Flaws in Android Cause Certain VPN Apps to Suffer From DNS Leaks

Mullvad VPN has confirmed the existence of critical DNS leak problems in certain Android VPN apps stemming from inherent bugs in the Android operating system.

The issue first came to light on April 22, 2024, when a user reported a DNS leak on Reddit while toggling Mullvad VPN’s “Block connections without VPN” setting on Android. After receiving the reports, Mullvad initiated an internal investigation, confirming the leak and identifying additional scenarios under which DNS traffic could escape the confines of the VPN tunnel.

Mullvad’s investigation revealed the existence of two scenarios leading to DNS leaks, namely:

  • If the VPN is active without any DNS server configured, leaks can occur.
  • Brief leaks occur while the VPN app is being reconfigured or if it crashes.

The investigation pinpointed that leaks were specifically linked to apps that use the C function ‘getaddrinfo’ to resolve domain names, such as the Chrome browser. This behavior persisted despite the “Always-on VPN” and “Block connections without VPN” settings being enabled, which contradicts expected OS behavior.

The leaks have been confirmed across multiple Android versions, including the latest, Android 14. Mullvad VPN has reported these issues to Google and recommended improvements. In the meantime, Mullvad plans to implement a workaround by setting up a bogus DNS server to mitigate the leaks until the OS establishes a more permanent solution.

The issue has echoed across the Android user community, with many confirming the DNS leaks via various tests and sharing their concerns. GrapheneOS, another involved party, reported similar findings on Mastodon regarding DNS and local network multicast leaks, indicating a broader systemic issue within Android’s handling of VPN connections.

Android users relying on VPNs for privacy should verify that the products they use incorporate DNS leak prevention measures.

Until Google resolves these OS-level issues, it is important for users to monitor the situation closely and apply security updates as soon as they become available.

Mullvad VPN has also shared steps to reproduce the leaks in its blog post, to help users determine if the product they use is vulnerable to the mentioned flaws.
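One way to check a packet capture for the leak described above, as an added example that is neither Mullvad's reproduction procedure nor code from any VPN project. It assumes the text output of `tcpdump -i any -n port 53` (tcpdump 4.99 or later) and a tunnel interface named `tun0`; the sample lines, addresses and domain names are constructed.

```python
import re

# Assumed input: text output of `tcpdump -i any -n port 53` (tcpdump 4.99+),
# where each line names the interface and direction before the packet summary.
QUERY_RE = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP6?\s+"
    r"\S+\.\d+\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"\d+[+%]*\s+(?:\[[^\]]*\]\s+)?(?P<qtype>[A-Z0-9]+)\?\s+(?P<name>\S+)"
)

def find_dns_leaks(lines, tunnel_ifaces=("tun0",), ignore_ifaces=("lo",)):
    """Return plaintext DNS queries that left on a non-tunnel interface."""
    leaks = []
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # responses, non-DNS traffic, or payloads tcpdump could not decode
        if m["dir"] != "Out" or m["dport"] != "53":
            continue
        if m["iface"] in tunnel_ifaces or m["iface"] in ignore_ifaces:
            continue  # query stayed inside the tunnel (or on loopback)
        leaks.append({
            "iface": m["iface"],
            "resolver": m["dst"],
            "qtype": m["qtype"],
            "name": m["name"].rstrip("."),
        })
    return leaks

# Constructed sample capture: one query inside the tunnel, its response,
# two queries escaping over Wi-Fi, and one non-DNS tunnel packet.
SAMPLE = """\
12:00:01.100000 tun0 Out IP 10.64.0.2.40112 > 10.64.0.1.53: 4660+ A? example.com. (29)
12:00:01.130000 tun0 In IP 10.64.0.1.53 > 10.64.0.2.40112: 4660 1/0/0 A 192.0.2.10 (45)
12:00:07.500000 wlan0 Out IP 192.168.1.23.51844 > 192.168.1.1.53: 9121+ [1au] AAAA? leak.example.net. (45)
12:00:07.900000 wlan0 Out IP 192.168.1.23.38000 > 198.51.100.7.51820: UDP, length 148
12:00:08.200000 wlan0 Out IP6 2001:db8::23.40222 > 2001:db8::1.53: 77+ A? second.example.org. (36)
""".splitlines()

if __name__ == "__main__":
    for leak in find_dns_leaks(SAMPLE):
        print(f"LEAK via {leak['iface']} to {leak['resolver']}: "
              f"{leak['qtype']} {leak['name']}")
```

Pass the actual tunnel interface name through `tunnel_ifaces` if it differs from `tun0`; an empty result only means no plaintext port-53 query was seen outside the tunnel during the capture window.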

DNS leaks can have severe repercussions on the user’s privacy and security, including exposure of browsing history, loss of anonymity, elevated risk of surveillance, and inability to bypass internet censorship measures.

In 2022, Mullvad highlighted broader problems in Android, where many VPN clients leaked various types of data—including source IP addresses, DNS lookups, HTTPS traffic, and possibly NTP traffic—every time the device connects to a WiFi network.

The recent report focuses more narrowly on DNS leaks occurring under specific circumstances, such as when the VPN is being reconfigured or if it crashes, indicating that Google previously implemented an inadequate/incomplete fix.
