DNS traffic can leak outside the VPN tunnel on Android
"The report detailed how the user managed to leak DNS queries when disabling and enabling VPN while having “Block connections without VPN” on."
Not to diminish the severity of the issue but I can't imagine this being the factor that pushes the average person to iOS over Android.
Mullvad is awesome. I think this is the second Android bug/incident they brought to light?
Anyway, really really hope this gets fixed upstream, maybe by Graphene
How much you wanna bet this was intentional by Google? 😏
They didn't bring it to light, it was a user report posted on Reddit. They merely investigated it further. Nothing against Mullvad, it's a great VPN, but credit where credit is due.
If you do this, you'll be using the DNS you assign instead of using the VPN's DNS, as intended. That will make you stand out from the rest of the same VPN users, effectively affecting privacy.
One DoT provider you could choose is... Mullvad: https://mullvad.net/en/help/dns-over-https-and-dns-over-tls
What I don't understand though, doesn't using Mullvad automatically set their own DNS?
On the desktop it does. But on Android things are maybe different? Not directly related but I remember (long time ago) wanting to tether from an Android phone with Mullvad VPN app in use, to a computer, only to find out that the Android defaults (in Android, not in the Mullvad app) needed a button swiped to make it work correctly on the other device.
Only if your Android connection is set to automatic DNS. Additionally, they are assuming it is an OS bug. However, they also acknowledge that they had to fix something on their app to mitigate. I tried myself with WireGuard instead, killed the network access to it, and nothing ever left my phone, as Android immediately killed all connections due to the VPN always-on feature.
So, I'm going to take their claim with a grain of salt until AOSP says something about this and denies or confirms the alleged bug.
Just use Rethink DNS with a WireGuard tunnel and block every app except those you trust and need!
Any system app on Android, the captive portal login and more CAN all bypass a VPN in "block all other connections" mode.
Android is really problematic and having as few system apps as possible is the only fix.
Imagine using Android at this point
LineageOS with Jerboa over Mullvad VPN here. Not many options on mobile devices.
And Android runs a shitload of portable devices beyond phones.
Most handheld store scanners are Android-based today. Inventory management devices (like warehouses have used since the nineties) used to be Palm-based, are largely Android now, because its core is Linux. They don't have to run the standard Android shell, they can run their own.
I've used medical monitors that are Android-based.
LineageOS is so much better than stock Android
Yea unfortunately. Hopefully the enshittification of new versions will speed up the development of alternatives
EDIT: imagine raiding (now seriously)
What other alternative is there?
No real alternatives yet unfortunately. Though if you only use a browser, Linux may work
As opposed to iOS, the beautiful walled garden of Eden?
All things I use, besides JavaScript on websites and firmware, are basically open source.
I am lucky to use open protocols for communication only, as when deleting Facebook my friends were willing to use Matrix with me.
I can do many many compromises.
But still, I have a OnePlus 6T with mobile Linux and absolutely cannot switch now. I would love to, but working camera and some alternative to Organic Maps is a must I cannot jump around when Android is "just" fine now.
Privacy is when you fully isolate yourself from the world.