android: Avoid DNS leak due to blocking TUN device without DNS servers

It looks like Android 9 incorrectly continues to use the regular DNS
servers after the blocking TUN device is replaced with the actual
interface.  Setting DNS servers prevents that (since all traffic is
blocked, which ones doesn't really matter but local/loopback addresses
are rejected).
Interestingly, if the VPN server later does not assign any DNS servers, there
is no fallback to the non-VPN DNS servers for some reason (that's definitely
not as documented).  This could potentially be a problem as we don't
offer an option to configure DNS servers in the VPN profile.

Neither issue is seen on older Android versions (only tested on 7.1.1).

diff --git a/src/frontends/android/app/src/main/java/org/strongswan/android/logic/CharonVpnService.java b/src/frontends/android/app/src/main/java/org/strongswan/android/logic/CharonVpnService.java
index 2777202b595c11e3d70f6346bba3dc7ec833fa72..ac9ff495fab805c657c66d9abb503c861621a986 100644 (file)
--- a/src/frontends/android/app/src/main/java/org/strongswan/android/logic/CharonVpnService.java
+++ b/src/frontends/android/app/src/main/java/org/strongswan/android/logic/CharonVpnService.java
@@ -930,6 +930,9 @@ public class CharonVpnService extends VpnService implements Runnable, VpnStateSe
                        mCache.addAddress("fd00::fd02:1", 128);
                        mCache.addRoute("0.0.0.0", 0);
                        mCache.addRoute("::", 0);
+                       /* set DNS servers to avoid DNS leak later */
+                       mBuilder.addDnsServer("8.8.8.8");
+                       mBuilder.addDnsServer("2001:4860:4860::8888");
                        /* use blocking mode to simplify packet dropping */
                        mBuilder.setBlocking(true);
                        ParcelFileDescriptor fd = establishIntern();