Dns leaks P8 rdns mullvad

n3t_admin

mmobder do you also use Mullvad?

mmobder

n3t_admin
Sorry, no, another provider (tested on two different ones, actually) haven't mentioned it (as it seems like it's already out of scope of WG client) - it sounds weird that queries are falling through custom dns AND fallback dns all the way down to dhcp.

I assume, obviously, both of you have rethinkdns configured in gos/system as always-on and "block connections without vpn" is also ON.

n3t_admin

mmobder yes. I would need to test with another VPN provider (or, even my home server), to see if results are consistent or just limited to Mullvad. I can only imagine some weird bug related to a routing issue that causes these leaked DNS lookups.

Onlyfun

mmobder answering your question, I noticed split dns was disabled (I clearly remember enabling it first thing upon updating rethink app, same day I started this thread). So i reenabled it, then checked for leaks, Mullvad site gave me following response "faling to check for dns leaks" - I checked with several other sites, straight few of the top duck search results.
Dnsleaktest.com dnscheck.tools and iplocation.net were not able to give any information on my connection, only browserleaks.com returned a satisfactory result(expected servers, no leaks). Meanwhile I saw Dns in rethink is marked 'very slow', so I switched between Mullvad Extended and Mullvad Aguard couple of times, It did seems to help, then I saw my wireguard status was failing for some reason, ok I added another wireguard from different provider and both went active status. But since I wanted to clarify with mullvad i deactivated the new one, keeping just mullvad running.

Later I ran mullvad again on both browsers few time in a row no leaks. I have zero clue what is going on with dns, again my results with leaks to google cannot be justified anyhow for my case.

Sorry for such verbose description but lacking sustainable reasoning I hope details of the issue could make it easier for more knowledgeable ones to figure out.

mmobder

Onlyfun

Sometimes I catch myself mixing up reality timeline vs app settings, so mistakenly apply memory of the moments something is not working (with "wrong" settings) while to moments when settings were right and in fact all was working (with some overlap of dns cashing etc).
Once I run clean run - dns cache reset, all settings applied correctly with proper understanding, all becomes clear and working.

Again, having VPN setup properly in system (always on, killswitch) and in rethinkdns, when none of DNS-related settings (split DNS, settings->dns, fallback DNS, prevent leaks, "bypass apps from all proxies", ...) leaves possibility to drop request to "system-dhcp", I can't recall a moment when I've seen a case of rdns dropping request to my dhcp.
The only thing is that on a daily basis I have rdns configured to do not use WG DNS but my custom DoT dns. However, I have performed tests with split ON to test you're case.

ignoramous

n3t_admin It's on Android 11. Wireguard is set to "Simple/Easy", not advanced. Thus, DNS is set to "Wireguard" without any option to change it. Split DNS is enabled anyway, but makes no difference.

On Android 11 and below, Configure -> DNS - > Split DNS needs Configure -> DNS -> Advanced DNS filtering to also be turned ON. But: For Simple mode WireGuard, Split DNS is NOT needed. Like you see in the Configure -> DNS UI, WireGuard DNS must be used for ALL installed apps (ie, apps not excluded or setup to bypass proxy).

Yup, I can confirm that pretty much every request (apart from the failed ones) shows a duck emoji.

This shouldn't happen. This is the first such report we've got of this. If you're on v055o+, will you copy and share the output from the RDNSInfo (appears midway) & WireGuard sections (appears right at the bottom) from About -> Stats (the text in there is selectable)?

Onlyfun I am checking for dns leaks on mullvad site, there i get multiple google servers mixed with mullvad's.

Are you running WireGuard in Advanced mode or Simple mode?

Onlyfun By the way, don't split dns and never proxy dns settings conflict if both set to on?

Configure -> DNS -> Split DNS is to route an app's DNS query through desired Proxy (usually, some active WireGuard configuration in Advanced mode, or Orbot / SOCKS5 / HTTP proxy).
Configure -> DNS -> Never proxy DNS is to instruct Rethink to NOT proxy the user-preferred DNS upstream; to NOT use those proxies (Orbot, SOCKS5, HTTP, WireGuard in Simple mode, or "Always-on" WireGuards in Advanced mode) as a hop to connect to DNS.

Cause whatever it means, it wont explain google servers in my tests.

