android: Avoid DNS leak due to blocking TUN device without DNS servers
It looks like Android 9 incorrectly continues to use the regular DNS servers after the blocking TUN device is replaced with the actual interface. Setting DNS servers prevents that (since all traffic is blocked, which ones doesn't really matter but local/loopback addresses are rejected). Interestingly, if the VPN server later does not assign any DNS servers, there is no fallback to the non-VPN DNS servers for some reason (that's definitely not as documented). This could potentially be a problem as we don't offer an option to configure DNS servers in the VPN profile. Neither issue is seen on older Android versions (only tested on 7.1.1).
This commit is contained in:
parent
e89cfe4854
commit
84ee9577e1
@ -930,6 +930,9 @@ public class CharonVpnService extends VpnService implements Runnable, VpnStateSe
mCache.addAddress("fd00::fd02:1", 128);
mCache.addRoute("0.0.0.0", 0);
mCache.addRoute("::", 0);
/* set DNS servers to avoid DNS leak later */
mBuilder.addDnsServer("8.8.8.8");
mBuilder.addDnsServer("2001:4860:4860::8888");
/* use blocking mode to simplify packet dropping */
mBuilder.setBlocking(true);
ParcelFileDescriptor fd = establishIntern();
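Review bot: the two new mBuilder.addDnsServer(...) calls go straight to the builder, while the neighbouring addresses and routes in this hunk go through mCache.addAddress / mCache.addRoute; if mCache is the record of what was applied to the builder, consider adding the DNS servers through it as well, or state in the comment why they are set directly. The comment "set DNS servers to avoid DNS leak later" should also carry the reasoning from the commit message: the addresses are placeholders whose value does not matter because setBlocking(true) drops all traffic, and local/loopback addresses are rejected by the API, so a later reader does not conclude that the app deliberately resolves through 8.8.8.8 / 2001:4860:4860::8888. The second problem described in the commit message (no fallback to the non-VPN resolvers when the server assigns no DNS servers) is not addressed by this hunk; a TODO next to these lines would keep that open issue visible.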