Private DNS should be avoided with secondary user VPNs

FOSSOS

I was testing VPN connections with several user profiles active and found a DNS leak that's easy to reproduce. It's similar to the old DNS leak that has been fixed for the main profile but doesn't seem to be fixed system wide when multiple profiles are active.

Previously @GrapheneOS stated that the DNS leaking to other servers outside of the VPN DNS had been fixed but this doesn't always seem to be the case.

I set my default DNS servers to Cloudflare and had multiple profiles active and tried a couple VPN apps (PIA app mostly). When I'm in the owner profile and connect to a server I see no DNS leaks. When I let the owner profile stay active and move to a different profile connected to a VPN in a different country and it disconnects and reconnects I will see both the VPN DNS and a Cloudflare Anycast DNS close to the location of the VPN server running in the main profile.

I had Always-on VPN and Block All Connections enabled in all tested profiles.

I tested this by opening a browser and going to ipleak.net, then connecting and disconnecting the VPN several times while it did several rounds of 300 DNS tests.

Main profile:

Connected to server A.
IPleak results when connected: VPN A DNS
iPleak results when disconnected: Failure to connect
IPleak results when reconnecting or connecting: VPN A DNS or Failure to connect.
Result: As expected the VPN doesn't leak.

Secondary Profile:

Connected to VPN server B
IPleak results when connected: VPN B DNS
IPleak results when disconnected: Failure to connect
IPleak results when reconnect or connecting: VPN B DNS and Cloudflare Anycast DNS in the same location of VPN A.
Results: The VPN leaks to Cloudflare Anycast DNS which uses VPN A's location to connect to the closest Anycast server.

This is unfortunate and still compromises the VPN users privacy because it leaks DNS traffic in a secondary profile while the main profile is active and connected to a VPN and the secondary profile is reconnecting.

argante

FOSSOS This is probably related to this thread.

GrapheneOS

FOSSOS You haven't said how your Private DNS configuration is set up. It should be disabled.

FOSSOS

argante it could be but that are mDNS going from the local to a domain while casting. What I'm reporting is a direct query to the configured DNS from the static IP settings

FOSSOS

GrapheneOS it's disabled. I only have the DNS set to static instead of DHCP. No Private DNS is used.

FOSSOS

GrapheneOS I double checked my settings and it was set to default, which for some reason is automatic. I never changed the Private DNS settings because I know it shouldn't be used when a VPN is enabled. I'm not sure if this is what causes it but if it does, shouldn't Private DNS Automatic know to not use it by default or change it to Disabled if it detects a VPN?
If this is what causes the leak and users install their VPN and leave the settings to default (like most do) it will cause leaks for them without knowing it.

It would make more sense that Private DNS (Automatic) would have to be enabled again if a user that wants to use both. If it causes leaks in other profiles the majority of VPN users wouldn't want this to happen.

I never noticed a leak before on my main profile with private DNS set to automatic (default and not configured) and I regularly check by disconnecting and reconnecting. This is the first time I test it on a secondary profile and this is the first time I have ever seen a leak after the VPN leak protection updates from GrapheneOS.

forum257457

Are you configuring the default DNS through the Private DNS settings under Settings > Network & internet?

It's already known that Private DNS interacts badly with VPN usage in secondary profiles. The recommendation is to disable Private DNS if you use a VPN in any profile. See the replies below from @GrapheneOS.

https://discuss.grapheneos.org/d/17109-private-dns-automatic-or-off-if-a-vpn-is-used/4

https://discuss.grapheneos.org/d/17109-private-dns-automatic-or-off-if-a-vpn-is-used/7

FOSSOS

forum257457 I forgot to mention in my test results that private DNS is not used. The DNS is set to cloudflare through static IP configuration. Private DNS is disabled.

forum257457

FOSSOS

The default setting for Private DNS is Automatic. Users should manually set it to Off when using a VPN. The documentation could more prominently mention it, but it does cover this in a couple FAQs:

From https://grapheneos.org/faq#custom-dns:

If you're using a VPN, you should consider using the standard DNS service provided by the VPN service to avoid standing out from other users.

From https://grapheneos.org/faq#vpn-support:

If you're using a VPN, we recommended against having a Private DNS server configured.

It would be better if the documentation mentioned that VPN users should reconfigure Private DNS from Automatic to Off.

Can you configure Private DNS to be Off and retry your testing?

FOSSOS

forum257457 I retried testing and have not yet noticed a leak on a secondary profile but I will continue testing and report if I find it leaking again.

I had Private DNS set to the default since I started using GrapheneOS and never noticed a leak from it in my main user profile, which I check for leaks every day and have never seen one show up before, that's why it is weird to me that it does leak because of that on a secondary profile.

I do think it's counterintuitive that Private DNS is left to Automatic if a VPN is detected by the OS. There are only a few users that want to configure a Private DNS while the VPN is on. It would make more sense for Automatic to disable itself when a VPN is detected so that it has to be enabled again. That will prevent leaks from users that don't know this causes a problem. I know you can't use a Private DNS and a VPN together but even for me the default Automatic setting caused problems since I relied on the OS preventing leaks by default if a VPN is detected.