Proxy DNS Leak #222

Closed
Bok0335 opened this issue May 8, 2024 · 13 comments
Labels
bug Something isn't working proxy This is related to the socks proxy feature

Comments

@Bok0335

Bok0335 commented May 8, 2024

On a fresh install of Fedora 40, using Mullvad VPN with its respective browser in the Wayland mode (I'm not sure how useful this information is, but I'm including it just to be safe), using a proxy results in a DNS leak of the proxy, which shows the DNS of the VPN. So, for example, if my VPN is set to Germany and I use a proxy in the Netherlands, a DNS leak test shows the DNS is located in Germany. I'm aware that some countries in Mullvad will have their DNS in another location, but this example is from a location that has its own DNS, which indicates a leak. Not only that, but the location where the VPN says it is located matches perfectly with the leak.

No modifications were made to the VPN, and the only change in the browser was setting the secure DNS to be off, as recommended by Mullvad.

@ruihildt ruihildt transferred this issue from mullvad/mullvad-browser May 8, 2024
@ruihildt ruihildt added the proxy This is related to the socks proxy feature label May 8, 2024
@Bok0435

Bok0435 commented May 18, 2024

Hello, OP here. I lost my account due to an issue with 2FA.
I have an update regarding the issue. If I enable secure DNS in the browser, the tests will show that the leaked DNS has been replaced by a DNS in a fixed location (UK), which works as a mitigation because the DNS of the VPN does not appear. However, this does not solve the issue nor respect the requirement to be turned off when using Mullvad VPN.

One thing I noticed is that the IP is being defaulted to IPv6, which is not enabled on Fedora or the VPN. I'm not sure if this is part of the problem, but I asked a friend to test it on Windows with Proton VPN (that was the only VPN they had available), and it defaults to IPv4. Because of that, I tried enabling IPv6 to see if it changes anything, but it didn't. This makes me wonder if this is an actual feature, and I'm misinterpreting it as a bug related to the proxy DNS leak. However, so far, I have no more leads on how to fix it.

@ruihildt
Member

Thanks for the additional details, I'll be looking into it in the next weeks.

@ruihildt ruihildt moved this from Triage to In Progress in Mullvad Browser Extension Jun 17, 2024
@ruihildt ruihildt added the bug Something isn't working label Jun 17, 2024
@ghost

ghost commented Jul 28, 2024

I wanted to add further information as I perceive this as a high priority issue.

The problem
Default installation of Mullvad Browser (MB) with a proxy server selected (and of course, DNS proxy enabled) forwards MB's DNS request to both your system's DNS server and MB itself. The response from your system DNS server isn't used or respected though (i.e. regardless of the response from your system DNS resolver, MB will use its own proxy server's DNS response).

The request to your system's DNS resolver uses the VPN connection, not the proxy. Hence this reveals your true VPN connection. For example: if you are connected to an Amsterdam server in the VPN and use a Berlin proxy in MB, the DNS leak tests will show both servers resolving your same domains.

(Tested on Linux using a local DNS server as well as remote NextDNS with logging enabled. I can't tell you about how Mac or Windows behaves.)

Fixes

  • DNS leak doesn't occur when you create and use a second browser profile, even with the same exact settings. The default profile still causes DNS leak however. This is a quick and easy solution you could use until the bug is fixed.
  • DNS leak doesn't occur when you remove the proxy addon from MB and use Firefox's proxy setting to configure Mullvad SOCKS5 server (10.64.0.1:1080) and (obviously) enable DNS proxy.
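
A way to check for the leak described in the comment above from the system resolver's side, as an added example that is not part of the thread or of the extension's code. It assumes the local resolver is dnsmasq with query logging (`log-queries`) enabled and that the canary hostnames were opened only in the proxied browser; the log lines, hostnames and the `leaked_lookups` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed dnsmasq-style query log from a local system resolver (not real data).
SAMPLE_LOG = """\
Jul 28 10:15:01 dnsmasq[812]: query[A] detectportal.example from 127.0.0.1
Jul 28 10:15:04 dnsmasq[812]: query[A] leaktest-a1b2.example.net from 127.0.0.1
Jul 28 10:15:04 dnsmasq[812]: forwarded leaktest-a1b2.example.net to 192.0.2.53
Jul 28 10:15:04 dnsmasq[812]: query[AAAA] leaktest-a1b2.example.net from 127.0.0.1
Jul 28 10:15:09 dnsmasq[812]: query[A] updates.example.org from 127.0.0.1
"""

# Only "query[...]" lines are client lookups; "forwarded"/"reply" lines are ignored.
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<rtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)"
)


def parse_queries(log_text):
    """Yield (record_type, lowercased_name, client) for each logged client query."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m["rtype"], m["name"].rstrip(".").lower(), m["client"]


def leaked_lookups(log_text, canaries):
    """Return {canary: [record types]} for canaries the system resolver saw.

    With the proxy's remote DNS working as intended, names opened only in the
    proxied browser should never reach the system resolver, so any hit means
    the lookup also went out over the VPN path.
    """
    canaries = {c.rstrip(".").lower() for c in canaries}
    hits = defaultdict(set)
    for rtype, name, _client in parse_queries(log_text):
        for canary in canaries:
            if name == canary or name.endswith("." + canary):
                hits[canary].add(rtype)
    return {c: sorted(types) for c, types in hits.items()}


if __name__ == "__main__":
    visited_in_proxied_browser = ["leaktest-a1b2.example.net", "leaktest-zz99.example.net"]
    for name, types in leaked_lookups(SAMPLE_LOG, visited_in_proxied_browser).items():
        print(f"LEAK: {name} resolved by system resolver ({', '.join(types)})")
```

Use a fresh, random hostname per test run so cached answers or background system traffic cannot be mistaken for a browser lookup.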

@ruihildt
Member

ruihildt commented Jul 30, 2024

After reviewing the different scenarios, the Mullvad VPN DNS server will leak alongside the proxy DNS server when the uBlock Origin Uncloak canonical name option is enabled.
This uBO option is enabled by default in Mullvad Browser, which is why most users will observe it.

This is something which we were aware of and we warn about it in our help section and on the important notes of last release.

I created another issue to look into adding a recommendation to check uBO settings when the proxy feature is being used the first time. Ideally, it would be nice if the behavior was fixed directly by Firefox.

Additionally, we have also found the Mullvad VPN server is erroneously not listed in our check page in that scenario. This happened since we moved to make the connection check server redundant.
A fix is incoming in the next few weeks when the relevant colleagues are back from vacation.

@ruihildt
Member

For completeness, I'll note that Firefox 129 currently creates a similar proxy DNS leak even without uBlock Origin.

I have opened a bug report and hopefully it'll get fixed quickly.

@ruihildt
Member

ruihildt commented Aug 1, 2024

> Additionally, we have also found the Mullvad VPN server is erroneously not listed in our check page in that scenario. This happened since we moved to make the connection check server redundant.
> A fix is incoming in the next few weeks when the relevant colleagues are back from vacation.

We have reverted to the single connection check server for the time being; the DNS check is now accurate again.

@git70

git70 commented Aug 13, 2024

I accidentally found a similar problem and a workaround:
ACK-J/Port_Authority#7 (comment)

I haven't tested it myself, but it may be useful or point you in the direction of a solution...

@ruihildt
Member

The only leak which is considered a bug and a regression is the following one: https://bugzilla.mozilla.org/show_bug.cgi?id=1910593
It has now been confirmed by Firefox team and we'll have to wait until they fix it.

@cohesive-flight

This bug has been resolved and released in version 132.

@ruihildt
Member

I will close this issue as fixed.

If you still encounter an issue with a DNS leak, please open a new issue, and list steps to reproduce.

@github-project-automation github-project-automation bot moved this from Blocked to Done in Mullvad Browser Extension Oct 31, 2024
@git70

git70 commented Oct 31, 2024

I'm a bit confused, has the issue been fixed in FF ESR as well? (currently 128.3.1)
When I visit https://browserleaks.com/ip I still see two DNS (one from the system VPN, the other from the extension).

@ruihildt
Member

ruihildt commented Oct 31, 2024

Firefox ESR is not supposed to be susceptible to this DNS leak, since it affected Firefox 129-131.

If you still have a leak (which could well be the case), please open a new issue with the following information:

  • OS / version
  • Browser / version
  • Extension version
  • Steps to reproduce

Ideally, you would test this in a clean profile, where only the extension is installed.
