A Mullvad VPN user has discovered that Android devices leak DNS queries when switching VPN servers even though the "Always-on VPN" feature was enabled with the "Block connections without VPN" option.
"Always-on VPN" is designed to start the VPN service when the device boots and keep it running while the device or profile is on.
Enabling the "Block Connections Without VPN" option (also known as a kill switch) ensures that ALL network traffic and connections pass through the always-connected VPN tunnel, blocking prying eyes from monitoring the users' web activity.
However, as Mullvad found out while investigating the issue spotted on April 22, an Android bug leaks some DNS information even when these features are enabled on the latest OS version (Android 14).
This bug occurs while using apps that make direct calls to the getaddrinfo C function, which provides protocol-independent translation from a text hostname to an IP address.
They discovered that Android leaks DNS traffic when a VPN is active (but no DNS server has been configured) or when a VPN app re-configures the tunnel, crashes, or is forced to stop.
"We have not found any leaks from apps that only use Android APIs such as DnsResolver. The Chrome browser is an example of an app that can use getaddrinfo directly," Mullvad explained.
"The above applies regardless of whether 'Always-on VPN' and 'Block connections without VPN' is enabled or not, which is not expected OS behavior and should therefore be fixed upstream in the OS."
Potential mitigations
Mullvad said that the first DNS leak scenario, where the user switches to another server or changes the DNS server, can be mitigated easily by setting a bogus DNS server while the VPN app is active.
However, it has yet to find a fix for the DNS query leak that occurs when the VPN tunnel reconnects, a problem that also applies to other Android VPN apps, since they are likely affected by the same issue.
"It should be made clear that these workarounds should not be needed in any VPN app. Nor is it wrong for an app to use getaddrinfo to resolve domain names," Mullvad explained.
"Instead, these issues should be addressed in the OS in order to protect all Android users regardless of which apps they use."
In October 2022, Mullvad also found that Android devices were leaking traffic (e.g., IP addresses, DNS lookups, and HTTPS traffic) every time they connected to a WiFi network because of connectivity checks, even if "Always-on VPN" was toggled on with "Block connections without VPN" enabled.
DNS traffic leaks present a significant risk to user privacy, potentially exposing their approximate locations and the online platforms they engage with.
Given the seriousness of this issue, you may want to stop using Android devices for sensitive activities or implement additional safeguards to mitigate the risk of such leaks until Google resolves the bug and backports the patch to older Android versions.
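As an added example (not Mullvad's or this article's own code), the following Python script scans tcpdump-style capture lines from a device and flags DNS queries that left on a physical interface rather than the VPN tunnel, which is the symptom described above. The capture lines, interface names and resolver addresses are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Interfaces that carry tunnelled traffic; DNS on any other interface is a leak.
TUNNEL_IFACES = {"tun0", "wg0"}

# Constructed sample capture in "tcpdump -i any" style (not a real capture):
# two lookups for example.org go out on wlan0 to the LAN resolver, bypassing tun0.
SAMPLE_CAPTURE = """\
10:00:01.000100 tun0  Out IP 10.64.0.2.40001 > 10.64.0.1.53: 1+ A? example.com. (29)
10:00:01.050200 wlan0 Out IP 192.168.1.7.40002 > 192.168.1.1.53: 2+ A? example.org. (29)
10:00:01.060300 wlan0 Out IP 192.168.1.7.40003 > 192.168.1.1.53: 3+ AAAA? example.org. (29)
10:00:02.000400 tun0  Out IP 10.64.0.2.40004 > 10.64.0.1.53: 4+ A? bleepingcomputer.com. (38)
10:00:02.100500 wlan0 Out IP 192.168.1.7.51820 > 203.0.113.5.51820: UDP, length 148
"""

# Timestamp, interface, direction, src, dst (host and port split on the last dot).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?:In|Out)\s+IP6?\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+?)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)
# DNS query payload as tcpdump prints it: "<id>+ <type>? <name>."
QUERY_RE = re.compile(r"\d+\+?\s+(?P<qtype>[A-Z]+)\?\s+(?P<name>\S+)")


@dataclass
class DnsLeak:
    ts: str
    iface: str
    resolver: str
    qtype: str
    name: str


def find_dns_leaks(capture: str, tunnel_ifaces=TUNNEL_IFACES) -> list[DnsLeak]:
    """Return every DNS query (dst port 53) that was sent outside the tunnel."""
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dport"] != "53":
            continue  # not a DNS query
        if m["iface"] in tunnel_ifaces:
            continue  # inside the tunnel: expected behaviour
        q = QUERY_RE.match(m["rest"])
        if not q:
            continue  # port-53 traffic that is not a parseable query
        leaks.append(DnsLeak(m["ts"], m["iface"], m["dst"], q["qtype"], q["name"].rstrip(".")))
    return leaks


if __name__ == "__main__":
    for leak in find_dns_leaks(SAMPLE_CAPTURE):
        print(f"{leak.ts} LEAK via {leak.iface} to {leak.resolver}: {leak.qtype} {leak.name}")
```

Run against a real capture taken while switching VPN servers, any hit is a query that left the device unencrypted.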
Update May 03, 17:02 EDT: A Google spokesperson sent the following statement: "Android security and privacy is a top priority. We're aware of this report and are looking into its findings."
Comments
FilledWithHate - 1 month ago
Well, if the device isn't connected to a VPN and you're asking it to connect to one via host name, how is it going to do that without making a DNS request? Anyone know? Anyone? Bueller?
h_b_s - 1 month ago
Any request should automatically fail in the circumstances where the user has the device set to always use a VPN but no VPN tunnel is active. It doesn't. That's considered a bug.
Your question is nonsensical otherwise. You should probably go read up how networking functions, because your question displays an ignorance in even knowing how to frame the correct question.
IAmJeeves - 1 month ago
We have seen reports like this before and it turned out to be issues with a specific VPN application and not a flaw in the core Android OS. I don't see any mention of verification with other Android VPN applications here.
mayormaynotbeano - 1 month ago
It doesn't really matter which one you choose. Like Mullvad, a lot of VPN providers are based on WireGuard/OpenVPN. The problem is in the getaddrinfo function, not the VPN.