google / vpn-libraries

The VPN client libraries provide a reference implementation for a secure, encrypted tunnel for connected devices. Full Public report: https://research.nccgroup.com/2021/04/08/public-report-vpn-by-google-one-technical-security-privacy-assessment/
http://goo.gle/vpn-whitepaper
Apache License 2.0

[BUG] Google VPN BREAKING Windows 11 DNS assignment settings. #36

Closed Mr-McMuffin closed 1 week ago

Mr-McMuffin commented 7 months ago

This VPN BREAKS DNS functionality in Windows 11; it locks the system DNS to Google DNS servers under the network settings.

1) Settings -> Network & Internet -> Ethernet. Leave this open, and set it to Automatic (DHCP).
2) Connect to Google VPN; it will change your DNS setting to manual Google DNS servers.
3) Disconnect, and keep an eye on the settings window we left open: it will stay stuck on the Google DNS settings, not automatic DHCP, breaking ANY DNS functionality of your computer.

Even after a restart, closing the Google VPN app, or disconnecting, the DNS settings are stuck on a manual assignment. This is unacceptable. In order to use the Google One VPN, one needs to manually go into network settings and toggle the auto assignment back on.

This is a serious issue; it happens on all Windows 11 computers I've tested. MAJOR ISSUE. Please address when an ETA to fix this will be done.

Why is this a huge issue? If you use TLS or encrypted DNS, the Google 8.8.8.8 will break this configuration. I use encrypted DNS with ECH; with Google none of this is available, putting my security at risk when the VPN is off. If you have custom DNS for work, firewalls, or family safety/filtering, again the VPN will break it. This was causing a huge headache for me, but I discovered the Google VPN has a huge bug with not resetting DNS back into the state it was in before turning on.

Best solution is to go into network settings on Windows 11 and set it back to what you used on the IPv4/v6 previously. Note this doesn't happen on Mac, only Windows.

Mr-McMuffin commented 7 months ago

@googlebot @smhendrickson

Mr-McMuffin commented 7 months ago

@anefabo

Mr-McMuffin commented 6 months ago

@google-admin @google-ospo-team @googlebot @anefabo @smhendrickson Please let us know when a fix is assigned for this.

ceedveed commented 6 months ago

Confirm same issue. Windows 11 22H2

beez34 commented 5 months ago

@joetimmy @ceedveed I honestly don't understand why a VPN client that isn't supposed to be logging anything according to their documentation has a few functions (AddDnsServersToInterface and AddDnsToAllInterfaces) to purposely alter your DNS to their public-use entries, which the public DNS documentation says is kept for 1-2 days and can still be retrieved by government entities (which infers logging beyond the time stated to correlate your IP and requests to identify you).

The documentation directly contradicts itself, and this is an unnecessary change to our systems by Google that needs to be reported higher than a bug on GitHub. Google doesn't get to double-dip here and also hijack all of our DNS requests. This is especially annoying since I use DNS over HTTPS from another company so I can use special curated lists to filter/block traffic for all of my devices, which this bypasses until reset. I also assume this "bug" will not be actioned because this is purposely coded to behave this way: the functions are labeled "Add"; there is no "remove" or "reset" function I've found. Best case, they remove those two functions entirely.

That said, until this is addressed, I've set a simple PowerShell script that runs this on startup:

`Get-DnsClientServerAddress | Set-DnsClientServerAddress -ResetServerAddresses`

Run it elevated as a delayed scheduled task so that when Windows starts and Google One VPN starts, it has a minute and then runs the command to reset your network IPv4 and IPv6 adapters to default. Because make no mistake, every single interface alias is altered by Google here.

Validation51 commented 5 months ago

Hi. Also seeing this with Win 10 Pro 22H2.

Mr-McMuffin commented 5 months ago

google is ignoring this issue and will not address this massive security problem.

@google-admin @google-ospo-team @googlebot @anefabo @smhendrickson

Please address this.

Mr-McMuffin commented 5 months ago

This needs to be escalated, someone please forward this to some google developers who can escalate the problem.

ryanzimbauer commented 5 months ago

I experienced this and found this issue thread. Not sure how to escalate this but sounds like something I'd read on a news article tbh like this seems serious

MeesJ commented 5 months ago

Same story on Windows 10

ryanl commented 5 months ago

Hey folks, thank you for reporting this behaviour.

To protect users privacy, the Google One VPN deliberately sets DNS to use Google's DNS servers. This prevents a nefarious DNS server (that might be set by DHCP) compromising your privacy. Visit https://developers.google.com/speed/public-dns/privacy to learn about the limited logging performed by Google DNS.

We think this is a good default for most users. However, we do recognize that some users might want to have their own DNS, or have the DNS revert when VPN disconnects. We'll consider adding this to a future release of the app.

ryanzimbauer commented 5 months ago

@ryanl Thank you for your response, but the way in which this is done seems contrary to the purported goal of user privacy.

This makes sense to do while Google One is active, but this program has absolutely no business changing all present NICs to a separate DNS on the startup of my computer while the program is not set to "Launch app after computer starts". This recent change interfered with my computer's ability to access a network implementing a private DNS filter. This has broken my trust and I will not be reinstalling this program until this is remedied

EnormousSnail commented 5 months ago

I uninstalled Google VPN, reverted the network adapter to use the router provided DNS server.... it still refused to use anything other than 8.8.8.8. I finally figured out that, despite my network adapter being configured to "Obtain DNS server addresses automatically", I still had to go into advanced settings and remove 8.8.8.8 in the DNS tab and finally restart the network adapter to get my computer to use my local unbound DNS server.

This is unacceptable and has absolutely nothing to do with security and everything to do with data harvesting by Google.

If I uninstall Google VPN, this behavior should be reverted to the behavior prior to installing google VPN. In my opinion, google conveniently leaving 8.8.8.8 behind in a place that would be difficult for the normal user to find puts this firmly into the "malware for the purposes of data harvesting" category.

Validation51 commented 5 months ago

> I uninstalled Google VPN, reverted the network adapter to use the router provided DNS server.... it still refused to use anything other than 8.8.8.8...

On Win 10 I did a 'Network Reset' and remade my connections and that worked. Looked to me like the Google changes applied to every connection!!

MarioLiebisch commented 4 months ago

> We think this is a good default for most users.

I get the idea, but this should be configurable. Also keep in mind this will break local domain names usually resolved by the router, like the router's configuration page.

Silently breaking this will keep less tech savvy users stranded with no more access to their router settings, potentially even making them believe they've been hacked or their hardware is broken.

In addition, this still leaves the possibility of a malicious party rerouting traffic destined for Google DNS, essentially mitigating the whole idea.

chessmck commented 4 months ago

This is crazy for Google to determine who my DNS provider is. I lost all my nextDNS filtering and had to manually recover every NIC connection. Win 10 here. While it may be one thing to switch to Google during the VPN session - making manual DNS settings on my computer is not appreciated.

samitunisia commented 4 months ago

> @joetimmy @ceedveed I honestly don't understand why a VPN client that isn't supposed to be logging anything according to their documentation has a few functions (AddDnsServersToInterface and AddDnsToAllInterfaces) to purposely alter your DNS to their public-use entries, which the public DNS documentation says is kept for 1-2 days and can still be retrieved by government entities (which infers logging beyond the time stated to correlate your IP and requests to identify you).
>
> The documentation directly contradicts itself, and this is an unnecessary change to our systems by Google that needs to be reported higher than a bug on GitHub. Google doesn't get to double-dip here and also hijack all of our DNS requests. This is especially annoying since I use DNS over HTTPS from another company so I can use special curated lists to filter/block traffic for all of my devices, which this bypasses until reset. I also assume this "bug" will not be actioned because this is purposely coded to behave this way: the functions are labeled "Add"; there is no "remove" or "reset" function I've found. Best case, they remove those two functions entirely.
>
> That said, until this is addressed, I've set a simple PowerShell script that runs this on startup: `Get-DnsClientServerAddress | Set-DnsClientServerAddress -ResetServerAddresses` Run it elevated as a delayed scheduled task so that when Windows starts and Google One VPN starts, it has a minute and then runs the command to reset your network IPv4 and IPv6 adapters to default. Because make no mistake, every single interface alias is altered by Google here.

Hello,

I have to take an online test for a management certification. Onevue, the compatibility system of the online test, fails every time; after some research I understood that it was due to Google VPN, which changed the DNS. Even uninstalling Google VPN and manually setting new DNS addresses doesn't fix the problem. I've seen that there might be a solution with a PowerShell script and the suggested script. I have to tell you that I am neither a programmer nor an advanced user. Can you explain step by step and in detail how to activate the PowerShell script and save it as a .ps1 or .ps1xml file, and what options to activate in the Task Scheduler so that the task runs at each startup? I'm sorry, but as I said, I'm not a programmer and I don't know anything about PowerShell scripting or using the Task Scheduler. I hope this will fix the problem; I've been working on it for 3 weeks and I haven't managed to fix it yet.

MarioLiebisch commented 4 months ago

@samitunisia Double check you've properly edited/reset the DNS for both IPv4 as well as IPv6.

Also you can use the quoted PowerShell "script" on the command line. Just run "PowerShell" (or "Windows PowerShell"; it doesn't matter) and then insert the command as quoted like a regular shell command. No need to create a script here.
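Assembled from the reset one-liner beez34 posted and MarioLiebisch's point that it can simply be typed into an elevated PowerShell, here is an added, self-contained script (not code from the vpn-libraries project or from any commenter) that a Windows administrator could use to deal with the symptom the thread describes. Run without switches it only audits: it lists every interface as the DNS client sees it and the per-interface `NameServer` registry entries, flagging Google Public DNS addresses; with `-Fix` it snapshots the current settings, then resets all adapters to DHCP-supplied DNS and flushes the resolver cache; with `-RegisterTask` it registers the delayed at-startup task beez34 recommended. The `-Fix`/`-RegisterTask` switches, the task name `Reset-DnsAfterVpn`, the snapshot path under ProgramData and the IPv6 registry path mirroring the well-known IPv4 one are this example's assumptions; 8.8.8.8 is the address reported in the thread, the other three are Google Public DNS's published addresses.

```powershell
# Added example (not from the vpn-libraries project or any commenter). Audit every
# interface for Google Public DNS resolvers that were left behind, optionally reset
# the adapters to DHCP-assigned DNS, and optionally register a delayed start-up task.
# Run from an elevated PowerShell session. Save as Reset-DnsAfterVpn.ps1 (assumed name).
[CmdletBinding()]
param(
    [switch]$Fix,                               # apply Set-DnsClientServerAddress -ResetServerAddresses
    [switch]$RegisterTask,                      # register a delayed at-startup task that runs this script with -Fix
    [string]$TaskName = 'Reset-DnsAfterVpn'     # assumed task name
)

# 8.8.8.8 is what the thread reports; the others are Google Public DNS's published addresses.
$googleResolvers = @('8.8.8.8', '8.8.4.4', '2001:4860:4860::8888', '2001:4860:4860::8844')

function Get-DnsAudit {
    # Live view as the DNS client sees it: one row per interface and address family.
    Get-DnsClientServerAddress | ForEach-Object {
        $hits = @($_.ServerAddresses | Where-Object { $googleResolvers -contains $_ })
        [pscustomobject]@{
            Interface      = $_.InterfaceAlias
            InterfaceIndex = $_.InterfaceIndex
            Family         = $_.AddressFamily        # IPv4 or IPv6
            Servers        = ($_.ServerAddresses -join ', ')
            GoogleFound    = ($hits.Count -gt 0)
        }
    }
}

function Get-RegistryNameServerAudit {
    # Static resolver lists are persisted per interface GUID. 'NameServer' holds a manual
    # list; DHCP-learned servers live in 'DhcpNameServer' instead. A non-empty NameServer on
    # an adapter the user believes is "automatic" is the symptom commenters describe.
    # The Tcpip path is the well-known IPv4 location; Tcpip6 is assumed to mirror it.
    foreach ($stack in 'Tcpip', 'Tcpip6') {
        $base = "HKLM:\SYSTEM\CurrentControlSet\Services\$stack\Parameters\Interfaces"
        Get-ChildItem $base -ErrorAction SilentlyContinue | ForEach-Object {
            $ns = (Get-ItemProperty $_.PSPath -Name NameServer -ErrorAction SilentlyContinue).NameServer
            if ($ns) {
                [pscustomobject]@{
                    Stack       = $stack
                    InterfaceId = $_.PSChildName
                    NameServer  = $ns
                    GoogleFound = [bool]($googleResolvers | Where-Object { $ns -like "*$_*" })
                }
            }
        }
    }
}

function Reset-DnsToDhcp {
    # Snapshot first so the change can be reviewed or restored, then clear every manually
    # set list; adapters go back to whatever DHCP / router advertisements supply.
    $snapshot = Join-Path $env:ProgramData 'dns-before-reset.xml'   # assumed path
    Get-DnsClientServerAddress | Export-Clixml -Path $snapshot
    Get-DnsClientServerAddress | Set-DnsClientServerAddress -ResetServerAddresses
    Clear-DnsClientCache                                            # drop answers cached from the old resolver
    return $snapshot
}

function Register-ResetTask {
    param([string]$ScriptPath)
    # Runs this script with -Fix as SYSTEM, one minute after boot, so it lands after the VPN
    # client has started (the delay beez34 suggested).
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" -Fix"
    $trigger   = New-ScheduledTaskTrigger -AtStartup
    $trigger.Delay = 'PT1M'                                         # ISO 8601 duration: one minute
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force
}

Write-Host '== DNS client view (GoogleFound = True means a Google resolver is configured) =='
Get-DnsAudit | Format-Table -AutoSize
Write-Host '== Persisted NameServer registry entries =='
Get-RegistryNameServerAudit | Format-Table -AutoSize

if ($Fix) {
    $saved = Reset-DnsToDhcp
    Write-Host "Adapters reset to DHCP DNS; previous settings saved to $saved"
    # Anything still flagged here was not cleared by the reset and needs the advanced
    # DNS tab / registry cleanup other commenters describe.
    Get-DnsAudit | Where-Object GoogleFound | Format-Table -AutoSize
}
if ($RegisterTask) { Register-ResetTask -ScriptPath $PSCommandPath }
```

Run `.\Reset-DnsAfterVpn.ps1` from an elevated prompt to audit first; re-run with `-Fix` to reset, and once with `-RegisterTask` to install the start-up task. Checking the registry view as well as the DNS client view matters because the thread reports 8.8.8.8 reappearing on adapters that the Settings page shows as automatic.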

chessmck commented 4 months ago

@ryanl

> Hey folks, thank you for reporting this behaviour.
>
> To protect users privacy, the Google One VPN deliberately sets DNS to use Google's DNS servers. This prevents a nefarious DNS server (that might be set by DHCP) compromising your privacy. Visit https://developers.google.com/speed/public-dns/privacy to learn about the limited logging performed by Google DNS.
>
> We think this is a good default for most users. However, we do recognize that some users might want to have their own DNS, or have the DNS revert when VPN disconnects. We'll consider adding this to a future release of the app.

Just look how VyprVPN does it. Changes for the session and on exit replaces, as was, before starting the VPN. This way I revert to my local DNS servers and internal work URLs are not broken.

When fixed - Please notify back here in this thread so I'll know I can install Google VPN again.

tochichiang commented 4 months ago

New victim here! My primary DNS server is always set to 8.8.8.8, which prevents Windows domain functions in my company. Disconnecting VPN, uninstalling, rebooting, DHCP, static IP: none of them work. This is a program WITH A MAJOR FLAW.

Have to do direct registry editing to remove 8.8.8.8 and restore Windows domain functions.

chessmck commented 4 months ago

@tochichiang

> Have to do direct registry editing to remove 8.8.8.8 and restore Windows domain functions.

You should be able to find in the Network properties and in both the IPv4 and IPv6 advance sections (the DNS tab) where they are listed and remove - maybe easier than editing registry..

tochichiang commented 4 months ago

> @tochichiang
>
> > Have to do direct registry editing to remove 8.8.8.8 and restore Windows domain functions.
>
> You should be able to find in the Network properties and in both the IPv4 and IPv6 advance sections (the DNS tab) where they are listed and remove - maybe easier than editing registry..

I tried that and it didn't work. Whatever I assign there, 8.8.8.8 is always inserted on top of them.

Validation51 commented 4 months ago

> I tried that and it didn't work. Whatever I assign there, 8.8.8.8 is always inserted on top of them.

I just went to Network & Internet settings and did a Network reset and then set up the connection(s) again.

haxorlord commented 4 months ago

created an account just to comment. THANK YOU FOR SOLVING THIS. been looking forever for a solution. GOOGLE VPN messed up my PC settings -_-

jintaoxu1204 commented 3 months ago

It sucks, still not solved :( Google, please spend your time optimising products instead of advertising!

dbagley1 commented 3 months ago

This needs to be a priority. Changing the user's DNS servers without notice and not undoing the change after the VPN is disabled is a major security concern in what is advertised as a security product.

Mr-McMuffin commented 3 months ago

@ryanl do you have an update on this for us, many including myself are waiting for some update on progress with this. The issue has been open since Nov 2023.

MarioLiebisch commented 3 months ago

So I just noticed "VPN by Google One" in my Start Menu as "Recently installed", i.e. updated. I haven't used it for weeks (it doesn't start with Windows).

I check my IPv4 connection settings and it only lists "192.168.2.100" (my Pi-Hole) – great!

But just to be sure I look at the current connection's details and it lists "192.168.2.100, 8.8.8.8" as nameservers… WTF? Had to manually wipe "8.8.8.8" from the Windows registry to make it go away…

And just yesterday I was wondering why I'm suddenly getting YouTube ads on videos embedded in Discord (I am a Premium subscriber, but can't log in within Discord, obviously).

polarspark commented 3 months ago

I understand why with a VPN Google would want to make sure you are switching over to DNSSEC, especially when you are probably not wanting your local ISP to be the DNS provider, which is the easier vector to snoop on your traffic. And anyone on here would likely know how to set up a local DNS provider that would use DNSSEC, but your average user isn't going to know how to do that. Also your average user is going to be pretty stuck on figuring out how a local network resource might have vanished from their network when they turn their VPN off. Especially if the local DNS is being coordinated through their gateway rather than using a broadcast service. Google, do better.

Here is how:

  1. By default change the DNS over to the VPN (and you better be using DNSSEC) makes sense for an average user, but give us the ability to override it in the setting if we don't want our DNS changed.
  2. You should change it back to the user's previous settings either default or the previous manual settings.

hsaito commented 3 months ago

This DNS reset issue poses significant challenges even for "average" users who might not typically adjust these settings. Specifically, it disrupts the functionality of some captive portals, rendering them unable to load their login pages. This problem was notably encountered with the WiFi at a Hyatt hotel. Despite my decent proficiency, it took me a considerable amount of time to identify the source of the issue. Users lacking knowledge of network settings will find themselves at a loss, unsure of how to proceed. Moreover, the likelihood that technical support, if available, could diagnose such issues remotely is slim. Consequently, this issue could significantly undermine the value of the Google One VPN, especially for those with less technical expertise.

EnormousSnail commented 3 months ago

I think its safe to assume at this point that google does.not.care.at.all. The amount of complaints here pales in comparison to the amount of money they are making by changing DNS servers to theirs and not changing it back (and harvesting their precious data as a result). Unless this comment chain blows up, this makes it to mainstream media, or Google VPN ends up on malware lists... this will not change. In other words, the benefits far outweigh the costs for google.

If you are posting here about this issue, then this product is not for you, it was never intended for you, and if you don't like it you can either shut up and take it, or go elsewhere. This product is for people who don't even know what a "DNS server" is. This "mistake" or "bug" is a business decision, plain and simple. Google does not care about you and never did.

Mr-McMuffin commented 3 months ago

Submit it to new articles and DM all the google devs here until they fix this issue.

It's unacceptable that Google still hasn't fixed this issue since it was first posted about almost 5 months ago. Everyone in here can do their part making noise about this issue; the louder we are, the more likely it will be fixed.

Go into all the google dev githubs and refer to this thread getting patched.

SplatManDK commented 3 months ago

Dear [ryanl], and any other Googler reading here.

That was a really really bad answer. Honestly. It tries to explain away shoddy behaviour in the software, but (perhaps deliberately) ignores obvious problems with the "solution".

1.) This software has NO BUSINESS messing with the DNS settings of network adapters that are not part of the VPN client. Even if you insist on changing the DNS settings for the VPN connection, you should obviously ONLY change the DNS settings for the virtual adapter used by the VPN itself. There is no valid technical reason for altering the configuration of adapters that are totally unrelated to your software. If you claim this is "as designed" then it's an extremely poor design, and you should take responsibility for that. You might be better off describing this as a bug, to maintain at least some level of credibility going forward.

2.) Permanently changing DNS entries, even when users are not using the VPN service, is completely unacceptable. There are a million different reasons in the world for having some specialized configuration - and that is exactly why they're "configurations". It is highly inappropriate to take ownership of this configuration, for scenarios and use cases that are totally unrelated to your product. As with the former point, claiming that this is "as designed" is just embarrassing. You are effectively breaking local DNS lookups permanently with this behaviour. You can't claim that nobody needs local DNS, or that using local DNS is somehow an "exotic edge case". Most local networks use DNS for lots of things. Even private networks. Almost every corporate network does, for domain/security services.

3.) Silently reverting configuration changes, after a user has changed them to whatever they believe is the most appropriate for them, is about the worst practice you can EVER make in any platform or operating system. I realize this practice may be what you are used to on Android or on Chromebooks, but those devices don't generally provide users with access to this level of configuration. However, Windows, Linux and OSX absolutely do. If you truly want to do this kind of thing, your software should detect the discrepancy in configuration and then ASK users what they want. Your silent-overwrite policy is massively violating established best practice. It's made worse by the fact that you do this for ALL network adapters, not just the virtual adapter utilized by the VPN software. It's truly a "WTAF moment".

4.) Not reverting users to their original configuration when the software is uninstalled is bad practice and absolutely not expected behaviour. When a user decides - for whatever reason - that your software is not a good match for their use cases, they have a reasonable expectation that everything should revert back to the original state. That doesn't happen. Your software does not clean up its own mess when uninstalled, but leaves artifacts and improper configuration behind. It's lazy and inexcusable. I strongly suspect that an Android app with similar behaviour would get booted from the Play Store.

There are other issues, such as some users having difficulties regaining control of their configuration even after the software has been uninstalled. These should obviously also be investigated. But at least those can be registered as proper bugs ... for the uninstaller.

rpresser commented 3 months ago

It's a VPN product, not a "all your DNS is belong to us" product. You have severely dropped the ball here, Google. From time to time I have toyed with the idea of exploring your VPN product, but now that I've read this, it's a hard no, forever.

rpresser commented 3 months ago

> We'll consider adding this to a future release of the app.

I think you better do more than "consider" it. As many here have extensively laid out, your actions on this product make you look like the data-greedy insensitive a-hole that everyone believes Google to be anyway these days.

compuguy commented 3 months ago

> Submit it to new articles and DM all the google devs here until they fix this issue.
>
> It's unacceptable that Google still hasn't fixed this issue since it was first posted about almost 5 months ago. Everyone in here can do their part making noise about this issue; the louder we are, the more likely it will be fixed.
>
> Go into all the google dev githubs and refer to this thread getting patched.

Ars Technica has posted an article on this: https://arstechnica.com/gadgets/2024/04/users-say-googles-vpn-app-breaks-the-windows-dns-settings/

varadero commented 3 months ago

It looks like such kind of behavior is not only unprofessional but intentionally criminal. I am sending a signal to European institutions to start investigation against Google in EU for this blatant theft of communication metadata. I advise others to do the same.

buhtz commented 3 months ago

> To protect users privacy, the Google One VPN deliberately sets DNS to use Google's DNS servers.

How absurd and cheeky it is to equate the terms privacy and Google. The terms contradict each other. Do you seriously believe in what you have written there?

buhtz commented 3 months ago

> Google please spend your time optimising products instead of advertising!

Google's "product" is not their software but their "users".

pschneider1968 commented 3 months ago

Unless Google changes this behaviour and respects my DNS settings, Google One VPN has to be regarded as spyware, intentionally snooping on and gathering DNS traffic.

This is just one additional point of evidence that Google cannot be trusted.

joramk commented 3 months ago

> We think this is a good default for most users.

Can you please clarify, is this an official statement from Google or is it just your own opinion?

SplatManDK commented 2 months ago

> On Windows, Google One VPN changes the DNS even for the Bluetooth adapter. That's ridiculous. On macOS, Google One VPN ignores the DNS I set up for the system.
>
>   • VPN is one service, and DNS is another service.
>   • Google One VPN service must not impose the DNS service used on my system.
>
> I have a paid DNS service, and I want to use it. We have to look into this issue as if it is illegal to do that. Google cannot deny access to a DNS service. This may be a case for a lawsuit.

You're right that changing DNS even for the BT adapter is bonkers.

Lawsuit? Not so much. That requires malicious intent. By the look of things here, that's not the case. It looks more like a case of an inexperienced product owner leading a team of inexperienced developers. Or, in simpler terms: this is just a sloppy product that got shipped too fast with little-to-no quality assurance. That means Google is only liable for direct damages - which is a liability they have already addressed (read: denied) in the TOS.

No lawsuit.

groumfi commented 2 months ago

Another issue is that it prevents name resolution over the LAN. As my ADSL box (192.168.1.1) is set up as DHCP & DNS server, it is able to resolve LAN hostnames (e.g. pcserveur.home, myhpprinter.home, etc.). Once Google VPN has run once, this is no longer possible unless I revert the DNS of all adapters back to "Auto". This is really a bug, not a security feature.

pschneider1968 commented 2 months ago

> > On Windows, Google One VPN changes the DNS even for the Bluetooth adapter. That's ridiculous. On macOS, Google One VPN ignores the DNS I set up for the system.
> >
> >   • VPN is one service, and DNS is another service.
> >   • Google One VPN service must not impose the DNS service used on my system.
> >
> > I have a paid DNS service, and I want to use it. We have to look into this issue as if it is illegal to do that. Google cannot deny access to a DNS service. This may be a case for a lawsuit.
>
> You're right that changing DNS even for the BT adapter is bonkers.
>
> Lawsuit? Not so much. That requires malicious intent. By the look of things here, that's not the case. It looks more like a case of an inexperienced product owner leading a team of inexperienced developers. Or, in simpler terms: this is just a sloppy product that got shipped too fast with little-to-no quality assurance. That means Google is only liable for direct damages - which is a liability they have already addressed (read: denied) in the TOS.
>
> No lawsuit.

They have been made aware of this illicit behaviour of their product, HERE, and they are not fixing it. So it is clearly intentional, which to my belief it already was in the first place.

macjoel1991 commented 2 months ago

Don't know if anyone else noticed yet, but there is also an issue logging into a lot of wifis in public places that have a page where you have to agree to a policy first. It won't launch the page at all until you disconnect from the VPN. Seems to be in places that run UniFi mostly. OpenWrt-based seems mostly unaffected, but that's pretty rare these days.

EmmaKnijn commented 2 months ago

Can confirm this is happening on my end. It even breaks the entire networking stack for me when connecting because my network doesn't allow changing DNS addresses. Which also breaks Google VPN along with the rest of the networking when the VPN is off.

DenyDarko commented 2 months ago

Guys you really think that's a bug and not a carefully considered decision? There's a good reason this service is almost free.

99,9% of the users won't even notice (it's for their own good after all) and Google will analyse the queries in the meantime 😁

The best this can go is an implementation of a buried setting that'll allow customising the resolvers 😅

myfuturedream commented 2 months ago

> Guys you really think that's a bug and not a carefully considered decision? There's a good reason this service is almost free.
>
> 99,9% of the users won't even notice (it's for their own good after all) and Google will analyse the queries in the meantime 😁
>
> The best this can go is an implementation of a buried setting that'll allow customising the resolvers 😅

Agree with that!

MstWntd commented 2 months ago

OK, so at first I was furious at one vpn.. but I have come to realise that I just didn't know enough..

as it turns out many if not all major/serious vpn providers roll out their own dns with their vpn service (I googled this so take it for its worth)

the way that this is countered is by routing all traffic on your router to port 53 on tcp and udp to your dns.. and adding a rule to exclude your dns from this.. job done..

I don't like the subtlety with which it was done, it caused me a headache and wasted my time, but now I know better..

EnormousSnail commented 2 months ago

> OK, so at first I was furious at one vpn.. but I have come to realise that I just didn't know enough..
>
> as it turns out many if not all major/serious vpn providers roll out their own dns with their vpn service (I googled this so take it for its worth)
>
> the way that this is countered is by routing all traffic on your router to port 53 on tcp and udp to your dns.. and adding a rule to exclude your dns from this.. job done..
>
> I don't like the subtlety with which it was done, it caused me a headache and wasted my time, but now I know better..

The problem isn't google routing DNS queries to their DNS servers, I would actually expect this for a commercial VPN product like this. The problem is that the behavior is not reverted when turning the VPN off or uninstalling the software. User defined DNS settings (even if they are the default ISP DNS servers) should only be altered when the tunnel is active.

Google leaves their DNS settings there after turning the tunnel off or uninstalling the software, and to add to the steaming pile, they bury it in the settings so that it would be difficult for an average user to reverse it. If you don't undo what google has done in just the right way, it will revert back to Google's DNS servers after you think you have removed all this nonsense.

Then, they turn around and claim it's for "your privacy". Hey Google? If this is really for our privacy, why aren't you forwarding requests directly to authoritative DNS servers with unbound (and only when the tunnel is active)? That would save you the overhead of handling requests by kicking the can down the road to unbound and the authoritative DNS servers for the query .... oh yeah, that's right, this has nothing to do with the users' "privacy", and has everything to do with Google collecting your data.

I would be willing to wager that this little "mistake" or "privacy feature" or whatever you want to call it is likely the only reason this product even exists in the first place. Without the financial incentive of vacuuming in all these DNS queries for the lifetime of the computer for most of the "victims", this product would have never seen the light of day.