Logs can explain what's going on, but you'll have to share them. If you're on Rethink v055o or later, you can also inspect logs (some have had success with using popular LLMs, too) if you want from Configure -> Settings -> App logs. Make sure to switch the log level to "Very verbose" by tapping on the filter icon in the search bar. The button at the footer that goes "Email crash logs" will export the logs to a ZIP file that you can save or share.

I just cant come with an idea of what makes my dns queries to be sent to google.

You can't know for sure if DNS queries are being sent to Google, just because a website reports that your client does.

By the way, not that long ago I was getting microsoft in same dns tests, not anymore.

That's the limitation of all these websites that claim to unearth "DNS leaks". They can't tell apart actual resource access from DNS queries. In this case, what's likely is, you'd have Configure -> DNS -> Show website icon in DNS logs turned ON, which fetches favicons for the hostnames in DNS queries from NextDNS (hosted on Cloudflare/AWS/GCP) or DuckDuckGo (hosted on Microsoft Azure).

These "DNS leak" testing websites can't tell a favicon download from a DNS query. These service may also have other such limitations and/or bugs, depending on how sophisticated or rudimentary their implementation actually is.

Could you clarify what is meant by "system dns” ?

These are DNS resolvers advertised by the currently active underlying networks (ex: WiFi / Mobile).

Onlyfun Later I ran mullvad again on both browsers few time in a row no leaks. I have zero clue what is going on with dns, again my results with leaks to google cannot be justified anyhow for my case.

Onlyfun For example right now typing this text i checked - no leaks.

Do not solely rely on these websites. You can monitor the app logs from Rethink. The Configure -> Logs -> DNS since v055o shows ALL outgoing DNS queries Rethink makes (including the ones it makes for its own connections).

Onlyfun Meanwhile I saw Dns in rethink is marked 'very slow',

"Very slow" means 100ms+ is the median DNS resolution latency for the currently active DNS resolver in-use. Not that bad for DNS over VPN, if you ask me.

n3t_admin Maybe I'm doing something extremely wrong here, but given my experience with networking, I honestly doubt it.

You could consider sharing App logs output with us over email (I am mz at celzero dot com, please link to this thread in the body / subject) or analyzing them yourself Configure -> Settings -> App logs (don't forget to set the log level to "Very verbose" by tapping on the filter icon; the App logs log level will reset to "Error" after 3 hours to avoid consuming unnecessary resources; you can share these logs by tapping on the "Email crash logs" floating button shown in the footer of App logs UI).

n3t_admin

okay, after testing for around an hour, even downgrading to "q", I give up. I just can't make Rethink work the way it should. I can't even set Fallback DNS - it just goes back randomly to RDNS resolution.
I can't tell if it's just my device, a recent update or whatever - but in this state (if I was still actively using it), I would've traded it for WGTunnel or something, which works flawlessly. Maybe I'm doing something extremely wrong here, but given my experience with networking, I honestly doubt it.

n3t_admin

ignoramous okay - really didn't want to invest more time into troubleshooting this, but here we are.

Version "n" (last stable release according to Github) works perfectly fine. No leaks detected, whatsoever. I didn't test "o" and "p", however; "q" was already leaky, and I think I have a suspicion why. You could select "none" as Fallback DNS in version "n" - an option that is completely missing in recent versions. I see that for DNS it defaults to "LHR" or "FRA" in the main view. It is also showing DNS as slow in that same view, may be related.

For a brief moment, I was able to get the Mullvad DNS working, for like 10 seconds. Then it showed a "DNS error" (under the "Stop" button) and defaulted to the fallback.

ignoramous On Android 11 and below, Configure -> DNS - > Split DNS needs Configure -> DNS -> Advanced DNS filtering to also be turned ON. But: For Simple mode WireGuard, Split DNS is NOT needed. Like you see in the Configure -> DNS UI, WireGuard DNS must be used for ALL installed apps (ie, apps not excluded or setup to bypass proxy).

tried all of that in various combinations already - no luck.

ignoramous This shouldn't happen. This is the first such report we've got of this. If you're on v055o+, will you copy and share the output from the RDNSInfo (appears midway) & WireGuard sections (appears right at the bottom) from About -> Stats (the text in there is selectable)?

