From 82ed01b49a4cd659982916979a0c1fc00f5efd60 Mon Sep 17 00:00:00 2001
From: liamsmith827
Date: Wed, 4 Mar 2026 02:29:59 +0000
Subject: [PATCH] fixup! fix DNS leak in VPN lockdown mode when VPN is down

When a VPN app is doing DNS with its own tunnel servers, protecting that traffic can result in the tunnel and tunnel DNS server IP addresses leaking. Any VPN app that is setting tunnel DNS servers that aren't reachable through the tunnel is already broken, as apps would be unable to do DNS when leak blocking is enabled.
---
 server/NetworkController.cpp | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
index b3648364..1b0fd5fe 100644
--- a/server/NetworkController.cpp
+++ b/server/NetworkController.cpp
@@ -242,8 +242,12 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
         // servers (through the default network). Otherwise, the query is guaranteed to fail.
         // http://b/29498052
         Network *network = getNetworkLocked(*netId);
-        if (network && network->isVirtual() && !resolv_has_nameservers(*netId)) {
-            *netId = defaultNetId;
+        if (network && network->isVirtual()) {
+            if (!resolv_has_nameservers(*netId)) {
+                *netId = defaultNetId;
+            } else {
+                fwmark.protectedFromVpn = false;
+            }
         }
     } else {
         // If the user is subject to a VPN and the VPN provides DNS servers, use those servers
@@ -253,7 +257,7 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
         VirtualNetwork* virtualNetwork = getVirtualNetworkForUserLocked(uid);
         if (virtualNetwork && resolv_has_nameservers(virtualNetwork->getNetId())) {
             *netId = virtualNetwork->getNetId();
-            fwmark.explicitlySelected = true;
+            fwmark.protectedFromVpn = false;
         } else {
             // TODO: return an error instead of silently doing the DNS lookup on the wrong network.
             // http://b/27560555
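Review bot: The second hunk replaces `fwmark.explicitlySelected = true;` with `fwmark.protectedFromVpn = false;` instead of adding to it, so a query for a user subject to a VPN is no longer marked as an explicit selection of the VPN's netId; unless the routing rules for the resolver's own uid already steer an unmarked, non-protected query into the VPN's table, this may change which table the lookup uses, so it is worth confirming, or keeping both assignments: `fwmark.explicitlySelected = true;` followed by `fwmark.protectedFromVpn = false;`. The rationale from the commit message is also absent from the code; the new else branch in the first hunk would benefit from a comment such as `// The VPN provides its own DNS servers: route the query through the tunnel rather than around it, so the tunnel and tunnel DNS server addresses are not exposed to the underlying network.`, with the same comment on the assignment in the second hunk. Both hunks presumably rely on protectedFromVpn being set to true earlier in the function, which is outside the hunks; getNetworkForDnsLocked's body begins and ends outside both hunks.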