Picture: Midjourney
A Mullvad VPN user has found that Android devices leak DNS queries when switching VPN servers, even though the “Always-on VPN” feature was enabled with the “Block connections without VPN” option.
“Always-on VPN” is designed to start the VPN service when the device boots and keep it running while the device or profile is on.
Enabling the “Block Connections Without VPN” option (also known as a kill switch) is meant to ensure that ALL network traffic and connections pass through the always-connected VPN tunnel, preventing third parties from monitoring the user’s web activity.
However, as Mullvad found while investigating the issue reported on April 22, an Android bug leaks some DNS information even when both of these features are enabled on the latest OS version (Android 14).
The bug occurs with apps that call the getaddrinfo C function directly, which provides protocol-independent translation from a text hostname to an IP address.
Mullvad found that Android leaks DNS traffic when a VPN is active but no DNS server has been configured for it, and when a VPN app re-configures the tunnel, crashes, or is forced to stop.
“We have not found any leaks from apps that only use Android APIs such as DnsResolver. The Chrome browser is an example of an app that can use getaddrinfo directly,” Mullvad explained.
“The above applies regardless of whether ‘Always-on VPN’ and ‘Block connections without VPN’ is enabled or not, which is not expected OS behavior and should therefore be fixed upstream in the OS.”
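To check a device for this behaviour yourself, here is an added example (not Mullvad’s tooling and not code from the original article) that parses the text output of tcpdump and flags outbound DNS queries that left on an interface other than the VPN’s tun device. It assumes a capture taken with `tcpdump -i any -n -l port 53` (tcpdump 4.99 or newer, which prefixes each line with the interface name and direction) on a rooted device, or on the device’s upstream router, while switching VPN servers or killing the VPN app. The sample capture lines and the interface names (tun0, wlan0) are constructed for illustration.

```python
"""Flag DNS queries that left an Android device outside the VPN tunnel.

Added example for this article; not Mullvad's code. Input is the text
output of `tcpdump -i any -n -l port 53` (tcpdump >= 4.99, which prints
"<time> <iface> <In|Out> IP <src> > <dst>: ..."). Any outbound query whose
interface is not the VPN's tun device is a leak candidate.
"""
import re
import sys
from dataclasses import dataclass

# One tcpdump line, e.g.
#   12:00:01.000001 tun0  Out IP 10.64.0.2.41234 > 10.64.0.1.53: 4711+ A? example.com. (29)
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<dir>\S+)\s+IP6?\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$"
)
# Query summary printed by tcpdump: "<id>+ <qtype>? <qname>". Answers have no "?".
QNAME_RE = re.compile(r"\b(?P<qtype>AAAA|A|HTTPS|PTR|CNAME|TXT|SRV)\?\s+(?P<qname>\S+)")

# Constructed sample capture (not real traffic): one query inside the tunnel,
# then two queries that escaped via WiFi during a server switch.
SAMPLE_CAPTURE = """\
12:00:01.000001 tun0  Out IP 10.64.0.2.41234 > 10.64.0.1.53: 4711+ A? example.com. (29)
12:00:01.000900 tun0  In  IP 10.64.0.1.53 > 10.64.0.2.41234: 4711 1/0/0 A 93.184.216.34 (45)
12:00:02.500000 wlan0 Out IP 192.168.1.23.50001 > 192.168.1.1.53: 4712+ A? example.com. (29)
12:00:02.500500 wlan0 Out IP 192.168.1.23.50002 > 192.168.1.1.53: 4713+ AAAA? example.com. (29)
12:00:02.501000 wlan0 In  IP 192.168.1.1.53 > 192.168.1.23.50001: 4712 1/0/0 A 93.184.216.34 (45)
"""


@dataclass
class DnsQuery:
    ts: str
    iface: str
    dst_ip: str
    dst_port: int
    qtype: str
    qname: str


def parse_queries(capture: str) -> list:
    """Return every outbound DNS query found in tcpdump text output."""
    queries = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("dir") != "Out":
            continue  # responses, inbound traffic, malformed lines
        q = QNAME_RE.search(m.group("rest"))
        if not q:
            continue  # not a query summary (e.g. a TCP handshake line)
        ip, port = m.group("dst").rsplit(".", 1)  # tcpdump writes host.port
        queries.append(DnsQuery(m.group("ts"), m.group("iface"), ip, int(port),
                                q.group("qtype"), q.group("qname")))
    return queries


def find_leaks(capture: str, tun_ifaces=("tun0",)) -> list:
    """Queries that left on a physical interface instead of the tunnel."""
    return [q for q in parse_queries(capture) if q.iface not in tun_ifaces]


def report(capture: str, tun_ifaces=("tun0",)) -> str:
    leaks = find_leaks(capture, tun_ifaces)
    if not leaks:
        return "no DNS queries outside the tunnel"
    lines = [f"{len(leaks)} DNS query(ies) left outside the tunnel:"]
    for q in leaks:
        lines.append(f"  {q.ts} {q.iface} -> {q.dst_ip}:{q.dst_port} {q.qtype} {q.qname}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: tcpdump -i any -n -l port 53 | python3 dns_leak_check.py [tun_iface]
    # With no piped input, runs against the constructed sample above.
    tun = (sys.argv[1],) if len(sys.argv) > 1 else ("tun0",)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    print(report(data, tun))
```

Queries that appear on the physical interface while a VPN with “Block connections without VPN” is active are exactly the traffic the kill switch was supposed to prevent; correlate their timestamps with the moment of the server switch or app restart.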
Potential mitigations
Mullvad said that the first DNS leak scenario, where the user switches to another server or changes the DNS server, can be mitigated easily by setting a bogus DNS server while the VPN app is active.
However, it has yet to find a fix for the DNS query leak that occurs when the VPN tunnel reconnects, and the same applies to all other Android VPN apps, since they are likely affected by this issue too.
“It should be made clear that these workarounds should not be needed in any VPN app. Nor is it wrong for an app to use getaddrinfo to resolve domain names,” Mullvad explained.
“Instead, these issues should be addressed in the OS in order to protect all Android users regardless of which apps they use.”
In October 2022, Mullvad also found that Android devices were leaking data (including IP addresses, DNS lookups, and HTTPS traffic) every time they connected to a WiFi network, because of the OS’s connectivity checks, even when “Always-on VPN” was toggled on with “Block connections without VPN” enabled.
DNS traffic leaks present a significant risk to user privacy, potentially exposing a user’s approximate location and the online platforms they interact with.
Given the seriousness of this issue, you may want to stop using Android devices for sensitive activities, or implement additional safeguards to mitigate the risk of such leaks, until Google resolves the bug and backports the patch to older Android versions.
Update May 03, 17:02 EDT: A Google spokesperson sent the following statement: “Android security and privacy is a top priority. We’re aware of this report and are looking into its findings.”