DNS resolving does not work on Android with VPN enabled #450

Open
lagner opened this issue Dec 17, 2021 · 4 comments

@lagner

lagner commented Dec 17, 2021

The problem is that a VPN provider creates a new active network connection but it leaves the DNS server property empty. We can confirm that AdGuard VPN does it. C-Ares on Android gets only one active connection and remains with nothing in this case.

The reply on StackOverflow suggests iterating over all available connections to find out available DNS servers. I'm not sure it's the best solution but it does the trick. It would make c-ares more reliable.

@bradh352
Member

Interesting, so we have to pull DNS servers from all connections, not just the active one is what you're saying. @user-none since you did the android 8+ code, mind taking a look at this?

@user-none
Contributor

The StackOverflow code is using an API method that's deprecated, getAllNetworks. So this method cannot be used.

The getAllNetworks doesn't specify what order the networks will appear in the array, so there is no guarantee the DNS server provided by the VPN will be used. If a network that's not the VPN is used, DNS requests would be routed to whatever DNS server is registered for that network. We can't tell if the network belongs to the VPN or not. All we can do is try the VPN servers for each network until one works.

So if you're using the VPN due to a restrictive DNS or so the requests don't go to your ISP (for example) this method could still send the requests to system(s) you don't want used. Even if routed over the VPN the DNS lookup would happen with the wrong server if they're publicly accessible.

It sounds like the VPN isn't properly registering itself as active within Android. This is what should be happening. The current use of getActiveNetwork is specifically to determine which network can have traffic routed over it. If there is no active network this should return null indicating network traffic cannot be routed, so don't try. This is backed up by the documentation for addDefaultNetworkActiveListener which states, "Start listening to reports when the system's default data network is active, meaning it is a good time to perform network traffic". If there is no active network we shouldn't even be trying to DNS as that is the system saying network traffic is not routable at this time.

I don't think a solution that can end up bypassing the VPN is proper. The behavior really sounds like the VPN provider is doing something wrong.
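
The trade-off described in the comment above, as an added example that is not part of the thread or of c-ares: a constructed C model comparing "active network only" with "all networks" server selection when the active VPN registers no DNS servers. `struct network`, `collect` and `foreign_count` are hypothetical names, and the addresses are documentation-range placeholders.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DNS 4
/* Constructed model of a network and the DNS servers in its link properties. */
struct network {
    int is_active;             /* 1 = the system's active network */
    const char *dns[MAX_DNS];  /* NULL-terminated, may be empty */
};

/* Constructed sample: the VPN is active but registers no DNS servers. */
static const struct network SAMPLE[] = {
    { 0, { "192.0.2.53" } },   /* Wi-Fi: resolver handed out by the ISP */
    { 1, { NULL } },           /* VPN: active, empty DNS list */
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* Collect servers from the active network only, or from every network. */
static size_t collect(const struct network *nets, size_t n, int active_only,
                      const char **out, size_t cap)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        if (active_only && !nets[i].is_active) continue;
        for (size_t j = 0; j < MAX_DNS && nets[i].dns[j] && k < cap; j++)
            out[k++] = nets[i].dns[j];
    }
    return k;
}

/* Count chosen servers that the active network did not supply. */
static size_t foreign_count(const struct network *nets, size_t n,
                            const char **chosen, size_t k)
{
    const char *own[MAX_DNS];
    size_t m = collect(nets, n, 1, own, MAX_DNS), foreign = 0, j;
    for (size_t i = 0; i < k; i++) {
        for (j = 0; j < m && strcmp(chosen[i], own[j]) != 0; j++) {}
        if (j == m) foreign++;
    }
    return foreign;
}

int main(void)
{
    const char *out[8];
    size_t k = collect(SAMPLE, SAMPLE_LEN, 0, out, 8);
    printf("all networks: %zu server(s), %zu not from the active network\n",
           k, foreign_count(SAMPLE, SAMPLE_LEN, out, k));
    return 0;
}
```

With the sample data, the active-only policy returns an empty list (resolution fails closed), while the all-networks policy returns the Wi-Fi resolver, which `foreign_count` flags.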

@lagner
Author

lagner commented Dec 20, 2021

I believe you are right and the VPN provider does it wrong. Unfortunately, I can do nothing with it. Moreover, all other applications work fine. This means we have to work around it somehow.

We have overcome it in our application by patching c-ares sources. The patch sets Google public DNS in case the list is empty. It works but I will be glad if you share a better solution. And it will be awesome if it can be fixed upstream.