I'll attach it to the mail.

ignoramous You could consider sharing App logs output with us over email (I am mz at celzero dot com, please link to this thread in the body / subject) or analyzing them yourself Configure -> Settings -> App logs (don't forget to set the log level to "Very verbose" by tapping on the filter icon; the App logs log level will reset to "Error" after 3 hours to avoid consuming unnecessary resources; you can share these logs by tapping on the "Email crash logs" floating button shown in the footer of App logs UI).

I will do that, since I don't really have time to troubleshoot this myself (especially since I'm not using Android anymore).

Onlyfun

ignoramous Do not solely rely on these websites. You can monitor the app logs from Rethink

I would like to follow both of your recommendations. I mean I can see the logs, but it's not clear what's going on with me. checking a few sites as a cross-reference, it's not too bad to rely on. For example, now I have 2 of them showing me matching Google servers in a DNS leak test, one of which is a browserleaks.com that was solid with zero suspicion for years. I don't have that much of a history with Mullvad, but I think the positive cumulative feedback from the community on it is also worth something.

So for a week I enjoyed no dns leaks, but the behavior of the rethink app was not so smooth. I have no idea where to start, first of all, when I feel the connection is slow, I check to review the app. There I often see strange things with the prox, sometimes it is inactive or even inactive, but when I open the proxy page, the switches are turned on, it is further into the wireguard as well, and the wireguard itself has a status connected, even though on the previous page a second ago it was inactive, or failing or inactive.

A few apps I installed still show up in the list of apps, but with a deleted name, when I click, I get a message that there is no app, the information is missing, and it suggests that ot lrob has been turned off. Then, by clicking "block when the source is unknown" from the firewall rules page, where there are dozens of events, I get to the network log with dozens of "unknown" attempts.

Can you imagine what that could be?

I turned off "use fallback dns as bypass" (blocking when fallback dns is bypassed in the firewall, so I'm assuming the bypassed dns should be dropped now, not sent to google) and now I see google severs in the dns results again.

Please share your thoughts on all this, should I be concerned by an unknown app?

ignoramous

Onlyfun positive cumulative feedback from the community on it is also worth something

The problem is, the feedback from unreliable webservices cannot be taken as a bug. The Configure -> Logs -> DNS shows all outgoing DNS queries (per-app even if you're on Android 12+). You can observe what DNS resolvers are used when you run "leak test" on browserleaks.com etc (use the search bar to filter for just the entries you want to evaluate).

Alternatively, capture Configure -> Settings -> App logs at Very verbose log level (tap on the filter icon to change it to Very verbose; the default is Error, and the app will auto switch back to this default after _3h).

Onlyfun it is further into the wireguard as well, and the wireguard itself has a status connected, even though on the previous page a second ago it was inactive, or failing or inactive

That's a UI bug. I've been pestering the lead to fix it, but he hasn't :(

Onlyfun few apps I installed still show up in the list of apps, but with a deleted name, when I click, I get a message that there is no app, the information is missing, and it suggests that ot lrob has been turned off

In the versions after v055o until v055t, the app names in logs do get messed up on installs / reinstalls / uninstalls. We've since fixed that for v055u.

Onlyfun turned off "use fallback dns as bypass" (blocking when fallback dns is bypassed in the firewall, so I'm assuming the bypassed dns should be dropped now, not sent to google

That's not what the setting does. Use Fallback DNS as bypass instructs Rethink to use Configure -> Network -> Fallback DNS as the upstream resolver for Bypassed apps (aka Bypass DNS and Firewall or Bypass Universal) or IPs and domains (Trusted or allowed universally/globally from Configure -> Firewall -> IP and port rules).

Onlyfun

I just saw something that is clearly a bug, when all network logs were by an app without name(simply no test where the name is supposed to be) and an icon of android, with several connections active when i opened one and changed it to blocked icons turned vanadium which they should've been. So just wondering if alike bugs happen elsewhere in the app in dns resolving? That may lead to leaks? Seems that app is raw to some extent.

Onlyfun

Ran some part of log thru GPT and got response that there re issues with dns config and/or remote server. Dns leak tests now constantly show google servers. Even when i reverted the fallback dns as bypass setting. And even switching WG proxy to simple does not fix. Leaking to google and Microsoft all the way.

