VpnService: Inconsistent handling of DNS servers when migrating from one TUN device to another [116257079]

Fixed

Bug

[AOSP] assigned

Status Update

No update yet.

Description

to...@strongswan.org

created issue #1

Sep 21, 2018 02:24PM

We've noticed some inconsistent behavior regarding DNS servers when migrating from one TUN device created with VpnService.Builder to another.

As documented (

https://developer.android.com/reference/android/net/VpnService.Builder#addDnsServer(java.net.InetAddress)), if no DNS server is configured the default network's DNS servers should get used. However, when switching from a device without DNS server to one that has servers set and vice-versa there are two issues:

1. If the first VpnService.Builder had no DNS servers assigned and there is a switch to one with DNS servers, the system continues to use the DNS servers from the default network in addition to the ones assigned from the VPN server, resulting in a DNS leak (i.e. there are DNS queries that don't go to the DNS servers received from the VPN server). Actually, the requests to the non-VPN DNS servers bypass the VPN completely, even if the DNS servers' IP addresses match the routes installed via Builder. However, if the first device has DNS servers assigned (different from the ones assigned later), the system only uses the ones assigned to the second device after the switch, so that works correctly.

2. If the first VpnService.Builder has DNS servers assigned and is followed by one that doesn't, instead of falling back to the DNS servers of the default network, the system actually ends up without any DNS servers (i.e. DNS resolution fails afterwards). That's not the case if the first device already had no DNS servers assigned.

Both these issues have been observed on a Pixel 2 with Android 9 (latest security update). The only other device I had available was a Nexus 6 with Android 7.1.1, where *neither* issue was seen.

Comments

jo...@gmail.com <jo...@gmail.com> #2Sep 22, 2018 02:38AM

It may also be worth improving the documentation around what the expected behavior is when users define private DNS provider hostname (via the Settings) while there's an active VPN connection with custom DNS server added through VpnService.Builder.

There are a couple of scenarios that I would like to get clarifications on:
1. Which DNS server would the system use to resolve private DNS provider hostname? one provided by VpnService.Builder or one that's been provided by the network?
2. Which DNS server would the system use to complete ordinary DNS resolution requests? If private DNS settings override the DNS server configured via VpnService.Builder, will such requests go through VPN?

ma...@google.com <ma...@google.com> #3Sep 24, 2018 11:17AM

Assigned to ma...@google.com.

Can you provide the below requested information to better understand the issue:

Android build
Which Android build are you using? (e.g. KVT49L)

Android bug report
After reproducing the behavior, press the volume up, volume down, and power button simultaneously. This will capture a bug report on your device in the “bug reports” directory.
Alternate method:
After reproducing the behavior, navigate to developer settings, ensure ‘USB debugging’ is enabled, then enable ‘Bug report shortcut’. To take bug report, hold the power button and select the ‘Take bug report’ option.

Note: Please upload the files to google drive and share the folder to android-bugreport@google.com, then share the link here.

to...@strongswan.org <to...@strongswan.org> #4Sep 24, 2018 02:23PM

The build number is PPR2.180905.005

Android bug reports for the two issues can be found here (not sure how clearly separated they are as I did the tests back to back):

https://drive.google.com/drive/folders/1kWaylP2q3npIdQf58SoB5Y7UgR0ELOZC

For

issue 1

the scenario is that the original TUN device has no DNS servers assigned and that the VPN server assigns 1.1.1.1 for the second (I tried with up to four assigned servers, the result doesn't change). The system incorrectly continues to use the LAN's DNS server alongside the one configured on the second VpnService.Builder.

For

issue 2

the scenario is that the original TUN devices has 8.8.8.8 assigned and the VPN server does not assign any for the second. DNS resolution afterwards completely fails, instead of falling back to the LAN's DNS servers.

+1 regarding the documentation for the interaction between Private DNS and DNS servers set via VpnService.Builder.

ma...@google.com <ma...@google.com> #5Sep 25, 2018 04:20AM

We have passed this to the development team and will update this case with more information as it becomes available.

ma...@google.com <ma...@google.com> #6Dec 19, 2018 05:33AM

Marked as fixed.

The development team has fixed the issue that you have reported and it will be available in a future build.

Issue 116257079