Open jamilbk opened 2 months ago
They seem to be using the DNS servers from the WiFi interface
Same as this? https://news.ycombinator.com/item?id=40247604
https://mullvad.net/en/blog/dns-traffic-can-leak-outside-the-vpn-tunnel-on-android
We were recently made aware of multiple potential DNS leaks on Android. They stem from bugs in Android itself, and only affect certain apps.
Yeah I saw that. I don't think it's the same issue, but need to triage further.
One thing of note is that the offending apps are installed directly via APK. Not sure if that's a clue.
Able to reproduce using the following steps:
The problem with AndroDNS is they have their DNS server detection code which doesn't correctly use the servers set by our VPN service:
Another issue is that when "Block connections that don't go through the VPN" is enabled, Android stops using the VPN DNS servers for lookups and instead uses the servers from the default network interface.
From note sent to customer:
Some updates on the ODK-collect issue. I was able to reproduce the issue using their demo server locally. It happens when "Block connections that don't go through the VPN" is enabled. Unfortunately, when that's enabled, Android ruins all our fun: it stops using the DnsServers added by Firezone (or any VPN service, for that matter) for lookups, and uses the ones from the default interface (WiFi) instead. To top it all off, Android's system settings don't even allow completely setting manual DNS servers (Android 14): you can choose to set a static IP address, but even if you do that, you can only override the IPv4 settings (and IPv4 DNS servers). The IPv6 address, routes, and IPv6 DNS servers set by DHCP will still apply.
Should be resolved by #2667
I can confirm that Android (i.e. Chrome) does cache DNS responses and Android provides no programmatic way to clear this. So if a name was resolved, then added as a Resource, then resolved again within a short time period, the system's stub resolver will return the cached IP.
There's not much we can do about this, but it's probably a good idea to call this out in the docs.
If we translated addresses from some FZ-controlled domain to real ones, e.g. https://ifconfig.net.dns.firezone to https://ifconfig.net, then the caching would behave correctly... But TLS wouldn't work, and it wouldn't quite be zero-trust if we have to make customers install a root cert.
It looks like some apps on Android are not using the DNS sentinel set by connlib in the BuildVPNService function, and are instead using the DNS servers from the WiFi interface.

Apps that work fine:

Apps that don't:

(The per-app table, which recorded whether each app used the sentinel 100.100.111.1, did not survive extraction.)

Some things to note:
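When triaging a report like this, the first thing to establish is which network's LinkProperties actually carries the sentinel, and whether a given query's destination corresponds to the tun interface or to the WiFi resolver. The following is an added example, not Firezone's or connlib's code: it parses the LinkProperties fragments printed by `adb shell dumpsys connectivity` and classifies a DNS query destination as "sentinel", a leak via a named interface, or unknown. The dumpsys text embedded below is constructed for the example (the interface names, addresses and the exact LinkProperties layout are assumptions), so run it against real output from the device before trusting the field layout.

```python
import re
from typing import Dict, List

# Sentinel DNS address named in the issue.
SENTINEL = "100.100.111.1"

# Constructed sample of `adb shell dumpsys connectivity` output (assumption: the
# real dump is much longer and the LinkProperties line format may differ by
# Android version; only the InterfaceName/DnsAddresses fields are used here).
SAMPLE_DUMPSYS = """
NetworkAgentInfo{ network{100} ni{[type: WIFI[], state: CONNECTED/CONNECTED]}
  LinkProperties{ InterfaceName: wlan0 LinkAddresses: [ 192.168.1.23/24 ] DnsAddresses: [ /192.168.1.1,/fd00::1 ] Domains: null MTU: 0 Routes: [ 0.0.0.0/0 -> 192.168.1.1 wlan0 ] }
NetworkAgentInfo{ network{101} ni{[type: VPN[], state: CONNECTED/CONNECTED]}
  LinkProperties{ InterfaceName: tun0 LinkAddresses: [ 100.64.0.5/32 ] DnsAddresses: [ /100.100.111.1 ] Domains: null MTU: 1280 Routes: [ 100.100.111.1/32 -> 0.0.0.0 tun0 ] }
"""

# One LinkProperties block: capture the interface name and the raw DnsAddresses list.
LINK_PROPERTIES_RE = re.compile(
    r"LinkProperties\{\s*InterfaceName:\s*(\S+).*?DnsAddresses:\s*\[(.*?)\]",
    re.S,
)


def dns_by_interface(dump: str) -> Dict[str, List[str]]:
    """Map each interface in the dump to the DNS servers its network advertises.

    Android prints InetAddress values with a leading slash ("/192.168.1.1"),
    which is stripped here.
    """
    result: Dict[str, List[str]] = {}
    for match in LINK_PROPERTIES_RE.finditer(dump):
        iface = match.group(1)
        raw = match.group(2)
        addrs = [a.strip().lstrip("/") for a in raw.split(",") if a.strip()]
        result[iface] = addrs
    return result


def classify_dns_destination(dst_ip: str, dns_map: Dict[str, List[str]],
                             sentinel: str = SENTINEL) -> str:
    """Classify where an observed DNS query went.

    Returns "sentinel" if it hit the VPN sentinel, "leak:<iface>" if it hit a
    resolver advertised by some other interface (the symptom in this issue),
    and "unknown" otherwise.
    """
    if dst_ip == sentinel:
        return "sentinel"
    for iface, addrs in dns_map.items():
        if dst_ip in addrs:
            return f"leak:{iface}"
    return "unknown"


def interfaces_advertising(dns_map: Dict[str, List[str]],
                           address: str = SENTINEL) -> List[str]:
    """Interfaces whose DnsAddresses include the given resolver address."""
    return sorted(iface for iface, addrs in dns_map.items() if address in addrs)


if __name__ == "__main__":
    dns_map = dns_by_interface(SAMPLE_DUMPSYS)
    for iface, addrs in dns_map.items():
        print(f"{iface}: {', '.join(addrs)}")
    print("sentinel advertised on:", interfaces_advertising(dns_map))
    # Destinations observed for an app's queries (constructed for the example).
    for dst in ("100.100.111.1", "192.168.1.1", "8.8.8.8"):
        print(dst, "->", classify_dns_destination(dst, dns_map))
```

In practice the destination addresses come from a packet capture on the device (or from the app's own resolver logs, as with AndroDNS); a result of "leak:wlan0" for an app while "sentinel" appears for others is exactly the split the issue describes.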