Picture: Midjourney
A Mullvad VPN person has found that Android units leak DNS queries when switching VPN servers despite the fact that the “All the time-on VPN” characteristic was enabled with the “Block connections with out VPN” possibility.
“All the time-on VPN” is designed to begin the VPN service when the system boots and hold it operating whereas the system or profile is on.
Enabling the “Block Connections With out VPN” possibility (also called a kill change) ensures that ALL community site visitors and connections move by means of the always-connected VPN tunnel, blocking prying eyes from monitoring the customers’ net exercise.
Nonetheless, as Mullvad came upon whereas investigating the problem noticed on April 22, an Android bug leaks some DNS data even when these options are enabled on the most recent OS model (Android 14).
This bug happens whereas utilizing apps that make direct calls to the getaddrinfo C operate, which supplies protocol-independent translation from a textual content hostname to an IP deal with.
They found that Android leaks DNS site visitors when a VPN is lively (however no DNS server has been configured) or when a VPN app re-configures the tunnel, crashes, or is pressured to cease.
“We now have not discovered any leaks from apps that solely use Android API:s akin to DnsResolver. The Chrome browser is an instance of an app that may use getaddrinfo immediately,” Mullvad defined.
“The above applies no matter whether or not ‘All the time-on VPN’ and ‘Block connections with out VPN’ is enabled or not, which isn’t anticipated OS habits and may due to this fact be mounted upstream within the OS.”
Potential mitigations
Mullvad mentioned that the primary DNS leak state of affairs, the place the person switches to a different server or modifications the DNS server, will be mitigated simply by setting a bogus DNS server whereas the VPN app is lively.
Nonetheless, it has but to discover a repair for the VPN tunnel reconnect DNS question leak, which is legitimate for all different Android VPN apps seeing that they are additionally probably impacted by this concern.
“It must be made clear that these workarounds shouldn’t be wanted in any VPN app. Neither is it fallacious for an app to make use of getaddrinfo to resolve domains,” Mullvad defined.
“As a substitute, these points must be addressed within the OS with a purpose to shield all Android customers no matter which apps they use.”
In October 2022, Mullvad additionally discovered that Android units had been leaking DNS queries (e.g., IP addresses, DNS lookups, and HTTPS site visitors) each time they related to a WiFi community due to connectivity checks even when “All the time-on VPN” was toggled on with “Block connections with out VPN” enabled.
DNS site visitors leaks current a big danger to person privateness, doubtlessly exposing their approximate areas and the web platforms they interact with.
Given the seriousness of this concern, you could need to cease utilizing Android units for delicate actions or implement extra safeguards to mitigate the danger of such leaks till Google resolves the bug and backports the patch to older Android variations.
Replace Could 03, 17:02 EDT: A Google spokesperson despatched the next assertion: “Android safety and privateness is a prime precedence. We’re conscious of this report and are trying into its findings.”