IssueTracker

Hello,

We’re from Mullvad VPN and after a recent user report about DNS traffic leaking in specific circumstances we immediately started investigating the issue. We were able to confirm that Android leaks DNS requests outside the VPN tunnel and that the leaks weren’t limited to the specific case raised by the user. We’ve done multiple tests over the last few days but all the details surrounding under which conditions the leak happens is yet not clear, what is clear though is that Android do leak DNS traffic outside the VPN tunnel in certain conditions.

From our testing we see that when no internet connectivity is given through the VPN tunnel, some API’s allows DNS requests to be sent out directly on the network, regardless if lockdown mode is enabled or not. The original issue was discovered using Chrome. While a working VPN connection is up, all data seemingly is sent through the tunnel.

The easiest way of reproducing the issue is with Chrome and a dummy WireGuard blackhole VPN setup (it is reproducible with other VPN apps as well):

• Download and install Chrome and Wireguard
• Setup DNS spamming
  • Download the attached file spam_get_requests.html; This file has embedded javascript to launch GET requests every 30 ms after you press “Start”. These requests will cause dummy DNS requests against a test tld (.test).
  • Open the file in Chrome
• Setup WireGuard
  • Download the attached file wg.conf
  • Import the config by pressing '+' in the Wireguard app
  • Press the toggle to active VPN and approve the permission request
• Go into system settings and enable "Always-on VPN" & "Block connections without VPN" (Lockdown mode) for Wireguard.
• On router use tcpdump or Wireshark to debug the network traffic.
  • tcpdump -i <INTERFACE> udp and host <IP> and port 53
• Open Chrome press "Start" and see DNS request leak

We hope you prioritize the importance of this security flaw and we’ll continue sharing updates on our investigation in this ticket.