Some apps on Android don't use Connlib DNS sentinels

[jamilbk]

It looks like some apps on Android are not using the DNS sentinel set by connlib in the BuildVPNService function, and are instead using the DNS servers from the WiFi interface instead.

Apps that work fine:

• Chrome

Apps that don't:

• AndroDNS on Android is not using the 100.100.111.1 Sentinel
• ODK-Collect app may not be using the 100.100.111.1 Sentinel either

Some things to note:

• AlwaysOn VPN is enabled
• Block traffic not going through the VPN is enabled (set by MDM)

[jamilbk]

They seem to be using the DNS servers from the WiFi interface

[ReactorScram]

Same as this? https://news.ycombinator.com/item?id=40247604

https://mullvad.net/en/blog/dns-traffic-can-leak-outside-the-vpn-tunnel-on-android

We were recently made aware of multiple potential DNS leaks on Android. They stem from bugs in Android itself, and only affect certain apps.

[jamilbk]

Yeah I saw that. I don't think it's the same issue, but need to triage further.

One thing of note is that the offending apps are installed directly via APK. Not sure if that's a clue.

[jamilbk]

Able to reproduce using the following steps:

• Build, launch Firezone in Android simulator
• Install AndroDNS from https://github.com/gryphius/androdns/releases by dragging APK onto simulator window
• Try resolving a Firezone Resource

[jamilbk]

The problem with AndroDNS is they have their DNS server detection code which doesn't correctly use the servers set by our VPN service:

https://github.com/gryphius/androdns/blob/master/app/src/main/java/androdns/android/leetdreams/ch/androdns/DnsServersDetector.java#L156

[jamilbk]

Another issue is that when "Block connections that don't go through the VPN" is enabled, Android stops using the VPN DNS servers for lookups and instead uses the servers from the default network interface instead.