State of the DNS and other VPN outbound leaks

words

I was following the situation with the multicast, DNS leaks outside the VPN tunnel for a while but didn't grasp the full picture. What issues are resolved and perist currently?

I'd love to get some explanations on 0edb781:

// Unfortunately we have to allow system apps to use this service even when under a lockdown // VPN, otherwise would break things.

// Prevent unicast leaks. Can only do this for regular apps as core system and system apps rely // on this being allowed. // TODO: Review IP_UNICAST_IF and IP_PKTINFO. // TODO: Review PermissionMonitor#hasRestrictedNetworkPermission to see if this covers all of // the system uids that need to SO_BINDTODEVICE. These uids do not have LOCKDOWN_VPN_MATCH.

I remember reading the code and coming to the conclusion it isn't safe to use IPv6 for now, but i literally don't remember how i came up to this conclusion.

GrapheneOS

words All known outbound leaks are fixed on GrapheneOS when Private DNS is set to Off.

words Connectivity checks are not and have never been a leak. DNS leaks are fixed by GrapheneOS, as are all 4 other kinds of known outbound leaks not tied to Private DNS. Private DNS is a special case and needs more than leak blocking, it shouldn't be global but rather per-profile.

words

Bumping the question..

words

The fact that Mullvad suggests those leaks aren't fixed anywhere despite being in contact with GrapheneOS is also concerning

The known leaks include, but may not be limited to, the following type of traffic:

Any traffic sent by the current VPN app (e.g API requests).
DNS lookups performed directly with the C function getaddrinfo.
Private DNS traffic (e.g DNS-over-TLS).
OS connectivity checks.
Multiple reports with variants of this behaviour have surfaced over the years, however the problems still persist. Mullvad is not aware of any mitigation to these leaks.

words

GrapheneOS All known outbound leaks are fixed on GrapheneOS when Private DNS is set to Off.

Love to hear it. Great work.

user2025

Not sure im right,im using GOS and Rethink on user(s) profile and on Private Space profile,both instancew independent of each other.

Ive aetup a Proxy Wireguard with my paid ProtonVPN settings, on different countries and servers, based on the needed resource to access ,hide,test.
With the above config ON,tasted many times on many sites and no DNS leaks seen or reported.