We were recently made aware of multiple potential DNS leaks on Android. They stem from bugs in Android itself, and only affect certain apps.
You must log in or register to comment.
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
- Don’t promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
Chat rooms
-
[Matrix/Element]Dead
much thanks to @gary_host_laptop for the logo design :)
- 0 users online
- 84 users / day
- 537 users / week
- 1.5K users / month
- 6.58K users / 6 months
- 1 subscriber
- 2.32K Posts
- 54K Comments
- Modlog
I think the problem is Reddit user (who Mullvad cites) not knowing that the Private DNS feature in AOSP/Android defaults to Google or Cloudflare DNS, and that you need to set a custom DNS of your choice to prevent this.
AdGuard provides a whole list of DNS providers to pick from. Pick a hostname from DNS-over-tls row for any provider, remove the “tls://” part and enter the rest in Private DNS custom option.
https://adguard-dns.io/kb/general/dns-providers/
mine gives me three choices. Off, Automatic, and Private DNS (type in your own). should i set mine to off then? will that prevent the leak?
I am not sure what off does. Might need to recheck Android documentation. But I remember the custom one definitely uses whatever you set, and nothing else. No Google/Cloudflare DNS.
For example, if you like AdGuard, you can just enter
dns.adguard.comthere.so automatic will allow the leak?
Automatic on Android always falls back to Google or Cloudflare DNS in the same way systemd DNS resolving works. Or if that does not work, ISP is being sent whatever domain queries user is requesting directly. I am going off from connecting the dots between what I know about Private DNS from Android documentation, and what the Reddit poster did not mention who Mullvad cited in their blog post. I am assuming that the time gap between Android’s killswitch turning off and on with always-on settings is giving time for DNS queries to go through (detected by Wireshark), and since the default DNS provider is almost never set by people on Android, this may be happening.
If you do this, you’ll be using the DNS you assign instead of using the VPN’s DNS, as intended. That will make you stand out from the rest of the same VPN users, effectively affecting privacy.
Either stand out or let your ISP or Google/Cloudflare or VPN read all your domain visit queries. It is better to not let ISP or Big Tech decipher your internet history for obvious reasons.
One DoT provider you could choose is… Mullvad: https://mullvad.net/en/help/dns-over-https-and-dns-over-tls
I like AdGuard, but any decent provider is going to be fine except for Google/Cloudflare or western Big Tech ones.