Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Author Topic: Android stealthily forcing google dns  (Read 10494 times)

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Android stealthily forcing google dns
« on: March 31, 2016, 10:25:14 AM »

So today I discovered my phone has some kind of persistent dns cache surviving reboots, so had to investigate and whilst investigating discovered the dns server 8.8.4.4 is been used ignoring my dhcp settings which use dns server 192.168.1.253.

This is very sly as most apps will report the lan dns server in use, and it seems the caching and redirect is been handled via the ndc resolver.

Even with a iptables forced redirect google dns is still been used which widened my eyes more.

Any thoughts on those with experience of android dns queries?

This is on kitkat, but its also happening on another phone I just tested on which is running android 5.1.
Logged

plexy

  • Reg Member
  • ***
  • Posts: 115
Re: Android stealthily forcing google dns
« Reply #1 on: April 06, 2016, 10:29:03 AM »

Id be very surprised if this were the case. At some point ill MITM my Nexus and see what its up to and feed back.

(btw I do know that when a VPN is in use it definitely isnt using google DNS as i can access internal hostnames)


Logged
--
SSE 80/20
Sky 40/10
Zen 80/20
Bonded: 200/50 (in progress)

Hardware:Hg612/HH5/Tg589vac/Linux SBC router

Al1264

  • Member
  • **
  • Posts: 70
Re: Android stealthily forcing google dns
« Reply #2 on: April 06, 2016, 10:41:49 AM »

I could be 'some way off the mark' but it does occur to me that a device that's designed to roam/switch beteen different networks/network types (wi-fi/mobile) may find it beneficial to reference a 'fixed' dns source while hopping between wi-fi and mobile networks.  Could that be a reasonable / simple / non-malicious explanation?

Just from technical interest, how easy is it to find out what DNS my (Android) mobile phone is using?
Logged
Plusnet - FTTC - AVM Fritz!Box 7490

plexy

  • Reg Member
  • ***
  • Posts: 115
Re: Android stealthily forcing google dns
« Reply #3 on: April 06, 2016, 12:24:16 PM »

Good point - Chrys have you tried it with the smart switch feature turned off and see if it does same?

Al, generally its in the network settings section but Chrys is saying that gets overridden. im assuming hes seen this on his router via packet capture or perhaps his device is rooted and hes checking that way. The way I would check would be either on the router (if openwrt) or doing a MITM attack (a hacking technique which isnt hard to pull off, but must only ever be used on your own equipment or with permission of equipment owners to ensure no laws are broken)
Logged
--
SSE 80/20
Sky 40/10
Zen 80/20
Bonded: 200/50 (in progress)

Hardware:Hg612/HH5/Tg589vac/Linux SBC router

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: Android stealthily forcing google dns
« Reply #4 on: April 06, 2016, 05:58:19 PM »

I have been very busy but have moved this forward today.

It seems its only overriding specifically for the nslookup command, so possibly the nslookup binary on my android phone is hardcoded to use google's dns servers.

Browsers etc. are actually honouring the android settings.

So for those with terminal access on their phone's do a lookup via nslookup and report back what nameserver it uses please.
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: Android stealthily forcing google dns
« Reply #5 on: April 06, 2016, 06:00:58 PM »

I could be 'some way off the mark' but it does occur to me that a device that's designed to roam/switch beteen different networks/network types (wi-fi/mobile) may find it beneficial to reference a 'fixed' dns source while hopping between wi-fi and mobile networks.  Could that be a reasonable / simple / non-malicious explanation?

Just from technical interest, how easy is it to find out what DNS my (Android) mobile phone is using?

You can snoop router traffic, but here is more simpler ways.

1 - browse to a dns leak test site in a browser on the phone, to see what dns server it reports. (note this only shows what the browser is doing tho)
2 - install something like network toolbox and run dns tests on it.
3 - nslookup reports what dns server it uses, and in my case on both phones its always reporting google dns 8.8.4.4
Logged

ejs

  • Kitizen
  • ****
  • Posts: 2078
Re: Android stealthily forcing google dns
« Reply #6 on: April 06, 2016, 07:35:59 PM »

Wait a minute - a DNS leak test website won't report a LAN IP address, will it? It will always report an external IP address. For example, my phone is using my router (192.168.0.1) as it's DNS server, a website on the Internet won't see any LAN IP addresses, and will see whichever DNS servers my router forwards the DNS queries to.
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: Android stealthily forcing google dns
« Reply #7 on: April 07, 2016, 03:30:09 PM »

it should report the external dns caching server been used yes.

So if it reported a internal ip that would be strange.

In my case, my phone uses my router as its resolver so 192.168.1.253.  The router sends uncached queries to its upstream server I configured, which is a personal DNSCrypt, DNSSEC dual stacked, no logging, no neg caching server I run myself for personal use at a UK datacentre, and its that UK ip that gets reported by dns leak tests, and as such I know if the configuration is working properly.  I also have the dnscrypto.org .fr DNS server as a upstream DNS server, but its only a backup if my personal server goes down.

I am considering moving my DNS server out of the UK tho, as I wonder how much power the UK authority has in been able to get the transit provider at my UK location to sniff my dns traffic, the DNScrypt will encrypt between my router and the server which stops sky sniffing, but not from the server to other DNS servers.  The problem been that DNScrypt is a hack, its not a standard, so there is no encryption protocol for server to server queries.

Nslookup I would expect to report 192.168.1.253 as the resolver as it only knows the immediate resolver its directly querying.
« Last Edit: April 07, 2016, 03:35:30 PM by Chrysalis »
Logged
 

anything