DNS traffic can leak outside the VPN tunnel on Android

Conclusions and recommendations

DNS leaks may have serious privacy implications for users, and can be used to derive users' approximate location or find out what websites and services a user uses.

These finding also shows once again that “Block connections without VPN” does not live up to its name (or documentation) and that it has multiple flaws. Apps may still leak DNS traffic during the conditions mentioned above, and as previously reported it still leaks connection check traffic.

Depending on your threat model this might mean that you should avoid using Android altogether for anything sensitive, or employ other mitigations to prevent the leaks. We aim to partially mitigate these problems in our app, so make sure to keep the app up-to-date.