to OpenDNS or a similar provider.
There are really two things you need to trust here: the DNS response's authenticity and privacy.
You can be reasonably sure of the authenticity of the data returned if all of the below are true:
It is more difficult to make the DNS response private. I see two solutions. Either use a server that supports DNSCurve, or tunnel the DNS traffic through the VPN.
Note that you will likely need to change the DNS server you use in either case, as it's unlikely the ISP's DNS server supports DNSSEC, and almost certain it doesn't support DNSCurve. However, you don't need to use your own, you can use reputable public servers such as Google DNS or OpenDNS.
EDIT: Be aware that the response becomes more authentic when it is private, as changing the response becomes a lot harder (Either the DNS server you use needs to be compromised or the VPN server needs to get Man-In-The-Middle'd, depending on which solution you choose.
While using your own VPN you can increase your security, putting the DNS server on the side of the network of the VPN service, and forcing any DNS request going through it through your own local DNS service/proxy.
The ISP/DNS provider of the server/network where the DNS is hosted can however log, intercept and modify your DNS queries.
Setting up a DNS server/caching/proxy server that does not talk with the normal root name servers, but instead talks via TLS with dnscrypt enabled servers you solve in one stroke both the privacy element of your DNS requests and any potential leaking.
For additional security, you should setup up also additional firewall rules that intercept DNS requests coming from your premises/your DNS client that are not using your DNS IP address and force the DNS requests to be sent to your DNS service (for instance, a machine with the Google DNS server 8.8.8.8 setup by hand will those be forced to talk with your DNS services instead).
As an additional security measure, please do note that for instance, OS/X and iPhone allow the setup through profiles of VPN on-demand. In other words, any new connection request wont be satisfied without the VNP going up, thus negating any accidental connection while the VPN is not established.
As a side note, at home I run a DNS server that serves my equipment, and use frequently my own Home VPN, the work VPNs managed by me, and a commercial VPN. In this case, there cannot be DNS leaks to the local ISP as I talk with foreign DNS servers over dnscrypt/TLS.
It is also worthwhile to note that whilst services like https://www.dnsleaktest.com test for leak, the "absence" of a leak does not vouch for your setup; those tests are much more useful when they do find leaks.
As a last reminder, I also would add that policies/firewall rules added by a VPN client, especially default rules added by commercial VPN software, may change expected behaviours of your infra-structure.
To address the DNS leak issue, I'm certain you can obtain the IP address of your VPN provider that you are making the connection to and firewall off all outgoing connections heading to any other IP address on any port other than the specific IP and port being used by your VPN. That will prevent any "leaked" traffic from exiting your network. Done.
After that, only the VPN provider will know for certain which sites you are visiting, and it depends on whether or not they keep logs of your traffic. Your options here are transmitting your data through I2P after you've connected to your VPN.
After that, only large-scale timing attacks such as those from nation-level adversaries are likely to find you.
If you are using a VPN and that VPN is using a public DNS then your requests are most likely anonymous enough. The truth is that if they want to find you badly enough they will.
Running your own DNS would be a bad idea as the requests being sent to a DNS with only one user would stand out as strange. I would say you should find the most popular DNS there is and use that. Conversely you could find out the IP's of the sites you would like to visit and skip DNS all together.
If you are a technical person and also if you are security expert than you should not trust on any third party DNS. Because of there are so many websites and web-server , those are provides their services and also sell their data to another hackers for their profits. So If you have your own well prepared DNS and VPN then trust on yourself only.
