I think the problem is Reddit user (who Mullvad cites) not knowing that the Private DNS feature in AOSP/Android defaults to Google or Cloudflare DNS, and that you need to set a custom DNS of your choice to prevent this.
AdGuard provides a whole list of DNS providers to pick from. Pick a hostname from DNS-over-tls row for any provider, remove the “tls://” part and enter the rest in Private DNS custom option.
If you do this, you’ll be using the DNS you assign instead of using the VPN’s DNS, as intended. That will make you stand out from the rest of the same VPN users, effectively affecting privacy.
Either stand out or let your ISP or Google/Cloudflare or VPN read all your domain visit queries. It is better to not let ISP or Big Tech decipher your internet history for obvious reasons.
I am not sure what off does. Might need to recheck Android documentation. But I remember the custom one definitely uses whatever you set, and nothing else. No Google/Cloudflare DNS.
For example, if you like AdGuard, you can just enter dns.adguard.com there.
Automatic on Android always falls back to Google or Cloudflare DNS in the same way systemd DNS resolving works. Or if that does not work, ISP is being sent whatever domain queries user is requesting directly. I am going off from connecting the dots between what I know about Private DNS from Android documentation, and what the Reddit poster did not mention who Mullvad cited in their blog post. I am assuming that the time gap between Android’s killswitch turning off and on with always-on settings is giving time for DNS queries to go through (detected by Wireshark), and since the default DNS provider is almost never set by people on Android, this may be happening.
I think the problem is Reddit user (who Mullvad cites) not knowing that the Private DNS feature in AOSP/Android defaults to Google or Cloudflare DNS, and that you need to set a custom DNS of your choice to prevent this.
AdGuard provides a whole list of DNS providers to pick from. Pick a hostname from DNS-over-tls row for any provider, remove the “tls://” part and enter the rest in Private DNS custom option.
https://adguard-dns.io/kb/general/dns-providers/
If you do this, you’ll be using the DNS you assign instead of using the VPN’s DNS, as intended. That will make you stand out from the rest of the same VPN users, effectively affecting privacy.
Either stand out or let your ISP or Google/Cloudflare or VPN read all your domain visit queries. It is better to not let ISP or Big Tech decipher your internet history for obvious reasons.
One DoT provider you could choose is… Mullvad: https://mullvad.net/en/help/dns-over-https-and-dns-over-tls
I like AdGuard, but any decent provider is going to be fine except for Google/Cloudflare or western Big Tech ones.
mine gives me three choices. Off, Automatic, and Private DNS (type in your own). should i set mine to off then? will that prevent the leak?
I am not sure what off does. Might need to recheck Android documentation. But I remember the custom one definitely uses whatever you set, and nothing else. No Google/Cloudflare DNS.
For example, if you like AdGuard, you can just enter
dns.adguard.com
there.so automatic will allow the leak?
Automatic on Android always falls back to Google or Cloudflare DNS in the same way systemd DNS resolving works. Or if that does not work, ISP is being sent whatever domain queries user is requesting directly. I am going off from connecting the dots between what I know about Private DNS from Android documentation, and what the Reddit poster did not mention who Mullvad cited in their blog post. I am assuming that the time gap between Android’s killswitch turning off and on with always-on settings is giving time for DNS queries to go through (detected by Wireshark), and since the default DNS provider is almost never set by people on Android, this may be happening.