DNS leak in the "Resolving Host" process

[rezmir99]

General information

1. Android Version: 11
2. Android Vendor/Custom ROM: MIUI
3. Device: Xiaomi Redmi note 10 pro
4. Version of the app (version number/play store version/self-built): official build 0.7.33

Description of the issue

When I try to connect to a VPN server, in the resolving host process, an incorrect IP is returned instead of the server IP.

• Because the process of resolving host takes place before connecting to the VPN and is not encrypted by the VPN tunnel, it can lead to DNS leakage.
• My ISP (Country: Iran) uses DNS injection method to manipulate the IP of a domain requested by the user. Therefore, if the DNS request is not encrypted, its IP will be manipulated by ISP. It is worth mentioning that "DNS over TLS" protocol is completely blocked in Iran and the only encrypted protocol that can be used to encrypt DNS requests is "DNS over HTTPS". Millions of people in Iran have trouble connecting to VPN because of this problem.
• Using "Override DNS Settings by Server" option can't solve the problem, because DNS leakage occurs before connection to the server.

Suggestions to solve the problem

• Use "DNS over HTTPS" protocol to determine the server IP in the "Resolving host" process.
• Add a feature to route all DNS requests at any stage (including the connection process) to a port on the local host. In this case, the user can use another app (such as Tor/Orbot or InvisiblePro) for DNS requests.
• Integrate DNSCrypt-proxy binary (available for android) in the app and use that binary for DNS requests.

