firezone / firezone

WireGuard®-based zero-trust access platform with OIDC auth, identity sync, and NAT traversal.
https://www.firezone.dev
Apache License 2.0

Some apps on Android don't use Connlib DNS sentinels #4834

Open jamilbk opened 2 months ago

jamilbk commented 2 months ago

It looks like some apps on Android are not using the DNS sentinel set by connlib in the BuildVPNService function, and are instead using the DNS servers from the WiFi interface.

Apps that work fine:

Apps that don't:

Some things to note:

jamilbk commented 2 months ago

They seem to be using the DNS servers from the WiFi interface

ReactorScram commented 2 months ago

Same as this? https://news.ycombinator.com/item?id=40247604

https://mullvad.net/en/blog/dns-traffic-can-leak-outside-the-vpn-tunnel-on-android

We were recently made aware of multiple potential DNS leaks on Android. They stem from bugs in Android itself, and only affect certain apps.

jamilbk commented 2 months ago

Yeah I saw that. I don't think it's the same issue, but need to triage further.

One thing of note is that the offending apps are installed directly via APK. Not sure if that's a clue.

jamilbk commented 1 month ago

Able to reproduce using the following steps:

jamilbk commented 1 month ago

The problem with AndroDNS is they have their DNS server detection code which doesn't correctly use the servers set by our VPN service:

https://github.com/gryphius/androdns/blob/master/app/src/main/java/androdns/android/leetdreams/ch/androdns/DnsServersDetector.java#L156

jamilbk commented 1 month ago

Another issue is that when "Block connections that don't go through the VPN" is enabled, Android stops using the VPN DNS servers for lookups and instead uses the servers from the default network interface.

jamilbk commented 1 month ago

From note sent to customer:

Some updates on the ODK-collect issue. I was able to reproduce the issue using their demo server locally. It happens when "Block connections that don't go through the VPN" is enabled. Unfortunately, when that's enabled, Android ruins all our fun: it stops using the DnsServers added by Firezone (or any VPN service for that matter) for lookups, and uses the ones from the default interface (WiFi) instead. To top it all off, Android's system settings don't even allow completely setting manual DNS servers (Android 14) -- you can choose to set a static IP address, but even if you do that, you can only override the IPv4 settings (and IPv4 DNS servers). IPv6 address, routes, and IPv6 DNS servers set by DHCP will still apply.

jamilbk commented 1 month ago

Should be resolved by #2667

jamilbk commented 3 days ago

I can confirm that Android (i.e. Chrome) does cache DNS responses and Android provides no programmatic way to clear this. So if a name was resolved, then added as a Resource, then resolved again within a short time period, the system's stub resolver will return the cached IP.

There's not much we can do about this, but it's probably a good idea to call this out in the docs.

ReactorScram commented 2 days ago

If we translated addresses from some FZ-controlled domain to real ones, e.g. https://ifconfig.net.dns.firezone to https://ifconfig.net then the caching would behave correctly... But TLS wouldn't work, and it wouldn't quite be zero-trust if we have to make customers install a root cert