julian-klode / dns66

DNS-based Host Blocker (and lightweight ad blocker) for Android
https://jak-linux.org/projects/dns66/
GNU General Public License v3.0

Private DNS breaks dns66 #383

Open JessePeden opened 4 years ago

JessePeden commented 4 years ago

@julian-klode As requested, here are 4 logcat outputs showing before and after results of connecting to the VPN and checking for Hosts file updates. As you can see, DNS66 is disallowing all services from accessing DNS VPN, and there are multiple java errors with DNS resolution. This only began after updating to the February 2020 security update (which you mentioned in another ticket, that you don't have on your Android phone yet) as part of upgrading from Android 9 to Android 10 on February 24, 2020 (when T-Mobile released the update for Samsung Galaxy Note 9 carrier-locked devices).

Before Starting DNS66 VPN.txt After starting DNS66 VPN but before checking for Hosts updates.txt After starting DNS66 VPN and checking for Hosts updates.txt After stopping DNS66 VPN and checking for Hosts updates.txt

Edit: I see you commented that you now have the February 2020 update, but that you're not exhibiting any symptoms. I'm curious to know your take on the logcat outputs I posted, then.

julian-klode commented 4 years ago

We received two requests to look up CloudFlare's 1.1.1.1 server, and that's it. Afterwards we don't receive any more requests. Which likely indicates that private DNS is enabled and fails to work with a partial DNS.

julian-klode commented 4 years ago

If I turn on Private DNS, it does not work for me either.

JessePeden commented 4 years ago

If I turn on Private DNS, it does not work for me either.

So, the incompatibility is with Private DNS? I always have Private DNS enabled (except when connected to very specific networks which it causes problems with) and have never had this issue with resolution until the Android 10 and February 2020 patch update/installation. DNS66 has always worked just fine with Private DNS up until February 24th when those updates got installed.

julian-klode commented 4 years ago

Yes, Private DNS needs to be set to "Off", it's completely incompatible with DNS66. DNS66 is not even capable of speaking DoT or DoH to servers, and there's no way to make it work with that setting. It relies on intercepting DNS requests and filtering out those that are denied.

I can only speculate, but perhaps the Private DNS setting did not work on Samsung and got fixed with the update

JessePeden commented 4 years ago

Yes, Private DNS needs to be set to "Off", it's completely incompatible with DNS66. DNS66 is not even capable of speaking DoT or DoH to servers, and there's no way to make it work with that setting. It relies on intercepting DNS requests and filtering out those that are denied.

I can only speculate, but perhaps the Private DNS setting did not work on Samsung and got fixed with the update

Interesting. No, it definitely worked before the update. I did numerous tests of Private DNS when I first started using it, including packet captures proving it wasn't leaking elsewhere. The only time I couldn't use it was with certain networks that have a EULA before allowing WiFi connectivity. Some of those refused to load if I was using Private DNS, so I used Tasker to detect when I was on one of those to set Private DNS to "Automatic", so it would try but at least fail back to non-private DNS if it needed to. I'll try to create a new Tasker task to detect when I'm using DNS66 and to completely disable/enable Private DNS accordingly.

Thank you for finding the troublemaker.

JessePeden commented 4 years ago

No go, with the Tasker task. There is no way to specify which VPN tunnel it should look for - it only supports a basic "Is VPN in use: yes/no" variable. I may have to forfeit using Private DNS, I suppose.

JessePeden commented 4 years ago

I've modified my other Tasker profile and switched it to simply detect whether I'm on VPN or not, and to either enable or disable Private DNS entirely, rather than it being based on which WiFi network I'm on or which VPN app/profile I'm using. This seems to be the only option at the moment.

julian-klode commented 4 years ago

I was wondering if I can refuse to start and print an error if private DNS is enabled. Is there a way for me to check it?

JessePeden commented 4 years ago

In Tasker, the variable it looks for to set/get is aptly named "private_dns_mode" and its values include "off", "opportunistic" (which is named Automatic in the actual settings UI), and "hostname" (which is named "Private DNS provider hostname" in the actual settings UI). So, if you query the value of "private_dns_mode" and verify it's set to Off, that should be all that's needed.

I looked at the Android source code and the full path seems to be "android.provider.settings.global.private_dns_mode"
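The check julian-klode asks about, written out as an added example that is not DNS66's own code. It reads the `private_dns_mode` global setting named above with the public `Settings.Global.getString` API (the key is passed as a plain string because the matching `Settings.Global` constant is not public API), maps the three values JessePeden lists to an enum, and refuses to start unless the mode is "off". Assumptions: the code runs inside an Android component that has a `Context`, and an unset value means the platform default, which is opportunistic on Android 9 and later. The `PrivateDnsCheck` class name and its method names are hypothetical.

```java
// Added example (not part of DNS66): decide, before starting the VPN, whether
// a DNS-intercepting filter can work given the system's Private DNS mode.
import android.content.Context;
import android.content.Intent;
import android.provider.Settings;

public final class PrivateDnsCheck {
    // Key and values as reported in this thread (and used by AOSP's Settings.Global).
    static final String KEY_PRIVATE_DNS_MODE = "private_dns_mode";

    enum Mode { OFF, OPPORTUNISTIC, HOSTNAME, UNKNOWN }

    /** Maps the raw setting value to a mode. An unset value is treated as
     *  OPPORTUNISTIC, which is assumed here to be the platform default. */
    static Mode parse(String raw) {
        if (raw == null || raw.isEmpty()) return Mode.OPPORTUNISTIC;
        switch (raw) {
            case "off":           return Mode.OFF;
            case "opportunistic": return Mode.OPPORTUNISTIC;   // "Automatic" in the UI
            case "hostname":      return Mode.HOSTNAME;        // "Private DNS provider hostname"
            default:              return Mode.UNKNOWN;
        }
    }

    /** Reading a global setting needs no permission. Writing it would need
     *  WRITE_SECURE_SETTINGS, which an unrooted app cannot hold, so the app
     *  can only refuse to start and send the user to Settings. */
    static Mode read(Context ctx) {
        return parse(Settings.Global.getString(ctx.getContentResolver(), KEY_PRIVATE_DNS_MODE));
    }

    /** Returns null when the filter may start, otherwise a user-facing reason.
     *  Only "off" is accepted: in "hostname" mode every query leaves as DNS over
     *  TLS and a port-53 filter never sees it; in "opportunistic" mode that
     *  depends on the upstream resolver, so the outcome is unpredictable. */
    static String startupBlocker(Mode mode) {
        switch (mode) {
            case OFF:
                return null;
            case HOSTNAME:
                return "Private DNS is set to a provider hostname. The system sends "
                     + "queries over TLS to that host, so a plain-DNS filter never "
                     + "sees them. Set Private DNS to Off.";
            case OPPORTUNISTIC:
                return "Private DNS is Automatic. The system may use DNS over TLS "
                     + "and bypass the filter. Set Private DNS to Off.";
            default:
                return "The Private DNS mode could not be determined. "
                     + "Set Private DNS to Off before starting.";
        }
    }

    /** There is no public intent action that jumps straight to the Private DNS
     *  screen, so open the general network settings instead. */
    static Intent openNetworkSettings() {
        return new Intent(Settings.ACTION_WIRELESS_SETTINGS)
                .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
    }
}
```

A caller would run `startupBlocker(read(context))` in the VPN service's start path and show the returned string instead of establishing the tunnel when it is non-null. Treating "opportunistic" as a blocker is the conservative reading of this thread (JessePeden's "verify it's set to Off"); a looser policy could allow it, since later comments note that opportunistic mode falls back to plain DNS.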

doctorbracero commented 4 years ago

DNS66 stopped working as soon as the security update from February 2020 was installed (unrooted and locked LG V40 on TMobile).

Switching "Private DNS" to "off" fixed the issue.

JessePeden commented 4 years ago

It looks to be caused by the patch for CVE-2020-0028 that was applied in the February 2020 update. You can see what that patch did at https://android.googlesource.com/platform/frameworks/base/+/0929eb918071c1e76fd41b677af0973412f8a098

binome74 commented 4 years ago

Switching "Private DNS" to "off" fixed the issue.

I'd quote "fixed" because such a "fix" is actually a security issue, since it prevents users from leveraging DoH/DoT protection.

JiffB commented 4 years ago

The same here, on a Huawei Y6 2019 (MRD-LX1) with Android 9 (Pie) unrooted. Thanks to @doctorbracero for the trick that allows DNS66 to run on 3 paws.

I noticed it when DNS66 said it couldn't load updated hosts files because there was no name resolution; switching it off allowed these updates.

The only way I'm able to resolve names is to switch the android Private DNS to OFF or AUTO, which is a security risk as, IIRC, no VPN service can be effective when the display's off :(

zenczykowski commented 4 years ago

My understanding is that dns66 provides a VPN with DNS servers (possibly grabbed from underlying network) a.b.c.d and e.f.g.h along with routes a.b.c.d/32 and e.f.g.h/32. So that all traffic to the DNS servers goes through the VPN and can be intercepted by the app.

Wouldn't simply blocking tcp/udp traffic to a.b.c.d:853 a.b.c.d:443 e.f.g.h:853 and e.f.g.h:443 fix this??? (repeat for ipv6)
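The tunnel layout described in the comment above, as an added example built on the public `VpnService.Builder` API; this is not DNS66's own code. It installs one host route (/32 or /128) per upstream resolver and nothing else, so only traffic addressed to those resolvers enters the tunnel, and it classifies what arrives there: plain DNS on UDP/53 can be parsed and filtered, while DNS over TLS (TCP/853) or DoH (TCP/443) to the same addresses lands in the tunnel but cannot be inspected and simply goes unanswered, which is the failure this issue describes. The tunnel addresses, the `DnsFilterVpn` class name and its method names are constructed for the example; a real app takes the resolver list from the active network.

```java
// Added example (not DNS66's own code): a DNS-only tunnel plus the packet
// triage that decides what can actually be filtered once traffic arrives.
import android.net.VpnService;
import android.os.ParcelFileDescriptor;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.util.List;

public class DnsFilterVpn extends VpnService {

    enum Disposition { FILTER_DNS, DROP_ENCRYPTED_DNS, DROP_OTHER }

    /** Captures only traffic addressed to the upstream resolvers: one host
     *  route per resolver, so ordinary app traffic stays on the physical
     *  network and never transits the tunnel. */
    ParcelFileDescriptor establishDnsOnlyTunnel(List<InetAddress> upstreamDns) {
        Builder b = new Builder()
                .setSession("dns-filter-example")
                .setBlocking(true);            // blocking reads from the tun fd

        // The tunnel needs an address of its own; it never appears on the wire.
        b.addAddress("192.0.2.1", 32);         // constructed, RFC 5737 test range
        b.addAddress("fd00:2::1", 128);        // constructed ULA

        for (InetAddress dns : upstreamDns) {
            int hostPrefix = (dns instanceof Inet6Address) ? 128 : 32;
            b.addDnsServer(dns);               // the resolver apps are told to use
            b.addRoute(dns, hostPrefix);       // ...and the only route into the tunnel
        }
        return b.establish();                  // null if the user revoked VPN consent
    }

    /** Triage for a raw IPv4 packet read from the tunnel. Only UDP/53 is
     *  something a hosts-file filter can parse and answer or forward. TCP/853
     *  (DoT) and TCP/443 (DoH) to the same resolver are opaque TLS: they are
     *  neither answered nor forwarded here, so with Private DNS in hostname
     *  mode the device ends up with no working resolution at all. */
    static Disposition classifyIpv4(byte[] pkt) {
        if (pkt.length < 20 || ((pkt[0] & 0xff) >> 4) != 4) return Disposition.DROP_OTHER;
        int ihl = (pkt[0] & 0x0f) * 4;          // header length in bytes
        int proto = pkt[9] & 0xff;              // 6 = TCP, 17 = UDP
        if (pkt.length < ihl + 4) return Disposition.DROP_OTHER;
        int dstPort = ((pkt[ihl + 2] & 0xff) << 8) | (pkt[ihl + 3] & 0xff);
        if (proto == 17 && dstPort == 53) return Disposition.FILTER_DNS;
        if (proto == 6 && (dstPort == 853 || dstPort == 443)) return Disposition.DROP_ENCRYPTED_DNS;
        return Disposition.DROP_OTHER;
    }
}
```

The read loop on the `ParcelFileDescriptor` would call `classifyIpv4` on each packet and hand only `FILTER_DNS` packets to the hosts-file matcher; everything else is dropped, which is exactly why "just block tcp/853" does not help in hostname mode: the system has no plain-DNS fallback to return to.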

djechelon commented 3 years ago

I'd like to contribute with my recent experience. I was aware of the theory of DoT/DoH not working on any VPN-based blocker.

But now, with my unrooted Pixel 5 (AOSP 11), I have double-checked and private DNS is enabled on settings. I have enabled DNS66 and none of my ad-based apps show ads.

What was changed in the meantime?

zenczykowski commented 3 years ago

AFAIK it probably depends on whether it's enabled in opportunistic mode or not.

Opportunistic is trivial to block (just block tcp/853) and requires the normally chosen (presumably via DHCP) dns server to support dns over tls (they usually don't) in the first place. Opportunistic mode is really just a toy / proof of concept - but it's really also the best that can be done without forcing the choice of dns provider on the user.

The other mode where you provide an actual dns hostname like 'dns.google' or 'cloudflare-dns.com' and force DNS over TLS can't just be blocked (if you block it you don't get functional DNS so you know you're getting blocked).

On Mon, Nov 2, 2020 at 1:59 AM djechelon notifications@github.com wrote:

I'd like to contribute with my recent experience. I was aware of the theory of DoT/DoH not working on any VPN-based blocker.

But now, with my unrooted Pixel 5 (AOSP 11), I have double-checked and private DNS is enabled on settings. I have enabled DNS66 and none of my ad-based apps show ads.

What was changed in the meantime?


ignoramous commented 3 years ago

As @zenczykowski pointed out, there is likely nothing DNS66 could do here, other than block TCP/853, but then the device would be without any DNS connectivity, as Private DNS' implementation doesn't fall back to OS/VPN-provided plain-text DNS since Android 10.

Ref: https://github.com/celzero/rethink-app/issues/25

le9i0nx commented 2 years ago

I think there is an elegant solution. dns66 can be such a provider on the phone, and in the settings you specify 127.0.0.1. This mode has a plus in that it does not use VPN mode.

djechelon commented 2 years ago

@le9i0nx Listening on a port < 1024 requires rooting, and DNS66 is here to prevent the requirement of rooting. I think your solution is feasible, but there are a few pitfalls.

By the way, DNS-blocking root apps (e.g. AdAway) are particularly faster than DNS-based solutions and never crash, since they update the real hosts file on the system.