Mullvad VPN has confirmed the existence of critical DNS leak problems in certain Android VPN apps stemming from inherent bugs in the Android operating system.
The issue first came to light on April 22, 2024, when a user reported a DNS leak on Reddit while toggling Mullvad VPN’s “Block connections without VPN” setting on Android. After receiving the reports, Mullvad initiated an internal investigation, confirming the leak and identifying additional scenarios under which DNS traffic could escape the confines of the VPN tunnel.
Mullvad’s investigation revealed the existence of two scenarios leading to DNS leaks, namely:
- If the VPN is active without any DNS server configured, leaks can occur.
- Brief leaks occur while the VPN app is being reconfigured or if it crashes.
The investigation pinpointed that leaks were specifically linked to apps that use the C function ‘getaddrinfo’ to resolve domain names, such as the Chrome browser. This behavior persisted despite the “Always-on VPN” and “Block connections without VPN” settings being enabled, which contradicts expected OS behavior.
The leaks have been confirmed across multiple Android versions, including the latest, Android 14. Mullvad VPN has reported these issues to Google and recommended improvements. In the meantime, Mullvad plans to implement a workaround by setting up a bogus DNS server to mitigate the leaks until the OS establishes a more permanent solution.
The issue has echoed across the Android user community, with many confirming the DNS leaks via various tests and sharing their concerns. GrapheneOS, another involved party, reported similar findings on Mastodon regarding DNS and local network multicast leaks, indicating a broader systemic issue within Android’s handling of VPN connections.
Android users relying on VPNs for privacy should verify that the products they use incorporate DNS leak prevention measures.
Until Google resolves these OS-level issues, it is important for users to monitor the situation closely and apply security updates as soon as they become available.
Mullvad VPN has also shared steps to reproduce the leaks on its blog post, to help users determine if the product they yse is vulnerable to the mentioned flaws.
DNS leaks can have severe repercussions on the user’s privacy and security, including exposure of browsing history, loss of anonymity, elevated risk of surveillance, and inability to bypass internet censorship measures.
In 2022, Mullvad highlighted broader problems in Android, where many VPN clients leaked various types of data—including source IP addresses, DNS lookups, HTTPS traffic, and possibly NTP traffic—every time the device connects to a WiFi network.
The recent report focuses more narrowly on DNS leaks occurring under specific circumstances, such as when the VPN is being reconfigured or if it crashes, indicating that Google previously implemented an inadequate/incomplete fix.
Optimum
This is definitely an Android OS issue and it is coming from Android Network diagnostic tool. The same way as with Captive Portal (when you change WIFI access point), on DNS change, Android send a packet with your real DNS provider with 6 randomly generated numbers appended (presumable to somewhat anonymize you) to Google servers. Because it is a system process, as opposed to an application, the former will go around VPN switch kill.
Anonymous
I dont get why you would even use a VPN on a phone besides maybe being able too access blocked sites on restricted public WIFI . A phone is not designed for security . Period . A phone is a device you put your identity on and let it talk to the world . You cant stop it from doing this core function .
Alex Lekander
Using a VPN on your phone will also prevent your cell carrier from snooping on every website you visit, which is a major privacy benefit.
Dimitiri
I’ve noticed that many Android apps actually detect my real location, even when I’m using a VPN with a mock location feature. Despite disabling all location services on Android, including Google Emergency services, I’ve experienced this multiple times.
It’s quite interesting because while I can set a mock location with a VPN and see the fake location on Google Maps, some apps like WeChat, WhatsApp, Meta, and others are able to pinpoint my actual location. One way to test this is by installing WeChat (just as an example), setting a mock location with a VPN, and then using the “find friends nearby” feature. You’ll likely observe that the users displayed are all near your physical location.
The only exception I’ve found to this is when using an Android Emulator like Bluestacks.
Yayes
time zone ? language ? 4G NETWORK Provider ? ip is just one piece of hiding your location..
bilbo
Is this issue only limited to Mullvad?
RaxnHat
no it’s an Android issue that effects all providers regardless of technology they use.
Christopher
I don’t know much of the mechanics of that particular issue in reddit it but I have experienced something similar very recently on windows PC
I thought my device was compromised and immediately contacted client support – in my case it was surfshark but Mullvad was installed for a month subscription along with the browser, but was not on. I
Long story short, shortly after realizing that I have been a sitting duck all this time thinking that I am surfing safely, I myself discovered the anomaly despite lesser technical knowledge. In the end, I reset the entire network settings after hours of trying different DNS configuration. This incident thought me not to mess with firefox optional DNS configurations if I am connected to vpn. I have had some intense moments though…
BITR
Android users relaying on VPNs for privacy should verify the products they use incorporate DNS leak prevention measures.
– Don’t sound right / needs an ‘and’ beteeen
use incorporate or ‘to’. OR – use, incorpating
, to help users determine if the product they yse is vulnerable to the mentioned flaws.
Hope to help =
Alex Lekander
Thanks BITR, I added a “that” to the sentence and changed “relaying” to “relying”.
“Android users relying on VPNs for privacy should verify that the products they use incorporate DNS leak prevention measures.”
milly
Hello, it’s meaning we can not to use mullvadvpn on or devices? ??
How we can to fix it? ??
Thank’s for answering of you.
Alex Lekander
From the Mullvad investigation:
“We will work around the OS bug by setting a bogus DNS server for now. You can expect a release with this fix soon.”
User
Thank you! Alex. It looks it does not really exist a solution for Android. Sadly, using a VPN is not protecting us. Sadly, many goverments are forcing us to add or photo ID, using the bank app…