It keeps Mullvad from intercepting DNS traffic: if you send cleartext DNS requests on UDP/53 through their network, they intercept it. But DNSCrypt packets are encrypted and authenticated, so they can't.
Bonus: DNSCrypt is still packet-based like UDP, so none of the downsides of DoH: no 3-way handshake, no connection pooling, no stream correlation attacks.
> It's worth noting that all our VPN servers hijack calls to our public DNS server and that the DNS requests are processed on a local non-logging DNS server installed on that VPN server.
It keeps Mullvad from intercepting DNS traffic: if you send cleartext DNS requests on UDP/53 through their network, they intercept it. But DNSCrypt packets are encrypted and authenticated, so they can't.
Bonus: DNSCrypt is still packet-based like UDP, so none of the downsides of DoH: no 3-way handshake, no connection pooling, no stream correlation attacks.
> It's worth noting that all our VPN servers hijack calls to our public DNS server and that the DNS requests are processed on a local non-logging DNS server installed on that VPN server.
https://mullvad.net/en/help/all-about-dns-servers-and-privac...
https://old.reddit.com/r/mullvadvpn/comments/invjgp/how_and_...