Use Easy HNS with a VPN without guessing which DNS layer wins.
Easy HNS can work well inside an encrypted VPN tunnel, but the result depends on where DNS is actually configured. This page separates browser DoH, VPN app custom DNS, router DNS, and system-wide DNS so Handshake keeps working for the reason you expect.
The short version
Whole-device VPN DNS: 51.24.7.1
Browser Secure DNS: https://dns.easyhns.com/dns-query
Main trap: The setup works, but a different DNS layer actually won.
Whole-device inside a VPN
If your VPN app supports custom DNS by IP, use 51.24.7.1. That is usually the cleanest whole-device path to Easy HNS.
One browser inside a VPN
If you only need one browser, use https://dns.easyhns.com/dns-query in that browser's Secure DNS or DoH field.
Know which layer wins
Browser DoH can override router and system DNS. Some VPN apps force their own DNS unless they explicitly support custom DNS.
The value depends on the field.
This is the part that causes most avoidable mistakes. IP fields want the raw IP. Secure DNS fields want the full DoH URL. DoT or Private DNS fields want the hostname only.
VPN app / router DNS by IP: 51.24.7.1
Use this in custom DNS fields that ask for a raw DNS server IP.
Browser DoH / Secure DNS URL: https://dns.easyhns.com/dns-query
Use this in browser Secure DNS or custom DoH URL fields.
DoT / Private DNS hostname: dns.easyhns.com
Use this only in hostname-based DoT or Private DNS fields.
Works functionally
Handshake domains resolve somewhere, so the site opens.
Works exactly as intended
Easy HNS is the resolver actually in use, and the DNS path is going through the VPN tunnel the way you meant it to.
This is the practical difference between ‘it works’ and ‘it works the right way.’
Most confusion comes from mixing browser DoH, router DNS, VPN DNS, and system DNS. This table keeps the winning layer clear.
Scenario 01
Best: VPN app custom DNS by IP = 51.24.7.1, browser DoH off
Handshake works?
Yes, usually
Easy HNS is the resolver?
Yes, usually
DNS goes through VPN?
Usually yes
Main caveat
Often the cleanest whole-device route, but still verify that the VPN app really honors the custom DNS setting.
Scenario 02
Best: Browser DoH = https://dns.easyhns.com/dns-query, VPN app running
Handshake works?
Yes, in that browser
Easy HNS is the resolver?
Yes, in that browser
DNS goes through VPN?
Usually yes
Main caveat
Good browser-only route. The rest of the device may still use the VPN provider's DNS.
Scenario 03
Avoid: System DNS = 51.24.7.1, but the VPN app forces provider DNS
Handshake works?
Maybe
Easy HNS is the resolver?
No, usually
DNS goes through VPN?
Yes, but likely not to Easy HNS
Main caveat
This is the classic false-positive setup: Easy HNS looks configured, but the VPN app wins.
Scenario 04
Test carefully: Apple Easy HNS profile + a separate VPN app on the same device
Handshake works?
Maybe
Easy HNS is the resolver?
Maybe
DNS goes through VPN?
Usually yes
Main caveat
Some VPN apps replace managed DNS settings. The profile can stay installed while the VPN still overrides it.
Scenario 05
Best: VPN runs on the router + router DNS = 51.24.7.1, browser DoH off
Handshake works?
Yes, usually
Easy HNS is the resolver?
Yes, usually
DNS goes through VPN?
Usually yes
Main caveat
Good whole-network path, but only for devices that actually follow router DNS.
Scenario 06
Acceptable only if deliberate: VPN runs on the router + the browser still uses its own DoH
Handshake works?
Yes, maybe
Easy HNS is the resolver?
Not necessarily
DNS goes through VPN?
Usually yes
Main caveat
The browser can override router DNS completely. If its DoH points elsewhere, Easy HNS is not the active resolver there.
Scenario 07
Best: Mullvad app on a laptop + Easy HNS in browser DoH (https://dns.easyhns.com/dns-query)
Handshake works?
Yes, in that browser
Easy HNS is the resolver?
Yes, in that browser
DNS goes through VPN?
Usually yes
Main caveat
Practical fallback when you want the browser to be explicit, even if the rest of the device stays on Mullvad DNS.
Scenario 08
Best if supported: Mullvad app on a laptop + Easy HNS as custom DNS by IP (51.24.7.1)
Handshake works?
Yes, usually
Easy HNS is the resolver?
Yes, usually
DNS goes through VPN?
Usually yes
Main caveat
Strong whole-device fit when Mullvad actually supports external custom DNS for your setup.
Scenario 09
Best if supported: Proton VPN app + Easy HNS custom DNS by IP (51.24.7.1)
Handshake works?
Yes, usually
Easy HNS is the resolver?
Yes, usually
DNS goes through VPN?
Usually yes
Main caveat
One of the cleaner whole-device patterns, but only when Proton's custom DNS feature is available and active.
Scenario 10
Acceptable with verification: NordVPN app + Easy HNS custom DNS by IP (51.24.7.1)
Handshake works?
Often yes
Easy HNS is the resolver?
Maybe
DNS goes through VPN?
Usually yes
Main caveat
Nord uses its own DNS by default. Treat custom DNS as untrusted until you verify that Easy HNS really won.
Scenario 11
Avoid unless deliberate: Split tunnel excludes the browser, app, or resolver traffic from the VPN
Handshake works?
Maybe
Easy HNS is the resolver?
Maybe
DNS goes through VPN?
No or mixed
Main caveat
Handshake may still work, but the traffic path is no longer the clean encrypted tunnel you expected.
The provider matters, because not every VPN handles custom DNS the same way.
These are the practical patterns to expect from the most common third-party VPN setups people ask about first.
Mullvad
Use 51.24.7.1 only in Mullvad custom DNS fields that accept a raw IP. If you want the simplest one-browser path, use https://dns.easyhns.com/dns-query in browser Secure DNS instead.
Proton VPN
If Proton's custom DNS feature is available for your plan and platform, 51.24.7.1 is a strong whole-device Easy HNS route.
NordVPN
Nord can work with 51.24.7.1 in custom DNS fields, but you should assume Nord's own DNS still wins until you verify the result.
Router VPN scenarios
When the VPN runs on the router
Browser DoH scenarios
When the browser uses its own encrypted DNS
Apple / system-wide DNS
When a managed profile or system DNS is meant to cover the whole device
Common failure modes
Handshake works in one browser but not in another. The working browser is often using its own DoH path.
Easy HNS works before the VPN connects, then stops. The VPN app likely replaced DNS.
Router DNS is set, but one device ignores it. That device or browser likely has its own DNS setting.
The setup works functionally, but not through the path you expected. Split tunneling or browser DoH is usually why.
The DoH URL was pasted into a field that only accepts a hostname or an IP.
How to verify correctly
Pick the layer that should win
Decide first whether you want Easy HNS at the browser layer, VPN-app layer, router layer, or system layer. Mixed intentions create mixed results.
Compare browser behavior with system behavior
If Handshake works in one browser but not in terminal tools or other apps, browser DoH is probably overriding the lower DNS layers.
Retest once with browser Secure DNS turned off
This is the quickest way to see whether the browser was bypassing router or system DNS.
Check split tunneling before blaming Easy HNS
If the browser, app, or resolver traffic is excluded from the tunnel, the VPN path is no longer the one you think you are testing.
Verify on the Easy HNS side if you operate the service
The cleanest proof is whether Easy HNS sees the VPN exit IP or your direct ISP IP. That tells you if the resolver traffic really crossed the tunnel.
Advanced checks
Use 51.24.7.1 only in DNS-by-IP fields such as router DNS or VPN app custom DNS.
Use https://dns.easyhns.com/dns-query only in DoH or Secure DNS fields.
Use dns.easyhns.com only in DoT or Private DNS hostname fields.
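dig @51.24.7.1 <handshake-name> +short    # queries Easy HNS directly; shows the resolver answers, not that your device uses it
scutil --dns    # macOS: resolver configuration the system is actually using
resolvectl status    # Linux with systemd-resolved: DNS servers and domains per link
Get-DnsClientServerAddress    # Windows PowerShell: DNS servers configured per interface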
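Scenario 03 checked against `resolvectl status` output, as an added example (not Easy HNS's own code): a Python parser that reports which link's DNS servers receive ordinary lookups on a systemd-resolved machine. The link name wg0 and the address 10.64.0.1 are constructed sample values, and treating the "~." routing domain as the winner is a simplified model of how systemd-resolved routes names that match no more specific domain.

```python
import re

EASY_HNS_IP = "51.24.7.1"  # plain-DNS address given on this page
KEY_LINE = re.compile(r"^([A-Za-z][\w. ]*):(?:\s+(.*))?$")
FIELDS = {"DNS Servers": "servers", "DNS Domain": "domains"}

# Constructed, trimmed `resolvectl status` sample: Wi-Fi points at Easy HNS,
# but the VPN link (made-up name wg0, made-up DNS 10.64.0.1) holds "~.".
SAMPLE = """\
Global
  resolv.conf mode: stub
Link 2 (wlan0)
Current DNS Server: 51.24.7.1
       DNS Servers: 51.24.7.1
Link 5 (wg0)
Current DNS Server: 10.64.0.1
       DNS Servers: 10.64.0.1
        DNS Domain: ~.
"""

def parse_links(text):
    # Returns {link: {"servers": [...], "domains": [...]}}.
    links, current, field = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"^(?:Global|Link \d+ \((\S+)\))$", line)
        if header:
            current, field = header.group(1) or "global", None
            links[current] = {"servers": [], "domains": []}
            continue
        if current is None or not line:
            continue
        key = KEY_LINE.match(line)
        if key:
            field = FIELDS.get(key.group(1))
        # A line without a key continues the previous key's value list.
        values = ((key.group(2) or "") if key else line).split()
        if field:
            links[current][field].extend(values)
    return links

def winning_resolvers(links):
    # Links with the catch-all "~." domain take lookups that match nothing
    # more specific; without one, every link with DNS servers is a candidate.
    usable = {n: l["servers"] for n, l in links.items() if l["servers"]}
    catch_all = {n: s for n, s in usable.items() if "~." in links[n]["domains"]}
    return catch_all or usable

def easy_hns_wins(text):
    winners = winning_resolvers(parse_links(text))
    return bool(winners) and all(EASY_HNS_IP in s for s in winners.values())
```

On the sample, `easy_hns_wins(SAMPLE)` is false even though wlan0 lists 51.24.7.1, which is the false-positive pattern the scenario describes.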
Pick the route that matches the level you actually want to control.
The cleanest setup is usually the one with the fewest overlapping DNS layers.
Best whole-device route
Run a full-tunnel VPN and set custom DNS by IP to 51.24.7.1 inside the VPN app when that feature is clearly supported.
Best one-browser route
Keep the VPN on, then set Secure DNS or DoH in that browser to https://dns.easyhns.com/dns-query.
Best router VPN route
If the VPN runs on the router, use 51.24.7.1 in router DNS fields and keep browser DoH off unless it also points to Easy HNS.
Best Apple fallback on a VPN-heavy device
Use the Apple profile when the device does not have a VPN app that replaces DNS. If the VPN keeps winning, fall back to browser DoH for the browsers that matter most.
For privacy-focused users, simple beats layered guesswork.
Setup guide
Routers
Most routers can use Easy HNS network-wide with plain DNS IPs; advanced platforms can sometimes use encrypted DNS too.
Protocol
Plain DNS by default, DoT or DoH where supported
Scope
Network-wide
Time
5 to 10 minutes
Setup guide
Chrome
Use Chrome Secure DNS and point it at the Easy HNS DoH URL.
Protocol
DoH
Scope
Browser-only
Time
1 minute
Setup guide
Advanced
Exact Easy HNS endpoints for manual clients, custom templates, scripts, and infrastructure tooling.
Protocol
DoH, DoT, plain DNS
Scope
Varies
Time
Depends on platform