Now even with deactivated proxy still leaking dns, while mullvad and a couple others just fail dns leak test, not fetching anything. That never happened before since I connect behind wireguarded router.

ignoramous

Onlyfun Now even with deactivated proxy still leaking dns, while mullvad and a couple others just fail dns leak test, not fetching anything

If you could capture logs (at Very verbose level from Configure -> Settings -> App logs) as you run in to these "leaks", I can tell you what's going on. Otherwise, I I can only speculate. It is also okay if you can't, as logs of course contain sensitive information.

Onlyfun Now even with deactivated proxy still leaking dns, while mullvad and a couple others just fail dns leak test

Please make sure you're running Configure -> Proxy -> Setup WireGuard in Advanced mode with Lockdown turned ON.

As before, if the DNS requests were sent to Google and "Microsoft" (Microsoft's DNS servers aren't even pre-configured anywhere in Rethink, assuming Microsoft runs public DNS servers), you should see them in Configure -> Logs -> DNS (use the search bar to filter for the domain, browserleaks.com, whichnameserve.rs, dnsleaktest.com, dnscheck.tools, etc; you're testing leaks with).

Onlyfun

ignoramous
Thank you for clarifying my concerns!
I fixed the leaks by switching dns to System Dns, and deactivating proxy. Weird but now to be able to capture logs with dns leaking I reversed the settings and there is no leaks. Now I don't know what was triggering them. Maybe some app or other setting(not related to dns) outside of rethink, unfortunately I did not keep track of such. But I'll keep rethink setup and be checking for leaks, if it repeats I'll get the logs.

I forgot to mention the most concerns. 1st is an uknown app trying to access network. Network gets blocked by firewall. Dns queries are not.
2nd is that network permission for those uninstalled apps that are still in rethink app list is now tied to some other apps.

No trace of above problematic apps anywhere outside rethink app.

ignoramous

Onlyfun 1st is an uknown app trying to access network. Network gets blocked by firewall. Dns queries are not.

This is tricky to get right without confusing other apps. We'll see if we can ship blocking requests by Unknown apps (on Android 12+) when Configure -> Firewall -> Universal firewall rules -> Block when source app is unknown is turned ON. Please track: https://github.com/celzero/rethink-app/issues/2314

Onlyfun 2nd is that network permission for those uninstalled apps that are still in rethink app list is now tied to some other apps

This is a serious bug that sneaked in v055o+. We have since fixed it in v055u, which is due a release soon (if tests pan out).

Onlyfun

ignoramous Thanks!

Could traffic issues i mentioned be cqused by the firewall rule "Block UDP except DNS and NTP" turned on?

I figured that might be it since WireGuard uses UDP, and Mullvad just added QUIC stuff (which is HTTP/3, so also UDP), and I keep seeing a ton of HTTP/3 blocks in the log.

I've turned the UDP block off and I'm testing it now.

Maybe this is why the WG proxy status freaks out sometimes, too?

ignoramous

Onlyfun Block UDP except DNS and NTP" turned on?

I figured that might be it since WireGuard uses UDP

Yes, WireGuard does use UDP, but as of today, firewall rules are NOT applied to Rethink's own traffic. We do plan to ship the ability to block Rethink with its own firewall (this is what the Configure -> Network -> Loopback mode was introduced for).

Onlyfun but dns goes thru google a lot no mater what

Rethink supports split tunnel and running multiple WireGuard configurations (in Lockdown / Always-on modes) at once. It isn't similar to other WireGuard apps in this regard. That said, there's has been no large reports of "DNS leaks" to Google.

Besides, as explained above, "DNS leak" websites are testing for plain old DNS manipulation (by transparent DNS proxies). For example, if you turn ON Configure -> DNS -> Show website icon in DNS logs, you may start seeing Microsoft / AWS / other providers in your leak results, even if Rethink did NOT use those other providers for DNS (but used it to download website icons / favicons).

To know why your installation of Rethink is "leaking DNS", I'd need Very verbose logs (instructions shared above). It is very straightforward to determine this with logs.

Onlyfun

Quick update. 2 weeks back on Mullvad app, rock solid Zero leaks. One minor concern, battery needs to be charged sometimes, worth mentioning inapp extras such as multi hop, daita etc. consume the battery quiet a bit

With rethink dns battery seems absolutely infinite:) but dns goes thru google a lot no mater what.

« Previous Page Next Page »