mullvad / mullvadvpn-app

The Mullvad VPN client app for desktop and mobile
https://mullvad.net/
GNU General Public License v3.0

Mullvad DNS can't resolve some domain names #5026

Closed Saroumane closed 2 months ago

Saroumane commented 1 year ago

Issue report

Ubuntu 23.04 Mullvad App 2023.4

Issue description

It seems that Mullvad DNS can't resolve some domain names that I can resolve with my ISP DNS. Example: trestresbon.fr

With Mullvad VPN ON:

$ dig trestresbon.fr
; <<>> DiG 9.18.12-1ubuntu1.1-Ubuntu <<>> trestresbon.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51180
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;trestresbon.fr.            IN  A

;; Query time: 160 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Aug 21 13:45:38 CEST 2023
;; MSG SIZE  rcvd: 43

With Mullvad VPN OFF:

$ dig trestresbon.fr

; <<>> DiG 9.18.12-1ubuntu1.1-Ubuntu <<>> trestresbon.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64344
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;trestresbon.fr.            IN  A

;; ANSWER SECTION:
trestresbon.fr.     3600    IN  A   213.186.33.4

;; Query time: 20 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Aug 21 13:47:37 CEST 2023
;; MSG SIZE  rcvd: 59

More details: https://www.nslookup.io/domains/trestresbon.fr/dns-records/#authoritative It looks like major DNS providers like Cloudflare or Google don't have it in their cache, but the authoritative DNS server is answering.

Let's check the nameservers (Mullvad VPN OFF):

$ dig NS trestresbon.fr

; <<>> DiG 9.18.12-1ubuntu1.1-Ubuntu <<>> NS trestresbon.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1785
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;trestresbon.fr.            IN  NS

;; ANSWER SECTION:
trestresbon.fr.     3395    IN  NS  dns110.ovh.net.
trestresbon.fr.     3395    IN  NS  ns110.ovh.net.

;; ADDITIONAL SECTION:
ns110.ovh.net.      171374  IN  A   213.251.128.154
dns110.ovh.net.     3557    IN  AAAA    2001:41d0:1:4a9a::1

;; Query time: 12 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Aug 21 13:51:02 CEST 2023
;; MSG SIZE  rcvd: 135

Why doesn't Mullvad DNS provide DNS resolution for this domain name?

vistor-m commented 1 year ago

Hi there. Mullvad is doing DNSSEC validation whenever possible. DNSSEC signing is activated for this domain but they have misconfigured it: https://dnsviz.net/d/trestresbon.fr/dnssec/.

One of the main purposes of DNSSEC is to allow for digital signatures to ensure validity and prevent spoofing, so we are simply blocking access to it when DNSSEC validation fails and returning SERVFAIL, as in your example.

If you run the same dig command with +cd at the end to skip the DNSSEC check, it will return the IP address.

Saroumane commented 1 year ago

Thank you for the explanation and the trick with dig. It would be nice if browsers were able to display the real reason when they fail to load. For example, Chromium always shows "DNS_PROBE_FINISHED_NXDOMAIN", and I can't tell if it's because:

I guess some people would be interested if Mullvad would offer a new set of DNS servers without this DNSSEC check (to maximize website compatibility, despite the spoofing risk).

Meanwhile, I understand the only way to deal with this situation is to dig/nslookup every failing domain name and use a different DNS when needed. (I could also just browse to the IP address, but for trestresbon.fr it does not seem to work; I get a 'website not configured' page.)

@vistor-m If I use the 'private DNS' setting offered by the Mullvad VPN apps, my DNS requests are still routed through the VPN tunnel, and the wifi/GSM/LAN network owner can't see them, right?

dlon commented 1 year ago

If I use the 'private DNS' setting offered by the Mullvad VPN apps, my DNS requests are still routed through the VPN tunnel, and the wifi/GSM/LAN network owner can't see them, right?

That depends. If you configure the apps to use a resolver on the internet (such as 8.8.8.8), then DNS queries are sent in the tunnel. If the IP address belongs to a server on your LAN (or, in general, is a private IP), then they are not tunneled.

Saroumane commented 1 year ago

OK, let's say a public DNS. Does the type of DNS request matter? Do all 3 types (UDP port 53, DNS over TLS, DNS over HTTPS) get routed through the tunnel? I haven't found explicit confirmation on the Mullvad website.

Edit: I tested DoH with Chromium (it's called 'secure DNS' in the privacy settings) and VPN 'On': https://mullvad.net/en/check sees it as a 'DNS leak', but I'm not sure of the exact nature of the leak. Does the public DNS only see the domain names requested, and the Mullvad VPN server as the 'requesting' IP? Or does it also see my real IP?

dlon commented 1 year ago

Do all 3 types (UDP port 53, DNS over TLS, DNS over HTTPS) get routed through the tunnel?

Typically, all three types are routed through the VPN. Moreover, any traffic outside the tunnel is blocked by the firewall, with exceptions for essential protocols, traffic to the VPN server itself, and sometimes LAN and custom DNS.

[...] sees it as a 'DNS leak'

The check reports a leak whenever queries come from a server that isn't one of Mullvad's resolvers. In your case, this is expected.

Does the public DNS only see the domain names requested, and the Mullvad VPN server as the 'requesting' IP?

Correct.

faern commented 2 months ago

I'm closing this. IMO you should probably contact the website providers that have configured their domains wrong. But this is mostly a question not about our app, but about our infrastructure. For non-app-related questions, please contact support@mullvadvpn.net