A Mullvad VPN user has discovered a significant privacy vulnerability on Android devices, where DNS queries leak when switching VPN servers, even with robust security settings enabled. The “Always-on VPN” feature, designed to maintain a constant VPN connection, and the “Block connections without VPN” option, intended as a kill switch to ensure all network traffic passes through the VPN, are both compromised by this bug. This issue was identified during an examination conducted by Mullvad on April 22 and affects even the most recent version of Android, Android 14.
Mullvad’s investigations revealed that the DNS leaks are primarily due to calls made by apps to the getaddrinfo C function, which bypasses the Android APIs designed to handle such queries securely through the VPN. Notably, popular applications like Google Chrome are examples of apps that directly use getaddrinfo, thus contributing to this problem. Despite the security settings, this Android bug exposes user DNS traffic under certain conditions, such as when a VPN app reconfigures the tunnel, crashes, or stops forcefully.
In response to discovering this vulnerability, Mullvad suggested a temporary mitigation technique, which involves setting a bogus DNS server while the VPN is active. This approach helps prevent DNS leaks when users switch to another server or alter the DNS server settings. However, they have yet to find a solution for leaks that occur when the VPN tunnel needs to reconnect, highlighting a broader issue affecting all Android VPN applications.
The situation calls for a more comprehensive fix at the operating system level to protect user data privacy across all applications, regardless of their method of resolving domain names. Mullvad emphasized that these workarounds should not be necessary and that the underlying issue should be resolved by Android developers to safeguard all users. Google, aware of the problem, stated that Android security and privacy are top priorities and that they are investigating the findings to address these vulnerabilities effectively.