Log

2022-02-21 18:26:07 official build 0.7.33 running on Redmi M2101K6G (sweet), Android 11 (RKQ1.200826.002) API 30, ABI arm64-v8a, (Redmi/sweet_tr/sweet:11/RKQ1.200826.002/V12.5.6.0.RKFTRXM:user/release-keys)
2022-02-21 18:26:07 Building configuration…
2022-02-21 18:26:07 started Socket Thread
2022-02-21 18:26:07 Network Status: CONNECTED  to WIFI 
2022-02-21 18:26:07 Debug state info: CONNECTED  to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2022-02-21 18:26:07 Debug state info: CONNECTED  to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2022-02-21 18:26:07 P:WARNING: linker: Warning: "/data/app/~~P5ewg22Id3zVe7z0YXULAg==/de.blinkt.openvpn-auxa4Ja3aEIixBJ9GySlSQ==/lib/arm64/libovpnexec.so" is not a directory (ignoring)
2022-02-21 18:26:07 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2022-02-21 18:26:07 Current Parameter Settings:
2022-02-21 18:26:07   config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2022-02-21 18:26:07   mode = 0
2022-02-21 18:26:07   show_ciphers = DISABLED
2022-02-21 18:26:07   show_digests = DISABLED
2022-02-21 18:26:07   show_engines = DISABLED
2022-02-21 18:26:07   genkey = DISABLED
2022-02-21 18:26:07   genkey_filename = '[UNDEF]'
2022-02-21 18:26:07   key_pass_file = '[UNDEF]'
2022-02-21 18:26:07   show_tls_ciphers = DISABLED
2022-02-21 18:26:07   connect_retry_max = 0
2022-02-21 18:26:07 Connection profiles [0]:
2022-02-21 18:26:07   proto = tcp-client
2022-02-21 18:26:07   local = '[UNDEF]'
2022-02-21 18:26:07   local_port = '[UNDEF]'
2022-02-21 18:26:07   remote = 'nl-free-04.protonvpn.com'
2022-02-21 18:26:07   remote_port = '5995'
2022-02-21 18:26:07   remote_float = DISABLED
2022-02-21 18:26:07   bind_defined = DISABLED
2022-02-21 18:26:07   bind_local = DISABLED
2022-02-21 18:26:07   bind_ipv6_only = DISABLED
2022-02-21 18:26:07   connect_retry_seconds = 2
2022-02-21 18:26:07   connect_timeout = 120
2022-02-21 18:26:07   socks_proxy_server = '[UNDEF]'
2022-02-21 18:26:07   socks_proxy_port = '[UNDEF]'
2022-02-21 18:26:07   tun_mtu = 1500
2022-02-21 18:26:07   tun_mtu_defined = ENABLED
2022-02-21 18:26:07   link_mtu = 1500
2022-02-21 18:26:07   link_mtu_defined = DISABLED
2022-02-21 18:26:07   tun_mtu_extra = 32
2022-02-21 18:26:07   tun_mtu_extra_defined = ENABLED
2022-02-21 18:26:07   mtu_discover_type = -1
2022-02-21 18:26:07   fragment = 0
2022-02-21 18:26:07   mssfix = 1492
2022-02-21 18:26:07   mssfix_encap = ENABLED
2022-02-21 18:26:07   explicit_exit_notification = 0
2022-02-21 18:26:07   tls_auth_file = '[INLINE]'
2022-02-21 18:26:07   key_direction = 1
2022-02-21 18:26:07   tls_crypt_file = '[UNDEF]'
2022-02-21 18:26:07   tls_crypt_v2_file = '[UNDEF]'
2022-02-21 18:26:07 Connection profiles [1]:
2022-02-21 18:26:07   proto = tcp-client
2022-02-21 18:26:07   local = '[UNDEF]'
2022-02-21 18:26:07   local_port = '[UNDEF]'
2022-02-21 18:26:07   remote = 'nl-free-04.protonvpn.com'
2022-02-21 18:26:07   remote_port = '443'
2022-02-21 18:26:07   remote_float = DISABLED
2022-02-21 18:26:07   bind_defined = DISABLED
2022-02-21 18:26:07   bind_local = DISABLED
2022-02-21 18:26:07   bind_ipv6_only = DISABLED
2022-02-21 18:26:07   connect_retry_seconds = 2
2022-02-21 18:26:07   connect_timeout = 120
2022-02-21 18:26:07   socks_proxy_server = '[UNDEF]'
2022-02-21 18:26:07   socks_proxy_port = '[UNDEF]'
2022-02-21 18:26:07   tun_mtu = 1500
2022-02-21 18:26:07   tun_mtu_defined = ENABLED
2022-02-21 18:26:07   link_mtu = 1500
2022-02-21 18:26:07   link_mtu_defined = DISABLED
2022-02-21 18:26:07   tun_mtu_extra = 32
2022-02-21 18:26:07   tun_mtu_extra_defined = ENABLED
2022-02-21 18:26:07   mtu_discover_type = -1
2022-02-21 18:26:07   fragment = 0
2022-02-21 18:26:07   mssfix = 1492
2022-02-21 18:26:07   mssfix_encap = ENABLED
2022-02-21 18:26:07   explicit_exit_notification = 0
2022-02-21 18:26:07   tls_auth_file = '[INLINE]'
2022-02-21 18:26:07   key_direction = 1
2022-02-21 18:26:07   tls_c

Configuration file

client
dev tun
proto tcp

remote nl-free-06.protonvpn.com 5995
remote nl-free-06.protonvpn.com 8443
remote nl-free-06.protonvpn.com 443

remote-random
resolv-retry infinite
nobind

# The following setting is only needed for old OpenVPN clients compatibility. New clients
# automatically negotiate the optimal cipher.
cipher AES-256-CBC

auth SHA512
verb 3

setenv CLIENT_CERT 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun

reneg-sec 0

remote-cert-tls server
auth-user-pass
pull
fast-io

[schwabe]

I understand your problem but I changing OpenVPN's resolving process from using system standard resolver to implementing DNS myself and that has all kinds of problems associated with it. That is not a project that I will undertake any time soon.

[rezmir99]

I understand problems implementing DNS in the app.

However, I think there is a solution that can probably be easily implemented by you. If only the "Resolving host" process happens before creating a VPN connection, the problem can be solved. By doing this, the user can connect to a dns app before connecting to openVPN (which also uses a VPN connection, such as 1.1.1.1 app). As a result, the process of Resolving host is done with the help of dns app and there will be no dns leaks.

Currently this is not possible, Because by pressing the connect button in openvpn, a VPN connection is created, which causes the dns app to be disconnected and the process of Resolving host happens without encryption.

Thanks for your great app and support.