科技回声: a tech news platform built on Next.js, providing global tech news and discussion content.

© 2025 科技回声. All rights reserved.

DNS traffic can leak outside the VPN tunnel on Android

835 points, by ementally, about 1 year ago

33 comments

nazgulsenpai, about 1 year ago
I don't use Mullvad, but I respect the shit out of them. This is a good, information-dense explanation of the problem, their short-term workaround and potential workarounds for others, as well as what will need to be fixed in Android. Good stuff.
ignoramous, about 1 year ago
rethinkdns dev here

> these issues should be addressed in the OS in order to protect all Android users regardless of which apps they use.

Android's paranoid networking has always had an exception for System and OEM apps (which include Google apps). Most such bug fixes are unlikely to fix that core assumption. Some code refs: https://github.com/celzero/rethink-app/issues/224

> The leak during tunnel reconnects is harder for us to mitigate in our app. We are still looking for solutions.

Android supports seamless handover between two TUN devices (on reconfiguration). It is tricky to get it right, but implementable.
bastard_op, about 1 year ago
This has been a long-standing issue with Android: no matter how much you want it to use internal DNS servers only, it'll decide to flip to cell and use those as it needs/wants. I've observed adb debugs for times recently to see why/when wireless was disconnecting, and it comes down to liveliness checks: if it can't see or resolve something, it'll simply bring up and try the cell data to do so.

It's especially frustrating when using internal DNS records that only live internally, which will randomly not work on a phone. I can see that the device is on wifi that is feeding internal DNS servers with the records, but it's still resolving externally for some Android reason. This happens on my SO's phone when using things all the time, but I really don't use my phone in the house except to read books and rarely notice.

No idea how Apple is about this, but given that they try to proxy everything you do via their "privacy" VPN by default, including DNS as DoH, I can't imagine it is any better trying to use what they'd see as a competing product, and we know how Apple feels about those.
bobbob1921, about 1 year ago
A few years ago, when I was testing various VPN setups for a project, one thing I would do is have a MikroTik firewall device (hardware) sit between my computer and my main router; its only purpose would be to block any traffic not dst for the IP address of the VPN server that the PC was connecting to.

This worked great to ensure that no traffic was leaked from PC to VPN server. The IP address of the VPN server you're making use of rarely changes, or if it does it's easy enough to change on the MikroTik firewall.

Another method is to block all traffic not to the port/protocol pair being used by the VPN server if you don't know the server's IP address (or if it changes). As an example, drop any traffic not dst UDP 1194 (based on the type of VPN, of course). MikroTik routers also have a great little tool called torch that allows you to quickly and easily watch traffic (in addition, of course, to supporting packet captures). MikroTik routers are very reasonably priced and range from as low as $30 up to $3000, all with no software licenses, and they are very powerful and capable if you know what you're doing.
Asmod4n, about 1 year ago
The problem with Android in regards to DNS: you just can't set your own IPv6 DNS server on that platform; it gets changed any time anything happens to your wifi. There is no app, even for rooted Android, which can stop the operating system from changing it.

When you are stuck with a router that always hands out IPv6 addresses and doesn't let you turn that off, you are just screwed.

I don't even know if you could install a firewall appliance behind that router and strip out the IPv6 DNS servers it advertises.
tiagod, about 1 year ago
I guess the safest setup is to have mobile data off on your phone and carry an OpenWRT hotspot to do the VPN bit upstream from the phone.
exabrial, about 1 year ago
Any system where you don't have root access is insecure by its very definition. Android and iOS are hilarious.
marc_ranieri, about 1 year ago
Block connections without VPN is turning out to be as reliable as my self-control at an all-you-can-eat buffet… If I'm not mistaken, these DNS leaks can very much expose where you browse and even your location, which kinda defeats the whole purpose of a VPN (and yes, even with VPNs, Android might still leak your DNS info. If you're really privacy-conscious, you might need to look beyond just using Android or keep your sensitive stuff off your phone).
Remzi1993, about 1 year ago
Sometimes you wonder if those "bugs" are intentionally well placed or not. Especially since big tech has been known to work together with all kinds of intelligence agencies. I just can't believe that so many bugs like this in Android are there "not intentionally" at this point, since this is not the first time I have heard about these kinds of bugs in Android.
kop316, about 1 year ago
I've sort of suspected this is the case for a while. On VPN, MMS and Visual Voicemail still work on Android. Both of these require direct mobile access or they will get rejected (sometimes they are only on the mobile network, or else the requests get rejected if they don't come from within the mobile network). I suspect the same is true of VoLTE. If there is a VPN, that would mess things up.

I found this out since on Mobile Linux, if you enable VPN, the VPN breaks all of those.

I don't think there is a clear way to fix this on Android without breaking a lot of expected functionality.
mise_en_place, about 1 year ago
Luckily WireGuard doesn't have this issue on desktop peers. Although I did run into DNS leaking due to my peer config having an exception for my local network address range. The way I resolved that is to set up dnsmasq on the server and set that as my primary DNS.

I will say that I wish there was a DisallowedIPs directive. It's fun having to subtract a /24 from 0.0.0.0/0, although there are calculators you can use.
ar-jan, about 1 year ago
I think this finding originates with the GrapheneOS community [0]. Edit: I guess that may be the same user reporting both.

0: https://twitter.com/GrapheneOS/status/1782477984156311814
badrabbit, about 1 year ago
I gave up on trusting phones to secure data a long time ago. But my approach is, at least when on wifi, to allow access to the internet only if the device connects to a local VPN gateway. 100% leak proof and prevents almost all wifi/LAN/MITM attacks.
ranger_danger, about 1 year ago
I have also noticed that when using the FoxyProxy addon under Firefox, even with a SOCKS5 proxy in use, it will leak DNS requests through the direct connection unless you also set a manual proxy in the regular Firefox settings as well.
lloydatkinson, about 1 year ago
> Depending on your threat model this might mean that you should avoid using Android altogether for anything sensitive

I once worked with someone who worked with someone that had previously been a major Android fanboy, but after doing some work that required a security clearance, they became an iPhone user and insisted their family get iPhones too.
robertritz, about 1 year ago
I noticed this with my Android TV. Sometimes my location would leak and certain streaming sites stopped working (I'm outside the US).

Got an Apple TV and this issue stopped.
gregoryl, about 1 year ago
That's unfortunate; they only recently rolled out prompts to push Android users away from their in-app always-on functionality to the built-in version.
taxesTaxi, about 1 year ago
So, a closed-source operating system can do things the user can't control? I don't know what's more impressive, the fact people don't apprehend this reality, or the fact people still rely on VPNs (especially a third party) for privacy or whatever.
moose44, about 1 year ago
Apologies if this is a dumb question—could a service like NextDNS help prevent this?
sneak, about 1 year ago
APNS traffic leaks outside of the VPN on iOS as well (except possibly OS-supported VPNs installed with a provisioning profile).

Apple doesn't seem to care, as they don't care about preserving your privacy wrt themselves.
beefnugs, about 1 year ago
If Google wasn't evil, then the default for all permissions would be to mock fake data that the app could never recognize as fake. Then you pick and choose which apps get REAL data.
the8472, about 1 year ago
Linux has network namespaces, which can be used to isolate programs so they don't see any external networking when no VPN is available. Does Android not use this for its VPN feature?
wolverine876, about 1 year ago
Mullvad's security team should have found this problem on their own, and as soon as it appeared:

Inspect security empirically. You might think that your security must work, but that means nothing; you must investigate empirically: all data going to the Internet must pass through the gateway. Collect the packets on the gateway, not on the device, and inspect them for leaks. Finding leaks should be trivial at that point.

The only trick might be cellular connections: we don't know that leaks aren't unique to cellular connections. I know cellular gateways can be set up, but are the packets inspectable at a level that will reveal leaks?
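The gateway-side check wolverine876 describes, and the "watch everything that is not destined for the VPN server" view bobbob1921 gets from a firewall and torch further up, reduce to one rule: a device that is supposed to be tunnelled may only ever send to its VPN endpoint, and anything else seen at the gateway is a leak. The following is an added example, not Mullvad's, MikroTik's or NetGuard's code, that applies that rule to a capture. The record format, the device address 192.168.1.42, the endpoint 203.0.113.10:51820/UDP, the DHCP allowance and the 5-second gap threshold used to separate steady-state leaks from reconnect-window leaks are all constructed assumptions.

```python
"""Added example (not from the thread): flag packets a VPN-only device sends
anywhere other than its VPN endpoint, as seen from a gateway capture.
The record format and every address below are constructed for this example."""
from dataclasses import dataclass
from typing import Collection, Iterable, List, Optional, Tuple

Endpoint = Tuple[str, int, str]  # (ip, port, proto) of the VPN server


@dataclass(frozen=True)
class Packet:
    ts: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Leak:
    ts: float
    kind: str        # "plain DNS", "DNS-over-TLS" or "non-VPN traffic"
    dst: str
    dport: int
    during_gap: bool  # no tunnel packet seen for `gap_seconds` before this one


def parse_line(line: str) -> Packet:
    """Parse one constructed record: '<epoch> <PROTO> <src>:<sport> -> <dst>:<dport>'."""
    ts, proto, src, _arrow, dst = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Packet(float(ts), proto.upper(), src_ip, int(sport), dst_ip, int(dport))


# Destination ports that identify a DNS leak specifically (assumed mapping).
DNS_KINDS = {(53, "UDP"): "plain DNS", (53, "TCP"): "plain DNS", (853, "TCP"): "DNS-over-TLS"}


def find_leaks(lines: Iterable[str], device_ip: str, endpoint: Endpoint,
               allowed_dports: Collection[int] = frozenset({67}),
               gap_seconds: float = 5.0) -> List[Leak]:
    """Every packet from `device_ip` must go to `endpoint`; the only other
    traffic tolerated is to `allowed_dports` (DHCP by default). A leak is marked
    `during_gap` when the tunnel has been silent for more than `gap_seconds`,
    which is where reconnect-window leaks show up."""
    ep_ip, ep_port, ep_proto = endpoint
    last_tunnel_ts: Optional[float] = None
    leaks: List[Leak] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        p = parse_line(raw)
        if p.src != device_ip:
            continue
        if (p.dst, p.dport, p.proto) == (ep_ip, ep_port, ep_proto.upper()):
            last_tunnel_ts = p.ts
            continue
        if p.dport in allowed_dports:
            continue
        kind = DNS_KINDS.get((p.dport, p.proto), "non-VPN traffic")
        in_gap = last_tunnel_ts is None or (p.ts - last_tunnel_ts) > gap_seconds
        leaks.append(Leak(p.ts, kind, p.dst, p.dport, in_gap))
    return leaks


# Constructed capture: tunnel traffic, a query to the LAN resolver while the
# tunnel is up, then an 8 s tunnel silence during which DoT and HTTPS escape.
CAPTURE = """\
1714000000.000 UDP 192.168.1.42:41000 -> 203.0.113.10:51820
1714000000.050 UDP 192.168.1.42:41000 -> 203.0.113.10:51820
1714000000.100 UDP 192.168.1.42:53344 -> 192.168.1.1:53
1714000001.000 UDP 192.168.1.42:41000 -> 203.0.113.10:51820
1714000009.000 TCP 192.168.1.42:50123 -> 198.51.100.53:853
1714000009.200 TCP 192.168.1.42:50124 -> 198.51.100.7:443
1714000010.000 UDP 192.168.1.42:41000 -> 203.0.113.10:51820
1714000010.100 UDP 192.168.1.42:68 -> 255.255.255.255:67
1714000010.200 UDP 192.168.1.77:5000 -> 198.51.100.1:53
"""

if __name__ == "__main__":
    for leak in find_leaks(CAPTURE.splitlines(), "192.168.1.42", ("203.0.113.10", 51820, "UDP")):
        when = "during tunnel gap" if leak.during_gap else "while tunnel active"
        print(f"{leak.ts:.3f} {leak.kind:16} -> {leak.dst}:{leak.dport} ({when})")
```

Running it on the constructed capture reports three leaks for the device: the plain-DNS query to the LAN resolver while the tunnel was active, and the DoT and HTTPS connections during the tunnel gap. The other host's traffic is ignored and the DHCP broadcast is tolerated. Replace `parse_line` with a reader for whatever your gateway exports (a packet capture, torch output, flow logs) and the rest applies unchanged; the same per-destination test is what a kill-switch firewall rule enforces at the gateway instead of merely reporting.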
jerry1979, about 1 year ago
This can also be detected by using the NetGuard firewall, which acts as a VPN. Even in full lockdown mode, some kinds of network traffic get through.
rkagerer, about 1 year ago
> We have reported the issues and suggested improvements to Google

Isn't Android open source? Can they not fix it for them and submit a PR?
throwaway2037, about 1 year ago
I don't use VPNs, nor Mullvad, but I do appreciate the transparency here. We need to support more companies like this.
spxneo, about 1 year ago
Toy with me for a bit: couldn't Mullvad be another "Encrochat" in the making?

Encrochat was similarly marketed as absolutely trustable, complete with experts covering "we fixed this vulnerability/exploit and you can trust us" vibes (https://www.manchestereveningnews.co.uk/news/uk-news/dads-secret-criminal-life-unmasked-29089865)

Isn't Mullvad the same thing?

Do you really think they would allow terrorists like Hamas to use Mullvad to coordinate attacks? Coincidentally, Hamas does not trust any sort of VPN, opting for underground land lines.
aftbit, about 1 year ago
Also, apparently tethering traffic doesn't go via the VPN? That's a silly choice too.
seany, about 1 year ago
I really _really_ want to love Mullvad, but they still don't ignore DMCA requests.
Rastonbury, about 1 year ago
What if I have private DNS set up on my phone?
haisin1982, about 1 year ago
I like Mullvad. Just wish they used less shitty providers; all of them are super dodgy, from xtom (super unhinged owner) to m247. Mullvad presents a great image, but their providers would probably sell netflow traffic for $7 a month to any interested party. They really do use the scum of the earth providers instead of investing in their own infra.
mik09, about 1 year ago
Used an exploit to get VPN working on router...
kerhackernews, about 1 year ago
Can't you just use a DNS provider that encrypts the traffic?