
Android is ruining VPN usage due to its DNS leak bug

Attention Android users! If you're using a VPN, it's time to dig into your device's settings to fix the DNS leak vulnerability that's secretly affecting Android devices. This vulnerability continues to leak DNS traffic even when the always-on kill switch is enabled on Android, endangering user privacy.

Even with the kill switch active, a DNS leak can occur on Android

A recent post from Mullvad – known for its Mullvad VPN – points to a serious privacy issue with existing Android devices. The researchers observed a DNS leak vulnerability in the Android system that remains active even with the permanent kill switch, compromising user privacy.

Mullvad researchers discovered this vulnerability after seeing user reports on Reddit that suspected a DNS leak issue on Android. According to the users' comments, different users tried different VPNs on their respective devices running Android OS (and even GrapheneOS) and the problem persisted.

Following these comments, Mullvad researchers investigated the matter and noted the systemic issue that required resolution. Specifically, the vulnerability occurs with renewed VPN connections. This means that if the user disconnects and reconnects the VPN, or a VPN connection is lost due to tunnel reconfiguration or app crashes, Android will leak the user's DNS traffic for a short period of time. The VPN kill switch and the always-on VPN setting on Android are intended to prevent such leaks, but they don't work as intended.

The researchers observed that this behavior was limited to direct calls to the C function getaddrinfo. Although this limits the scope of the vulnerability, it is actually serious as it directly impacts the Google Chrome browser, which can directly use getaddrinfo and is the most commonly used browser for Android users. (It also comes preinstalled on most Android devices.)

The researchers have shared the technical details and steps to reproduce the DNS leak in their post.
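One way to check a packet capture for the behavior described above, as an added example that is not taken from Mullvad's post or from this article. It assumes capture lines in the style of `tcpdump -n -i any port 53` (interface name and direction after the timestamp), IPv4 only; the interface names `tun0` and `wlan0`, the function name `find_dns_leaks` and the sample lines are constructed for illustration.

```python
import re

# Constructed sample in the style of `tcpdump -n -i any port 53` output.
# Not real capture data: tun0 stands for the VPN tunnel, wlan0 for Wi-Fi.
SAMPLE_CAPTURE = """\
12:00:01.100000 tun0  Out IP 10.64.0.2.41000 > 10.64.0.1.53: 1001+ A? example.com. (29)
12:00:01.120000 tun0  In  IP 10.64.0.1.53 > 10.64.0.2.41000: 1001 1/0/0 A 93.184.216.34 (45)
12:00:05.300000 wlan0 Out IP 192.168.1.23.52211 > 192.168.1.1.53: 2002+ A? leak-test.example. (35)
12:00:05.900000 wlan0 Out IP 192.168.1.23.52212 > 192.168.1.1.53: 2003+ AAAA? leak-test.example. (35)
12:00:07.000000 tun0  Out IP 10.64.0.2.41001 > 10.64.0.1.53: 1002+ A? example.org. (29)
"""

# Matches IPv4 DNS query lines only; responses have no "TYPE?" field and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>[^\s:]+):\s+\d+\+?\s+"
    r"(?P<qtype>[A-Z]+)\?\s+(?P<qname>\S+)"
)


def find_dns_leaks(capture_text, tunnel_ifaces=("tun0",)):
    """Return outbound DNS queries that left on a non-tunnel interface."""
    leaks = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dir"] != "Out":
            continue
        # tcpdump prints the port as the last dot-separated field of the address.
        if m["dst"].rsplit(".", 1)[-1] != "53":
            continue
        if m["iface"] not in tunnel_ifaces:
            leaks.append((m["ts"], m["iface"], m["qtype"], m["qname"].rstrip(".")))
    return leaks


if __name__ == "__main__":
    for ts, iface, qtype, qname in find_dns_leaks(SAMPLE_CAPTURE):
        print(f"{ts} LEAK via {iface}: {qtype} {qname}")
```

With always-on VPN and the kill switch enabled, any query reported on a non-tunnel interface while the VPN reconnects indicates the leak.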

Google has been informed of the error

Following this discovery, Mullvad reported the matter to Google. According to its statement shared with Bleeping Computer, Google is working to fix the issue.

“Android security and privacy are top priorities. We are aware of this report and are reviewing its findings.”

However, this means that Android users will still be vulnerable to DNS leaks regardless of the VPN they use until a patch is available.

As a possible workaround, Mullvad recommends setting up a fake DNS server when using the VPN app. This would hide the actual DNS in case of DNS leak events.

Mullvad further clarified that this mitigation should ideally be implemented at the operating system level, rather than the VPN app level, to protect all users end-to-end.
