[ISSUE] AFWall+ 3.6 and OpenVPN Connect fails Android 11+ Private DNS #1355
Additionally, due to AFWall+ 3.6 design, initial packets may be delayed by up to 15 s due to temporary blocking of vpn and dns while AFWall+ is working. Because AFWall+ also blocks your apps, it's difficult to benefit from the instant DNS. The following updated script enhances that:
The resulting iptables:
This works on all my Androids. The requirements on AFWall+ to avoid
Describe the bug
When on Android 11+ using OpenVPN Connect with Private DNS set to other than Off or Automatic and AFWall+ is enabled, DNS fails to function until the VPN is disconnected.
- root cause is a race timing issue
- works for some fast local VPNs, but not for those slower public ones
Symptoms:
- a. The exclamation mark superimposed on the statusbar LTE or Wi-Fi icon should go away within 1 second; it stays put
- b. Within 11 seconds: pling and notification:
    Network has no internet access
    Private DNS server cannot be accessed
- c. The Private DNS menu selection has text below: Couldn't connect
- d. Android apps fail with ERR_NAME_NOT_RESOLVED
GETAROUND:
Ensure that unencrypted DNS is always allowed for root inside the vpn tunnel:
Use a custom script ./data/dnsgoogle
(should work for all DNS providers)
Write file /data/dnsgoogle:
ls -l /data/dnsgoogle
-rwxr-xr-x 1 u0_a252 u0_a252 764 Sep 19 16:14 /data/dnsgoogle
(executable by root)
root user access must be allowed in AFWall+ for any interface to be used
Firewall Logs
N/A
Smartphone (please complete the following information):
Pixel 3 Android 12 October 5, 2021 SP1A.210812.016.C2
Additional context
Likely, AFWall+ is busy rebuilding its configuration, and while that is ongoing traffic is blocked. DNS resolution of a Private DNS server like dns.google is not retried.
For the Android Private DNS settings Off or Automatic, regular unencrypted DNS is used when there is trouble. Only the option with a set provider gives full privacy.
The most optimal DNS is:
- DNS-over-HTTP/3 (DoH3): udp port 443, packet-loss resilient, Android 11+
- DoQ
DNS-over-TLS (DoT) incurs overhead for every DNS request: tcp port 853
https://security.googleblog.com/2022/07/dns-over-http3-in-android.html
There are others:
- DNS-over-TLS (DoT): tcp port 853
- DoQ: udp port 8853, packet-loss resilient
- DNS-over-HTTPS (DoH): tcp port 443
- DNS-over-HTTP/3 (DoH3): udp port 443, packet-loss resilient, Android 11+
https://help.nextdns.io/t/x2hmvas/what-is-dns-over-tls-dot-dns-over-quic-doq-and-dns-over-https-doh-doh3
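The GETAROUND above says only that unencrypted DNS must stay open for root inside the tunnel; the following is an added example of an AFWall+ custom script that does this with iptables, not the reporter's own /data/dnsgoogle (whose contents are not shown in the issue). It assumes the tunnel interface matches tun+, that a rule at the head of OUTPUT runs before AFWall+'s own chains, and that IPTABLES/IP6TABLES can be overridden with a stub for a dry run.

```shell
#!/system/bin/sh
# Added example, not the issue author's /data/dnsgoogle: an AFWall+ custom script
# that keeps plain DNS (port 53) open for root (uid 0) inside the VPN tunnel, so
# Android's Private DNS bootstrap (resolving e.g. dns.google) is not blocked while
# AFWall+ rebuilds its chains. Assumptions: the tunnel interface matches "tun+",
# rules inserted at position 1 of OUTPUT precede AFWall+'s own jump, and
# IPTABLES/IP6TABLES may be overridden with a stub for a dry run.
IPTABLES="${IPTABLES:-iptables}"
IP6TABLES="${IP6TABLES:-ip6tables}"
TUN_IF="${TUN_IF:-tun+}"

# One rule specification per line: root-owned UDP and TCP DNS leaving via the tunnel.
dns_rules() {
    printf '%s\n' \
        "-o $TUN_IF -m owner --uid-owner 0 -p udp --dport 53 -j ACCEPT" \
        "-o $TUN_IF -m owner --uid-owner 0 -p tcp --dport 53 -j ACCEPT"
}

# Insert each rule at the head of OUTPUT unless it is already present (-C), so
# re-running the script (AFWall+ calls it on every rule rebuild) stays idempotent.
apply_dns_rules() {
    dns_rules | while IFS= read -r rule; do
        for bin in "$IPTABLES" "$IP6TABLES"; do
            # shellcheck disable=SC2086  # word splitting of $rule is intended
            "$bin" -C OUTPUT $rule 2>/dev/null || "$bin" -I OUTPUT 1 $rule
        done
    done
}

# Only apply when run as the installed script; sourcing it for a dry run does nothing.
case "$0" in
    */dnsgoogle|dnsgoogle) apply_dns_rules ;;
esac
```

Install it as /data/dnsgoogle with mode 0755 and point AFWall+'s custom script setting at it; root must still be allowed in AFWall+ for the VPN interface, as the issue notes.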