Using Microsoft Defender VPN Still Allows Me to Set DNS Server at the Router?

SparkyNuts
Aspirant

We have a base router and one satellite in our home.  One year ago I went into Orbi's settings and changed the DNS servers to be 1.1.1.3 and 1.0.0.3 from Cloudflare because our young kids had just started using the iPad.  It works perfectly.

Today I installed Microsoft Defender on our desktop and on my iPhone.  On the latter, the VPN is turned on.  I do see how to turn it off on the iPhone as well, no problems there.

Question:

When the Microsoft Defender VPN is enabled on my iPhone, and when it connects to the internet via Orbi, am I still using the DNS server I specify in Orbi's settings or does the VPN force me to use Microsoft's DNS?

CrimpOn
Guru

Re: Using Microsoft Defender VPN Still Allows Me to Set DNS Server at the Router?

This is a really interesting question.  When a VPN connection is opened on a user device, there appear to be two possible behaviors:

  • Every data packet is sent through the tunnel, no matter what the target IP address, or
  • Data packets not addressed to the local IP subnet (LAN) are sent through the tunnel, and packets intended for the LAN are sent through the regular network adapter to the LAN.

When Windows Defender VPN is enabled, how will it function?

How about a couple of experiments:

  1. Open the Orbi web interface http://orbilogin.net using Safari.  The Orbi DNS mechanism intercepts this DNS request and returns the IP address of the Orbi router.  Normal DNS services, such as Cloudflare, have no means of identifying "where is orbilogin.net?" and will return an error.
  2. If Cloudflare is being used to block some URLs as a form of Parental Control, attempt to open one of those URLs.  If it opens, then the DNS request did not go through the Orbi DNS mechanism.

Would love to hear what happens.

schumaku
Guru

Re: Using Microsoft Defender VPN Still Allows Me to Set DNS Server at the Router?

Well, considering the design goals for Microsoft Defender for Endpoint and your privacy on Android and iOS mobile devices, it's unlikely the DNS queries from these device endpoints will ever reach the Orbi DNS server configured.

CrimpOn
Guru

Re: Using Microsoft Defender VPN Still Allows Me to Set DNS Server at the Router?

Thanks for finding that link. So, Microsoft Defender for Endpoint is not a VPN in the traditional sense:

[screenshot: CrimpOn_0-1700945417915.png]

Conveniently left out of the article is how URLs are resolved into IP addresses.  After Defender has determined that the proposed connection is not a threat, apparently the connection proceeds normally.  Perhaps a DNS request is made as usual, in which case it would go to whatever DNS server is defined in the device wireless configuration.  Orbi DHCP specifies the Orbi router as the DNS server.  On computers, it is not difficult to configure actual DNS servers in the wireless settings instead of using the server specified by DHCP.  (Not clear to me whether iPhones have the same capability.)

I'd love to see what happens on this iPhone using Microsoft Defender for Endpoint.  Not certain how to explain it if a specific URL is blocked: (a) did Defender block it? or (b) did Cloudflare block it?

SparkyNuts
Aspirant

Re: Using Microsoft Defender VPN Still Allows Me to Set DNS Server at the Router?

@CrimpOn I tried those two experiments.

In Safari on the iPhone I entered http://orbilogin.net both with the MS Defender VPN turned on and then with it turned off.  In both cases, I was using WiFi going through my Orbi with the DNS set to Cloudflare's kid-friendly 1.1.1.3.  In both cases I was able to get to the Orbi's login.

Then, with both MS Defender's VPN turned on and then with it turned off, I attempted to go to a non-PG website with Safari.  In both cases, the site would not load.  Just as a control, I turned off the WiFi and successfully got the same non-PG website to load on my iPhone.

Lastly, I went into Orbi's settings and set the DNS to be whatever my ISP uses, which has no restrictions.  Then using Safari with Defender's VPN I again attempted to access the non-PG website, and it did in fact work.

So it looks like MS Defender is still letting all the traffic go through whatever DNS is specified in Orbi's settings.  If Orbi is set to use Cloudflare's 1.1.1.3, then the non-PG site does not work with Defender's VPN enabled.  If Orbi is set to use the ISP's DNS, then the non-PG site does work, even with Defender's VPN enabled. 

If Defender's VPN had its own DNS, then I would have expected:

1. I would not have been able to get to my Orbi's settings by typing orbilogin.net into Safari with Defender's VPN enabled

2. Cloudflare would not have blocked the non-PG site when Defender's VPN was enabled (I confirmed Defender was not also set to block the same website by leaving Defender's VPN enabled while changing Orbi's settings to use my ISP's DNS)

I see some articles here and there referring to Defender's VPN as looping and its not being a true VPN.  So really, it sounds like the Defender app on my iPhone is just using an iPhone functionality to force all internet traffic through Defender, but Defender's VPN provides no encryption to any data leaving the phone.  Isn't encryption of data from device to DNS a key benefit of a VPN?

I do see Defender has an additional option, beyond the "VPN", called "Privacy Protection".  And that has a data limit and this article seems to be saying the privacy connection encrypts data.  https://support.microsoft.com/en-au/topic/microsoft-defender-privacy-protection-faq-65b514b4-be3f-49...  I'll try going to the non-PG site sometime today with that turned on, and I'll see what happens.  If MS is going to encrypt the data, this sounds more like an actual VPN and I assume it will bypass the Cloudflare DNS I've specified in Orbi.

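The two experiments CrimpOn proposed (resolve orbilogin.net; try a domain the family filter blocks) and the results SparkyNuts reported above can be scripted so the check does not depend on what Safari shows. The block below is an added example, not code from this thread or from Microsoft or Netgear. It assumes that the router's DNS proxy answers its own hostname with a private (RFC 1918) address while a public resolver has no such record, that Cloudflare for Families (1.1.1.3) answers 0.0.0.0 for a domain it filters, and that the router address, the placeholder filtered domain and the sample reply are constructed for illustration.

```python
"""Script the two DNS experiments from the thread (added example, not the thread's code).

Assumptions (not established by the thread):
  * the router answers for its own hostname (orbilogin.net) with a private
    RFC 1918 address; a public resolver returns NXDOMAIN or nothing useful;
  * Cloudflare for Families (1.1.1.3) answers 0.0.0.0 for a filtered domain;
  * ROUTER_IP, FILTERED_DOMAIN and the sample reply below are constructed.
"""
import ipaddress
import random
import socket
import struct

ROUTER_HOSTNAME = "orbilogin.net"          # name the router's DNS proxy intercepts
ROUTER_IP = "192.168.1.1"                  # assumed LAN address of the Orbi
FILTERED_DOMAIN = "example-filtered.test"  # placeholder for a site the filter blocks (constructed)


def build_query(name, txid):
    """Build a minimal DNS query: one A/IN question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a two-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg, txid):
    """Return the IPv4 addresses in the answer section; [] for NXDOMAIN."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (possible spoofed reply)")
    rcode = flags & 0x0F
    if rcode == 3:          # NXDOMAIN: this resolver has no such name
        return []
    if rcode != 0:
        raise ValueError("resolver returned rcode %d" % rcode)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def resolve_a(name, resolver, timeout=2.0):
    """Ask one specific resolver over UDP/53 (bypasses the OS resolver path)."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def system_resolve(name):
    """Resolve through whatever the OS (and any installed VPN profile) is using."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def classify(router_hostname_answers, filtered_domain_answers):
    """Interpret the two experiments: did the router's proxy answer, is the filter in the path?"""
    router_dns_in_path = any(
        ipaddress.ip_address(a).is_private and not ipaddress.ip_address(a).is_unspecified
        for a in router_hostname_answers)
    family_filter_in_path = bool(filtered_domain_answers) and all(
        a == "0.0.0.0" for a in filtered_domain_answers)   # assumed 1.1.1.3 behaviour
    return {"router_dns_in_path": router_dns_in_path,
            "family_filter_in_path": family_filter_in_path}


def run_experiments():
    """Live version: compare the OS resolver path against a direct query to the router."""
    return {
        "via_os_resolver": classify(system_resolve(ROUTER_HOSTNAME), system_resolve(FILTERED_DOMAIN)),
        "direct_to_router": classify(resolve_a(ROUTER_HOSTNAME, ROUTER_IP),
                                     resolve_a(FILTERED_DOMAIN, ROUTER_IP)),
    }


# Constructed sample: the reply a router's DNS proxy would give for orbilogin.net
SAMPLE_TXID = 0x1234
SAMPLE_ROUTER_REPLY = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"    # header: response, rcode 0, 1 answer
    + build_query(ROUTER_HOSTNAME, SAMPLE_TXID)[12:]       # echoed question section
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\xa8\x01\x01"  # A 192.168.1.1, TTL 60
)
SAMPLE_NXDOMAIN_REPLY = (
    b"\x12\x34\x81\x83\x00\x01\x00\x00\x00\x00\x00\x00"    # header: response, rcode 3 (NXDOMAIN)
    + build_query(ROUTER_HOSTNAME, SAMPLE_TXID)[12:]
)

if __name__ == "__main__":
    # Offline demo on the constructed replies; run run_experiments() on a LAN client for the live check.
    print(classify(parse_a_records(SAMPLE_ROUTER_REPLY, SAMPLE_TXID), ["0.0.0.0"]))
```

Run on a laptop on the same WiFi, `run_experiments()["via_os_resolver"]` shows what the device's own resolver path does (the question the thread is asking), while `"direct_to_router"` is the control that should always report the router's proxy and, when the Orbi's upstream is 1.1.1.3, the filter. A phone's VPN profile cannot be tested from the laptop; the offline part still documents exactly what "the router answered" and "the filter answered" look like on the wire.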
schumaku
Guru

Re: Using Microsoft Defender VPN Still Allows Me to Set DNS Server at the Router?

Have you spotted this "fine print" note on the referred page above?

"Privacy Protection is currently available in the US only and only currently supported on Defender for Android."  

CrimpOn
Guru

Re: Using Microsoft Defender VPN Still Allows Me to Set DNS Server at the Router?

@SparkyNuts Thanks for taking the time to run the tests. Very clear now that in the context of Microsoft Endpoint Defender, "VPN" refers only to the mechanism they have chosen to be able to examine every data packet on the way into and out of the device.  Would be fascinating (from an intellectual curiosity viewpoint) to know what Microsoft is doing internally.  I would expect to see a connection opened to cloud servers somewhere.  When testing anti-virus software, researchers load up computers with known viruses and then count how many the various anti-virus packages detect.  I suppose it would be possible to run a script attempting to connect to known phishing sites and verify that they are all blocked.

The emphasis on Organization might lead one to infer that a major intent is to protect organizations from penetration attempts, such as those that have embarrassed so many in recent years where employees fall for phishing attempts and reveal sensitive information.

From what little is known at this point, it would not appear to be harmful to run Defender.
