authorAlbin <albin@mullvad.net>2024-05-08 15:10:46 +0200
committerAlbin <albin@mullvad.net>2024-05-08 15:10:46 +0200
commit9869614e08caa819a36877633ccc0bf981f29c76 (patch)
tree92fc83e33a2d36e9d9e2cb4ba2758dd9fa531252 /android
parent44dcda5625ddbbc2bceb4689de28d837f6526ced (diff)
parent25bc1977eb86dc8458a5b247fd75e49dda2d3ce4 (diff)
Merge branch 'prevent-dns-leaks-in-blocking-states-droid-950'
Diffstat (limited to 'android')
-rw-r--r--android/CHANGELOG.md3
-rw-r--r--android/lib/talpid/src/main/kotlin/net/mullvad/talpid/TalpidVpnService.kt17
2 files changed, 20 insertions, 0 deletions
diff --git a/android/CHANGELOG.md b/android/CHANGELOG.md
index e25d01f58d..811fc2dcc7 100644
--- a/android/CHANGELOG.md
+++ b/android/CHANGELOG.md
@@ -22,6 +22,9 @@ Line wrap the file at 100 chars. Th
* **Security**: in case of vulnerabilities.
## [Unreleased]
+### Security
+- Fix DNS leaks in blocking states or when no valid DNS has been configured due to an underlying OS
+ issue. In these cases a dummy DNS will be set to prevent leaks.
## [android/2024.2-beta1] - 2024-04-17
diff --git a/android/lib/talpid/src/main/kotlin/net/mullvad/talpid/TalpidVpnService.kt b/android/lib/talpid/src/main/kotlin/net/mullvad/talpid/TalpidVpnService.kt
index 94b097fe13..76abde2a01 100644
--- a/android/lib/talpid/src/main/kotlin/net/mullvad/talpid/TalpidVpnService.kt
+++ b/android/lib/talpid/src/main/kotlin/net/mullvad/talpid/TalpidVpnService.kt
@@ -2,6 +2,7 @@ package net.mullvad.talpid
import android.net.VpnService
import android.os.ParcelFileDescriptor
+import android.util.Log
import java.net.Inet4Address
import java.net.Inet6Address
import java.net.InetAddress
@@ -103,6 +104,18 @@ open class TalpidVpnService : VpnService() {
}
}
+ // Avoids creating a tunnel with no DNS servers or if all DNS servers was invalid,
+ // since apps then may leak DNS requests.
+ // https://issuetracker.google.com/issues/337961996
+ if (invalidDnsServerAddresses.size == config.dnsServers.size) {
+ Log.w(
+ "mullvad",
+ "All DNS servers invalid or non set, using fallback DNS server to " +
+ "minimize leaks, dnsServers.isEmpty(): ${config.dnsServers.isEmpty()}"
+ )
+ addDnsServer(FALLBACK_DUMMY_DNS_SERVER)
+ }
+
for (route in config.routes) {
addRoute(route.address, route.prefixLength.toInt())
}
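Review bot: The fallback at `addDnsServer(FALLBACK_DUMMY_DNS_SERVER)` only prevents leaks if traffic to that address is routed into the tunnel, and nothing in this hunk guarantees that, because the routes are added right afterwards purely from `config.routes`. If a configuration can ever carry routes that do not cover 192.0.2.1, queries to the dummy resolver would presumably follow the underlying network rather than being dropped in the tunnel. Either state the assumption next to the check, e.g. `// Relies on config.routes covering FALLBACK_DUMMY_DNS_SERVER so queries to it stay inside the tunnel.`, or add a host route for the address explicitly. The enclosing function starts and ends outside the hunk, so the code that fills `invalidDnsServerAddresses` is not visible here.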
@@ -148,4 +161,8 @@ open class TalpidVpnService : VpnService() {
private external fun defaultTunConfig(): TunConfig
private external fun waitForTunnelUp(tunFd: Int, isIpv6Enabled: Boolean)
+
+ companion object {
+ private const val FALLBACK_DUMMY_DNS_SERVER = "192.0.2.1"
+ }
}
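Review bot: `FALLBACK_DUMMY_DNS_SERVER` is declared without a comment explaining why this particular address is safe to use as a resolver that must never answer. A line above the constant would prevent a later change to a "working" DNS server, for example `// 192.0.2.1 is in TEST-NET-1 (RFC 5737): reserved for documentation, never a real resolver, so queries sent to it cannot be answered.` The fallback is also IPv4-only, so it is worth confirming that a tunnel configured with only IPv6 addresses gets the same protection; that cannot be determined from this hunk. The class body continues outside the hunk.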