
IPv6 DNS requests leak #6078

Open
2 tasks done
notDavid opened this issue Apr 6, 2024 · 5 comments

@notDavid

notDavid commented Apr 6, 2024

Is it a bug?

  • I know this is an issue with the app, and contacting Mullvad support is not relevant.

I have checked if others have reported this already

  • I have checked the issue tracker to see if others have reported similar issues.

Current Behavior

Hi there,

So lately I sometimes have blank pages in Firefox and no websites will load. I'm not getting any error, just a blank page.
After some poking around when the issue occurs, I observed:

  1. Firefox is only resolving an IPv6 address of the website (not IPv4). See screenshot 1.
  2. The MullvadVPN Desktop app blocks IPv6 by default.
  3. In my Firefox config, network.trr.mode is set to 0, which means off (see here). So Firefox is not using the DNS-over-HTTPS functionality.
  4. Disabling IPv6 in Firefox "fixes" the issue. See screenshots 2 and 3.

Firefox: 124.0.2 (64-bit)

Expected Behavior

.

Steps to Reproduce

Screenshot 1:

(= step 1 above)

1-issue-occurs

Screenshot 2:

(= step 4 above)

2-disable-ipv6

Screenshot 3:

(= step 4 above)

3-works-without-ipv6

Failure Logs

No response

Operating system version

macOS 14.4.1

Mullvad VPN app version

2024.1

Additional Information

No response

@notDavid notDavid added the bug label Apr 6, 2024
@notDavid
Author

...and I'm also seeing the same issue in Alfred workflows, for example. So the issue is not limited to Firefox.

Screenshot 2024-04-10 at 17 11 39@2x

@notDavid
Author

notDavid commented Apr 20, 2024

So it seems that a 'DNS lookup leak' is happening (Local Network Sharing is allowed.)
I see DNS lookups to an ipv6 address of my Internet Provider...

Screenshot LittleSnitch:

LS

MullvadVPN Settings: MullvadSettings

@notDavid
Author

notDavid commented Apr 21, 2024

...and I'm also getting a correct answer. I think Mullvad DNS servers don't return IPv6 addresses, so somehow it's indeed reaching my ISP DNS servers.

<-- Firefox DNS lookup answer
"Process" : {
  "path" : "\/Applications\/Firefox.app",
  "signing ID" : "org.mozilla.firefox",
  "pid" : 2072,
  "name" : "firefox"
},  
"Packet" : {
  "Opcode" : "Standard",
  "QR" : "Reply",
  "Questions" : [
    {
      "Question Name" : "kagi.com",
      "Question Class" : "IN",
      "Question Type" : "AAAA "
    }
  ],
  "Answers" : [
    {
      "Name" : "kagi.com",
      "Type" : "??",
      "Host Address" : "2600:1901:0:daa1::",
      "Class" : "IN"
    }
  ],
  "RA" : "Recursion available",
  "Rcode" : "No error",
  "RD" : "Recursion desired",
  "XID" : 8375,
  "TC" : "Non-Truncated",
  "AA" : "Non-Authoritative"
}
}

So, I assume the issue is pfctl only blocking DNS lookups via IPv4, and not via IPv6?:

pass out quick on utun4 inet proto tcp from any to 100.64.0.31 port = 53 flags S/SA keep state
pass out quick on utun4 inet proto udp from any to 100.64.0.31 port = 53 no state
block return out quick proto tcp from any to any port = 53
block return out quick proto udp from any to any port = 53
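An added check, not part of this thread and not Mullvad's code, that parses the four pf rules quoted above and reports per address family whether outbound DNS is passed to the in-tunnel resolver and blocked for every other destination. It relies on the pf rule syntax in which a rule with no `inet`/`inet6` keyword matches both families; the only assumption beyond the quoted lines is that 100.64.0.31 is the intended resolver. For these rules it finds that the `block` lines, which carry no family keyword, cover IPv6 as well, while the `pass` lines are IPv4-only.

```python
"""Audit which address families a set of pf DNS rules cover.

Added example for this thread; it is not Mullvad's code. The four rules
below are the lines quoted in the comment above, embedded as input so the
script runs offline. The resolver address is assumed from those rules.
"""
import re
from typing import Dict, Set

# pf semantics: a rule with no 'inet'/'inet6' keyword matches both families.
ALL_FAMILIES = frozenset({"inet", "inet6"})

PF_RULES = """\
pass out quick on utun4 inet proto tcp from any to 100.64.0.31 port = 53 flags S/SA keep state
pass out quick on utun4 inet proto udp from any to 100.64.0.31 port = 53 no state
block return out quick proto tcp from any to any port = 53
block return out quick proto udp from any to any port = 53
"""


def parse_rule(line: str) -> dict:
    """Extract the fields of one pf filter rule that matter for this audit."""
    toks = line.split()
    rule = {
        "action": toks[0],                 # pass / block
        "direction": None,                 # in / out
        "iface": None,                     # interface named after 'on'
        "families": set(ALL_FAMILIES),     # narrowed if inet/inet6 is present
        "proto": None,
        "dst": None,                       # token after 'to'
        "port": None,                      # destination port, if any
    }
    for i, tok in enumerate(toks):
        if tok in ("in", "out") and rule["direction"] is None:
            rule["direction"] = tok
        elif tok == "on":
            rule["iface"] = toks[i + 1]
        elif tok in ("inet", "inet6"):
            rule["families"] = {tok}
        elif tok == "proto":
            rule["proto"] = toks[i + 1]
        elif tok == "to":
            rule["dst"] = toks[i + 1]
    m = re.search(r"\bport\s*=\s*(\d+)", line)
    if m:
        rule["port"] = int(m.group(1))
    return rule


def dns_coverage(ruleset: str, resolver: str, port: int = 53) -> Dict[str, Dict[str, bool]]:
    """Per address family: is outbound DNS passed to the VPN resolver on both
    TCP and UDP, and is it blocked to every other destination on both?"""
    rules = [parse_rule(l) for l in ruleset.splitlines() if l.strip()]
    report: Dict[str, Dict[str, bool]] = {}
    for fam in sorted(ALL_FAMILIES):
        pass_protos: Set[str] = set()
        block_protos: Set[str] = set()
        for r in rules:
            if fam not in r["families"] or r["direction"] != "out" or r["port"] != port:
                continue
            if r["action"] == "pass" and r["dst"] == resolver:
                pass_protos.add(r["proto"])
            elif r["action"] == "block" and r["dst"] == "any":
                block_protos.add(r["proto"])
        report[fam] = {
            "pass_to_resolver": {"tcp", "udp"} <= pass_protos,
            "block_other": {"tcp", "udp"} <= block_protos,
        }
    return report


if __name__ == "__main__":
    for fam, state in dns_coverage(PF_RULES, "100.64.0.31").items():
        print(fam, state)
```

Run it against the output of `pfctl -sr` (or the relevant anchor) instead of the embedded string to audit a live ruleset; the report only reflects rules that name port 53, so a family showing `block_other: False` would mean unrelated rules or anchors need a closer look.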

@notDavid notDavid changed the title Firefox does not load any websites because it uses ipv6 only (instead of ipv4) IPv6 DNS requests leak Apr 21, 2024
@dlon
Member

dlon commented Apr 23, 2024

Hi,

We're unable to reproduce any leaks using IPv6. Is it possible that you have anchors/rules in PF that are unrelated to Mullvad?

One thing you might try is to check whether sudo pfctl -F states temporarily plugs the leak (while connected).

@notDavid
Author

@dlon Thank you for your reply; I think you might be right, my conclusion was wrong.

  1. So it seems these apps are getting the IPv6 address from Mullvad DNS servers (I still have to set up some mechanism to 100% catch all possible DNS leaks, if even possible with DoH these days...)

  2. The question is, why are these apps suddenly only trying to connect via IPv6, and no longer via IPv4? Because I can still successfully ping and connect to the same domains via ping and other tools. Also, I have now experienced the exact same issue on another MacBook of a different person in the same house.

  3. Currently my workaround is to enable IPv6 support in the MullvadVPN Desktop app. This fixes the issue for all apps (Firefox, Obsidian, Homebrew, etc.). However, the MullvadVPN app GUI says:

    "We do not recommend enabling IPv6 unless you know you need it."

    Why is it not recommended to enable IPv6?

Thank you!
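One way to build the "catch all possible DNS leaks" check mentioned in point 1 above, as an added example that is not code from this thread or from Mullvad: it classifies per-connection records by whether traffic on DNS ports goes to the in-tunnel resolver from the pf rules quoted earlier or to anything else, handling IPv4 and IPv6 destinations alike. The log lines are constructed in a plain `process dst_ip dst_port proto` form, not any particular tool's export format, and the ISP resolver is a documentation-range address standing in for a real one. Port 443 is deliberately not counted, since DoH cannot be told from ordinary HTTPS by address and port alone.

```python
"""Classify connection records to spot DNS traffic that bypasses the VPN resolver.

Added example; not code from this thread or from Mullvad. The log lines are
constructed and use a simple 'process dst_ip dst_port proto' form rather than
any specific tool's export format.
"""
import ipaddress
from typing import Dict, List

# Assumed in-tunnel resolver, taken from the pf rules quoted in the thread.
VPN_RESOLVERS = {ipaddress.ip_address("100.64.0.31")}
DNS_PORTS = {53, 853}  # Do53 and DoT; DoH on 443 is not distinguishable by port

# Constructed sample. 2001:db8::/32 is the IPv6 documentation range and stands
# in for an ISP resolver that the VPN should make unreachable.
SAMPLE_LOG = """\
firefox 100.64.0.31 53 udp
firefox 2001:db8:abcd::53 53 udp
Alfred 2001:db8:abcd::53 53 tcp
curl 100.64.0.31 53 udp
firefox 2001:db8:abcd::53 853 tcp
firefox 2600:1901:0:daa1:: 443 tcp
"""


def parse_record(line: str) -> dict:
    """Parse one constructed record; the address is parsed so that IPv4 and
    IPv6 are compared as addresses rather than as strings."""
    proc, dst, port, proto = line.split()
    addr = ipaddress.ip_address(dst)
    return {
        "process": proc,
        "dst": addr,
        "port": int(port),
        "proto": proto,
        "family": "inet6" if addr.version == 6 else "inet",
    }


def find_dns_leaks(log: str) -> List[dict]:
    """Return every DNS-port connection whose destination is not a VPN resolver."""
    leaks = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["port"] in DNS_PORTS and rec["dst"] not in VPN_RESOLVERS:
            leaks.append(rec)
    return leaks


def leaks_by_family(log: str) -> Dict[str, int]:
    """Count leak candidates per address family, so an IPv6-only leak stands out."""
    counts = {"inet": 0, "inet6": 0}
    for rec in find_dns_leaks(log):
        counts[rec["family"]] += 1
    return counts


if __name__ == "__main__":
    for rec in find_dns_leaks(SAMPLE_LOG):
        print(f"{rec['process']}: {rec['proto']}/{rec['port']} to {rec['dst']} ({rec['family']})")
    print(leaks_by_family(SAMPLE_LOG))
```

With a real capture, feed the exported records through `parse_record` after adapting the split to the export's columns; the classification itself does not depend on the format. A non-zero `inet6` count with a zero `inet` count is exactly the pattern described in this thread, where only the IPv6 path would be reaching an outside resolver.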
