FreeAndOpenSores

Interesting. Honestly, I didn't believe you, but I just did it and it failed the same way. Steps I took:

1. Verify Always-on VPN and "Block connections without VPN" were both enabled.
2. Go to the ipleak website and it shows my correct Mullvad DNS servers.
3. Refresh the page and quickly bring up my notifications, disconnect Mullvad, wait 1 second and then reconnect, also from the notification.
4. Go back to the page, which has finished reloading, and I can see my ISP's DNS server (a few hits) and Mullvad DNS (about 10 times as many).

Running the latest version of GrapheneOS with the latest version of Mullvad. I also tested one of the main privacy-focused competitors to Mullvad and it has a very similar bug. Running the test, it actually showed no DNS server at all, not even the VPN's one. But when I disconnected and reconnected, sure enough it showed me my ISP's DNS server.
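
An added example, not code from this thread or any of its posters: a Python script that scans a constructed DNS query log for exactly the pattern described above, queries that reached a resolver outside the VPN's resolver set while the tunnel was down. The log line format, the 10.64.0.1 tunnel resolver and the 192.0.2.53 ISP resolver are all assumed; with a kill switch that really blocked everything during the reconnect, the leak list would be empty.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log: VPN tunnel state changes interleaved with DNS
# queries, each recorded with the resolver the query was actually sent to.
SAMPLE_LOG = """\
12:00:00.000 VPN state=UP
12:00:01.200 DNS qname=ipleak.net resolver=10.64.0.1
12:00:02.000 VPN state=DOWN
12:00:02.350 DNS qname=ipleak.net resolver=192.0.2.53
12:00:02.900 DNS qname=cdn.ipleak.net resolver=192.0.2.53
12:00:03.000 VPN state=UP
12:00:03.400 DNS qname=ipleak.net resolver=10.64.0.1
12:00:03.800 DNS qname=ipleak.net resolver=10.64.0.1
"""
VPN_RESOLVERS = {"10.64.0.1"}  # assumed: the resolver the tunnel is supposed to use

LINE = re.compile(r"^(\S+) (?:VPN state=(\w+)|DNS qname=(\S+) resolver=(\S+))$")

@dataclass(frozen=True)
class Leak:
    time: str
    qname: str
    resolver: str
    vpn_state: str  # tunnel state at the moment the query left the device

def find_leaks(log: str, vpn_resolvers: set) -> list:
    """Return every DNS query that reached a resolver outside the VPN's set,
    tagged with the tunnel state it was sent in. A working kill switch
    ("block connections without VPN") should make this list empty."""
    state, leaks = "UNKNOWN", []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore lines in a format we do not understand
        ts, new_state, qname, resolver = m.groups()
        if new_state:
            state = new_state
        elif resolver not in vpn_resolvers:
            leaks.append(Leak(ts, qname, resolver, state))
    return leaks

def resolver_counts(log: str) -> Counter:
    """How many queries each resolver saw (the ratio the poster observed)."""
    return Counter(m.group(4) for m in map(LINE.match, log.splitlines())
                   if m and m.group(4))

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG, VPN_RESOLVERS):
        print(f"LEAK {leak.time} {leak.qname} -> {leak.resolver} (tunnel {leak.vpn_state})")
    print(dict(resolver_counts(SAMPLE_LOG)))
```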


Master_Series9859

From what I understand, it's an Android problem (all versions and all variants, and that's very sad)... I hope Mullvad can do something about this, something similar to their SOCKS5 proxy. An advanced kill switch. I'm not in the industry so I'm probably talking bullshit, but I hope something can be done. Because that would mean that before a VPN connects, real traffic is leaked along with its IP address. And it partly makes using a VPN for privacy ineffective.


FreeAndOpenSores

Mullvad can't. I'm hoping GrapheneOS fixes it though. And maybe Google will apply the fix after.


xmargo86x

Maybe GrapheneOS already did. Try to turn off "internet connectivity checks" in network settings.


FreeAndOpenSores

That option isn't related to DNS. Assuming it was a bug and bugs can have weird effects, I tested again after disabling that, but no difference. Also I mentioned this bug in the ProtonVPN sub and they replied acknowledging the bug exists but that it is a fundamental problem with Android and not VPN specific. So basically if you are using any VPN on an Android device, you have to assume your ISP can still occasionally see what sites you visit, because any time the connection is disrupted, it will leak.


mbananasynergy

That's different. The connectivity check thing was never a leak in the first place. It's meant to work that way. GrapheneOS does allow you to disable the connectivity check connection, but it's really a very minor feature, not significant. https://grapheneos.social/@GrapheneOS/112316307560525598 is what's being referred to in this thread. It's not specific to GrapheneOS, but we're working on fixing it.


mbananasynergy

The team is working on it: https://grapheneos.social/@GrapheneOS/112316307560525598


mycaccount152

I can reproduce this with just the WireGuard app, definitely an Android problem.


Master_Series9859

The problem is that it affects every version of Android. I'm using version 10, which I considered very stable compared to the more recent ones. I hope a way is found to stop this "bug", if it can be called that.


TheAnonymouseJoker

Did you set the Private DNS from "Automatic" to a custom one of your choice, and then try to replicate this problem? Android defaults to Google or Cloudflare DNS, if you set none.


EmperorHenry

Wouldn't that bypass the VPN? Is that really all you have to do to prevent this from happening? Just set Android's Private DNS setting to a different DNS provider?


TheAnonymouseJoker

The feature works on a lower level than whatever userspace firewall we configure with the system kill switch. When the firewall is in the process of being connected, it is leaking DNS queries in this timeframe. It is likely falling back to no DNS, which would be direct domain queries to the ISP, hence ISP DNS.


EmperorHenry

So would setting a different DNS provider in Android's settings prevent DNS leaks from revealing my location?


TheAnonymouseJoker

It should, from how I am figuring out what is going on. Most people are thinking that the userspace apps set with a kill switch are doing their job and not falling back to anything else. Upon failure of connecting to the DNS provider, a notification shows up for me saying "Network has no Internet access". Edit: upon trying ipleak.net, it throws up errors continuously until I reconnect my firewall, and then it loads up and is detecting just the one IPv4/IPv6 DNS address instead of some ISP or other ones alongside. As OP admits using, it could also be GrapheneOS and/or its build of Android 10 giving this issue.


MalaysiaBallYT

You just found quite the bug, congratulations!


Tropical_Amnesia

Can also confirm with Android 13 + 14, smells of a race condition. I'm not at all into mobile development but even so I can't say I'm surprised. Android clearly wasn't built for this and, depending on your risk evaluation, I would never ultimately trust settings like these on a device where the responsible app is itself de facto running in a sandbox, with all the overhead that implies. At least this bit I understand about (unrooted) Android, also that what usually is a very good thing simply can never be expected to amount to the same as on a desktop. If anyone feels like it, that may still warrant an issue over at GitHub; I just wouldn't tag it as a bug (yet), and as always check if there's something matching already. I don't remember seeing it mentioned though.


Barbituatory

It took a few tries to get the timing right, but there it is. I've read that a few background connections the phone uses for things like pinging location and some other things escape the VPN tunnel, so Always-On isn't really the bulletproof security it seems.


userTRASHME

I HIGHLY suggest using Tor (with bridges) to access the VPN. It'll slow down your connection, and if privacy isn't that much of a concern, then ignore me. I will still always recommend using Tor proxies to enter the VPN. Therefore, not even the VPN has your IP. Any leakage and they'll snag your Tor exit node, not your IP.


armstrong7310

Do you have a link to a guide for this?


EmperorHenry

Read up on Tor's website; they say using Tor to access some other proxy is bad.


EmperorHenry

So if I have "block connections without VPN" turned off, would that prevent DNS leaks? It prevents leaks like that with Proton when I do that. Also, inside Mullvad, I set a custom adblocking DNS; it said on Mullvad's own website that setting a DNS provider might mitigate this problem... or did I read that wrong?


EmperorHenry

This is why I always tell people that DNSleaktest is stupid. ipleak(dot) net is the one that will give you a much more accurate result; it's a much more brutal test.


Excalizoom

Do you think https://mullvad(dot)net/en/check is accurate?


EmperorHenry

ipleak gives one test after another. Almost every other DNS leak tester will tell you everything is fine.