- Mullvad VPN’s blog post: DNS traffic can leak outside the VPN tunnel on Android
Identified scenarios where the Android OS can leak DNS traffic:
- If a VPN is active without any DNS server configured.
- For a short period of time while a VPN app is re-configuring the tunnel or is being force stopped/crashes.
The leaks seem to be limited to direct calls to the C function getaddrinfo.
The above applies regardless of whether Always-on VPN and Block connections without VPN is enabled or not, which is not expected OS behavior and should therefore be fixed upstream in the OS.
We’ve been able to confirm that these leaks occur in multiple versions of Android, including the latest version (Android 14).
We have reported the issues and suggested improvements to Google and hope that they will address this quickly.
- GrapheneOS 2024050900 release changelog announcement:
prevent app-based VPN implementations from leaking DNS requests when the VPN is down/connecting (this is a preliminary defense against this issue and more research is required, along with apps preventing the leaks on their end or they’ll still have leaks outside of GrapheneOS)