Development discussion of WireGuard
From: user6@michaelhorowitz.com
To: wireguard@lists.zx2c4.com
Subject: DNS leak Wireguard Android app on ChromeOS
Date: Mon, 10 Oct 2022 20:03:30 -0400
Message-ID: <5d496a35-f43e-776b-c20c-ed869fb5cb96@michaelhorowitz.com>

  
I found what appears to be a bug: DNS requests outside the VPN tunnel.

This happened on a Chromebook using the WireGuard Android app.
The WireGuard app was version 1.0.20220516
ChromeOS was version 105.0.5195.134 32-bit

I have a screenshot of the WireGuard app, but I am new to this list and don't know if it allows attachments. If it does, I can provide the screenshot later.
  
The VPN provider was Windscribe and they use 10.255.255.4 for their internal DNS.

Below are log records from the router that the Chromebook was connected to.
Clearly, it is making DNS requests to their internal DNS server that are outside the VPN tunnel.
If they were inside the tunnel, the router would never have seen them.
The 10.1.1.5 IP is my local LAN.

Oct 10 12:20:44 Firewall: Denied CONN=vlan SRC=10.1.1.5 DST=10.255.255.4 LEN=64 TTL=63 ID=61082 DF PROTO=UDP SPT=35763 DPT=53 LEN=44
Oct 10 10:20:03 Firewall: Denied CONN=vlan SRC=10.1.1.5 DST=10.255.255.4 LEN=73 TTL=62 ID=52035 DF PROTO=UDP SPT=60940 DPT=53 LEN=53
Oct 10 10:19:26 Firewall: Denied CONN=vlan SRC=10.1.1.5 DST=10.255.255.4 LEN=71 TTL=62 ID=32736 DF PROTO=UDP SPT=53213 DPT=53 LEN=51
Oct 10 10:19:26 Firewall: Denied CONN=vlan SRC=10.1.1.5 DST=10.255.255.4 LEN=71 TTL=62 ID=32735 DF PROTO=UDP SPT=53213 DPT=53 LEN=51
Oct 10 10:19:26 Firewall: Denied CONN=vlan SRC=10.1.1.5 DST=10.255.255.4 LEN=71 TTL=63 ID=36817 DF PROTO=UDP SPT=24575 DPT=53 LEN=51
Oct 10 10:19:26 Firewall: Denied CONN=vlan SRC=10.1.1.5 DST=10.255.255.4 LEN=71 TTL=63 ID=65082 DF PROTO=UDP SPT=30781 DPT=53 LEN=51
Oct 10 10:19:26 Firewall: Denied CONN=vlan SRC=10.1.1.5 DST=10.255.255.4 LEN=71 TTL=63 ID=50536 DF PROTO=UDP SPT=32428 DPT=53 LEN=51
Oct 10 10:19:26 Firewall: Denied CONN=vlan SRC=10.1.1.5 DST=10.255.255.4 LEN=71 TTL=63 ID=2381  DF PROTO=UDP SPT=6459  DPT=53 LEN=51
Oct 10 10:19:26 Firewall: Denied CONN=vlan SRC=10.1.1.5 DST=10.255.255.4 LEN=71 TTL=63 ID=30935 DF PROTO=UDP SPT=12559 DPT=53 LEN=51
Oct 10 10:19:26 Firewall: Denied CONN=vlan SRC=10.1.1.5 DST=10.255.255.4 LEN=71 TTL=63 ID=29472 DF PROTO=UDP SPT=16243 DPT=53 LEN=51
Oct 10 10:19:26 Firewall: Denied CONN=vlan SRC=10.1.1.5 DST=10.255.255.4 LEN=71 TTL=63 ID=38528 DF PROTO=UDP SPT=54329 DPT=53 LEN=51
Oct 10 10:19:26 Firewall: Denied CONN=vlan SRC=10.1.1.5 DST=10.255.255.4 LEN=71 TTL=63 ID=53402 DF PROTO=UDP SPT=13893 DPT=53 LEN=51
Oct 10 10:19:26 Firewall: Denied CONN=vlan SRC=10.1.1.5 DST=10.255.255.4 LEN=71 TTL=63 ID=16001 DF PROTO=UDP SPT=46864 DPT=53 LEN=51
Oct 10 10:19:26 Firewall: Denied CONN=vlan SRC=10.1.1.5 DST=10.255.255.4 LEN=71 TTL=63 ID=32123 DF PROTO=UDP SPT=63327 DPT=53 LEN=51
Oct 10 10:19:26 Firewall: Denied CONN=vlan SRC=10.1.1.5 DST=10.255.255.4 LEN=71 TTL=63 ID=33030 DF PROTO=UDP SPT=56642 DPT=53 LEN=51
Oct 10 10:19:26 Firewall: Denied CONN=vlan SRC=10.1.1.5 DST=10.255.255.4 LEN=71 TTL=63 ID=38599 DF PROTO=UDP SPT=25267 DPT=53 LEN=51
Oct 10 10:19:26 Firewall: Denied CONN=vlan SRC=10.1.1.5 DST=10.255.255.4 LEN=73 TTL=62 ID=33582 DF PROTO=UDP SPT=53072 DPT=53 LEN=53

I was not looking for this, so I am not sure if these requests were during the tunnel creation or afterwards.
Pretty sure they were not during the shutdown of the tunnel.
This is not a fluke; it can be replicated.

Michael Horowitz


- - - - - End of Message - - - - -
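
Added example (not part of the original message and not WireGuard project code): the check the report makes by eye, written as a Python script that scans router firewall records in the format shown above for DNS packets addressed to the tunnel-only resolver. The addresses 10.1.1.5 and 10.255.255.4 come from the report; the /24 LAN prefix and the sample log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# From the report: the provider's tunnel-only resolver and the LAN client.
TUNNEL_ONLY_RESOLVERS = {ipaddress.ip_address("10.255.255.4")}
LAN = ipaddress.ip_network("10.1.1.0/24")  # assumption: report gives only 10.1.1.5

FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed sample in the router's log format (IDs and ports are made up).
SAMPLE = """
Oct 10 10:19:26 Firewall: Denied CONN=vlan SRC=10.1.1.5 DST=10.255.255.4 LEN=71 TTL=63 ID=1001 DF PROTO=UDP SPT=40001 DPT=53 LEN=51
Oct 10 10:19:27 Firewall: Denied CONN=vlan SRC=10.1.1.5 DST=10.255.255.4 LEN=73 TTL=62 ID=1002 DF PROTO=UDP SPT=40002 DPT=53 LEN=53
Oct 10 10:19:28 Firewall: Denied CONN=vlan SRC=10.1.1.5 DST=192.0.2.53 LEN=71 TTL=63 ID=1003 DF PROTO=UDP SPT=40003 DPT=53 LEN=51
Oct 10 10:19:29 Firewall: Denied CONN=vlan SRC=10.1.1.5 DST=10.255.255.4 LEN=60 TTL=63 ID=1004 DF PROTO=TCP SPT=40004 DPT=443
"""

def parse(line):
    """Return the key=value fields of one record (first LEN = IP length)."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # second LEN is the UDP length; ignore it
    return fields

def find_leaks(log_text):
    """DNS packets from a LAN host to a resolver that should only be reached in-tunnel."""
    leaks = []
    for line in log_text.splitlines():
        line = line.strip()
        f = parse(line)
        if f.get("DPT") != "53" or f.get("PROTO") not in ("UDP", "TCP"):
            continue  # not DNS (also skips blank lines)
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
            spt = int(f["SPT"])
        except (KeyError, ValueError):
            continue  # malformed record
        if src in LAN and dst in TUNNEL_ONLY_RESOLVERS:
            leaks.append((line[:15], str(src), str(dst), spt))  # first 15 chars = timestamp
    return leaks

def summarize(leaks):
    """Count leaked packets per (client, resolver) pair."""
    return Counter((src, dst) for _, src, dst, _ in leaks)

if __name__ == "__main__":
    for (src, dst), n in summarize(find_leaks(SAMPLE)).items():
        print(f"{n} DNS packets from {src} to {dst} seen on the LAN (outside the tunnel)")
```

Any hit means the router saw a query that should have been encapsulated; correlating the timestamps with tunnel up/down events would answer the open question of when the packets were sent.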
