A recent discovery by a Mullvad VPN user has uncovered a concerning privacy issue with Android devices. Despite having the “Always-on VPN” feature enabled with the “Block connections without VPN” option, Android devices are leaking DNS queries when switching VPN servers.

The “Always-on VPN” feature is meant to start the VPN service when the device boots and keep it running while the device is in use. Enabling the “Block connections without VPN” option, also known as a kill switch, should ensure that all network traffic passes through the VPN tunnel to prevent prying eyes from monitoring user web activity.

However, Mullvad found that even with these security features enabled on the latest Android OS version (Android 14), a bug in the system is causing DNS information to leak. This leak occurs when using apps that directly call the getaddrinfo C function.

According to Mullvad, the DNS traffic leak occurs when a VPN is active without a configured DNS server or when a VPN app re-configures the tunnel, crashes, or is forced to stop. This issue affects all Android VPN apps, not just Mullvad.

Mullvad suggests a temporary mitigation for one of the DNS leak scenarios: setting a bogus DNS server while the VPN app is active. However, a fix for the DNS query leak that occurs when the VPN tunnel reconnects has not yet been found.
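One way to check a packet capture for the leak described above, added here as an example (it is not Mullvad's or Google's code): the script flags outbound DNS queries that left on an interface other than the VPN tunnel. The sample lines are constructed, and the tunnel interface name `tun0`, the function name `find_dns_leaks` and the `tcpdump -i any -n port 53` text format are assumptions.

```python
import re

# Constructed sample in the style of `tcpdump -i any -n port 53` text output
# (recent tcpdump prints interface and direction after the timestamp).
SAMPLE_CAPTURE = """\
12:00:01.100000 tun0  Out IP 10.64.0.2.40211 > 10.64.0.1.53: 4660+ A? example.com. (29)
12:00:01.140000 tun0  In  IP 10.64.0.1.53 > 10.64.0.2.40211: 4660 1/0/0 A 203.0.113.10 (45)
12:00:07.500000 wlan0 Out IP 192.168.1.23.51822 > 192.168.1.1.53: 9731+ A? leak-test.example. (35)
12:00:07.620000 wlan0 Out IP6 2001:db8::23.51823 > 2001:db8::1.53: 2210+ AAAA? leak-test.example. (35)
12:00:09.000000 tun0  Out IP 10.64.0.2.40212 > 10.64.0.1.53: 4661+ A? example.org. (29)
"""

# timestamp, interface, direction, src, dst, then a query: "<id>+ <QTYPE>? <name>"
QUERY_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(In|Out)\s+IP6?\s+(\S+)\s+>\s+(\S+):\s+\d+\+?.*?\s(\S+)\?\s+(\S+)"
)


def find_dns_leaks(capture_text, tunnel_ifaces=("tun0",)):
    """Return outbound DNS queries that left on a non-tunnel interface."""
    leaks = []
    for line in capture_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # responses and non-DNS lines carry no "QTYPE?" question
        ts, iface, direction, _src, dst, qtype, qname = m.groups()
        if direction != "Out" or dst.rsplit(".", 1)[-1] != "53":
            continue  # only queries sent to port 53 are of interest
        if iface in tunnel_ifaces or iface == "lo":
            continue  # inside the tunnel, or local resolver traffic
        leaks.append({
            "time": ts,
            "iface": iface,
            "qtype": qtype,
            "qname": qname.rstrip("."),
            "server": dst.rsplit(".", 1)[0],
        })
    return leaks


if __name__ == "__main__":
    for leak in find_dns_leaks(SAMPLE_CAPTURE):
        print("LEAK", leak)
```

Capturing while the VPN app switches servers or is force-stopped covers the scenarios listed above; any result on a non-tunnel interface means the kill switch did not hold for that query.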

In response to these findings, Mullvad emphasizes that these issues should be addressed at the OS level to protect all Android users, regardless of which VPN apps they use. The privacy risks posed by DNS traffic leaks can expose user locations and online activities.

Google has acknowledged the report and stated that Android security and privacy are top priorities. They are currently investigating the findings.

Given the seriousness of this issue, users may want to consider avoiding sensitive activities on Android devices or implementing additional safeguards until Google resolves the bug and updates older Android versions.

Fabio

Full Stack Developer
