
Custom DoH addresses causes location "leak" #227

Open
jordan-ivpn opened this issue Dec 30, 2021 · 6 comments

Comments


jordan-ivpn commented Dec 30, 2021

Bug report

A customer reported an issue:

"I found this morning what I consider a serious bug that happens when using IVPN + Custom DNS (NextDNS in my case) [DNS-over-HTTPS only, not a standard IP address, like 1.1.1.1].

DESCRIPTION

Using a NextDNS as Custom DNS in IVPN iOS app.

In IVPN, when switching servers from location A to location B, the “Resolved IP” in Settings > Custom DNS for VPN… does NOT update its values to the new location, and instead sticks with the previous VPN server.

So, if I am currently using Miami as the server and switch to Stockholm, dnsleaktest.com STILL shows DNS servers in Miami, even when I have switched to Stockholm (or any other region).

STEPS TO REPRODUCE

  1. In Settings > Custom DNS for VPN, set a NextDNS DoH server previously set, like dns.nextdns.io/abcdef; check the Resolved IP values. Make sure to Enable the custom DNS.

  2. Being connected to IVPN, perform a test in dnsleaktest.com and make sure the (NextDNS) DNS servers match the VPN server location.

  3. Switch to a server in a different geographic location (Let’s say Canada). Re-test in dnsleaktest.com, and check again the DNS servers:

They are still in the previous location, since the Resolved IP still has the same value (even after switching VPN servers).

EXPECTED BEHAVIOUR

When using a Custom DNS like NextDNS, Resolved IP values should refresh when switching servers, so a test in dnsleaktest.com will show that the DNS servers match the VPN server location.

NOTES

The only way to manually refresh the Custom DNS for VPN Resolved IP is to clear the dns.nextdns.io/abcdef entry, manually add it again and tap the Done button, which will refresh the Resolved IP values."

[Removing the DoH address from the IVPN App's settings likely breaks the HTTPS connection that may be responsible for the location persistence.]

Describe your environment

  • Device: _____
  • OS name and version: _____
  • IVPN app version: _____
@jurajhilje jurajhilje self-assigned this Dec 31, 2021
@jurajhilje jurajhilje added this to the 2.7.0 milestone Dec 31, 2021
@jurajhilje
Member

I understand the issue, and will here try to explain some limitations of the Custom DNS feature + propose potential improvements.

When using a domain as a host, the IVPN app will resolve IPs when Custom DNS settings are saved. In the case of using NextDNS, I guess the iOS device resolves the server with the lowest latency (closest server).
On iOS, the VPN tunnel is then configured with an array of IPs as custom DNS. When the IVPN app changes the gateway, the Custom DNS IPs are still the same and are not resolved again just by changing the gateway.

We can improve this in a few ways:

  • Add the Resolve IPs button in the Custom DNS settings screen, to update the current VPN tunnel with the closest DNS server available
  • Implement Resolve IPs and reconnect VPN prompt when changing gateways when using domain custom DNS

Note that when VPN is connected, it is required to reconnect to update custom DNS IPs, so I am against adding any logic that automatically changes VPN tunnel configuration without the user being aware of it (hence the prompt proposal).

As a workaround in the current IVPN iOS app, a user can go to Custom DNS settings, then edit Custom DNS domain, then save (the same domain). This will update the VPN tunnel configuration and prompt to reconnect VPN to apply the new configuration.

cc: @jordan-ivpn

@ghost

ghost commented Jan 4, 2022

@jurajhilje, I am the original reporter of this issue (we exchanged a few emails with @jordan-ivpn).

when VPN is connected, it is required to reconnect to update custom DNS IPs, so I am against adding any logic that automatically changes VPN tunnel configuration without the user being aware of it

That's ok and makes sense. My suggestion would be: check the already available Ask to reconnect VPN toggle value in Settings. If OFF, then prompting will not be necessary (the user has opted in to automatic reconnects). Or... a similar toggle. The idea is to leave it up to the user to decide if he is ok with automatic reconnects.
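A small model of the state the two comments above describe (the host is resolved once when Custom DNS is saved, a gateway change does not re-resolve, and a reconnect is either prompted or applied automatically depending on the Ask to reconnect toggle). This is an added illustration, not code from the IVPN app; the resolver answers and addresses are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample answers of a latency-steered resolver, per VPN exit.
# RFC 5737 documentation addresses, not real NextDNS data.
RESOLVER_ANSWERS = {
    "Miami": ["192.0.2.10", "192.0.2.11"],
    "Stockholm": ["198.51.100.20", "198.51.100.21"],
}

def resolve(host: str, location: str) -> list[str]:
    """Stand-in for the device resolver; the answer depends on the exit used."""
    return list(RESOLVER_ANSWERS[location])

@dataclass
class Tunnel:
    gateway: str
    custom_dns_host: str = ""
    dns_ips: list[str] = field(default_factory=list)  # IPs the tunnel hands out
    resolve_on_connect: bool = False   # the "Resolve IP when VPN is connected" option
    ask_to_reconnect: bool = True      # existing Settings toggle

    def save_custom_dns(self, host: str) -> None:
        """Saving the setting is the only point at which the PROD app resolves."""
        self.custom_dns_host = host
        self.dns_ips = resolve(host, self.gateway)

    def change_gateway(self, location: str) -> str:
        """Switch exit location; returns the action taken so a UI could act on it."""
        self.gateway = location
        if not self.resolve_on_connect:
            return "kept-stale-ips"       # today's behaviour: old IPs stay configured
        if self.ask_to_reconnect:
            return "prompt-reconnect"     # user must confirm the tunnel change
        self.dns_ips = resolve(self.custom_dns_host, location)
        return "reconnected"              # opted in: re-resolve and apply

    def stale_dns(self) -> list[str]:
        """Configured DNS IPs the resolver would no longer return from this exit."""
        current = set(resolve(self.custom_dns_host, self.gateway))
        return [ip for ip in self.dns_ips if ip not in current]

def switch(resolve_on_connect: bool, ask_to_reconnect: bool) -> tuple[str, list[str]]:
    """Save NextDNS as Custom DNS while on Miami, then switch to Stockholm."""
    t = Tunnel("Miami", resolve_on_connect=resolve_on_connect,
               ask_to_reconnect=ask_to_reconnect)
    t.save_custom_dns("dns.nextdns.io/abcdef")
    action = t.change_gateway("Stockholm")
    return action, t.stale_dns()
```

`stale_dns()` is the check a leak test performs from the outside: any address it returns is a resolver the tunnel still uses that was picked for the previous location.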

@jurajhilje
Member

@andsyodel Thanks for the info. We will try to implement this option soon into a public beta TestFlight build and send it for feedback. I'll update here about our progress.

@jurajhilje jurajhilje modified the milestones: 2.7.0, 2.6.2 Jan 7, 2022
@jurajhilje
Member

@andsyodel Please contact @jordan-ivpn to get access to our TestFlight public beta. We added the "Resolve IP when VPN is connected" option in the Custom DNS settings. Feel free to post feedback here or send directly to Jordan.
Thanks!

@ghost

ghost commented Jan 18, 2022

@andsyodel Please contact @jordan-ivpn to get access to our TestFlight public beta. We added the "Resolve IP when VPN is connected" option in the Custom DNS settings. Feel free to post feedback here or send directly to Jordan. Thanks!

@jurajhilje I already contacted Jordan. I sent a private email with my discoveries. Unfortunately, I had to switch back to the PROD version of the app after my initial tests (I do not have much more time to help with QAing).

My findings:

  • The current PROD version of IVPN does leak the previous DNS server (before switching location), but at least the DNS server does resolve URLs.
  • The beta version I tried did not even resolve the DNS servers. Actually, there was an instance in which the Resolved IP box was empty (not even a single IP address).
  • Switching back and forth between AirPlane mode, WiFi > LTE, LTE > WiFi etc, did not help.
  • The second I used the Antitracker feature (cancelling the Custom DNS settings), it started to resolve right away. The second I disabled Antitracker (effectively using the Custom DNS, which was Enabled), it stopped resolving right away. I could see how the IP addresses changed when switching locations (in the main screen), but at the same time, if I went into the Custom DNS panel, the resolved IPs appeared to be the same as before switching (as if I had not changed location).

I have sent Jordan a private email with Wireguard logs attached and a few details. Hope that helps.

@jurajhilje
Member

@andsyodel Thanks for the feedback, we'll check out reported issues and probably push a new TestFlight build.

@jurajhilje jurajhilje modified the milestones: 2.6.2, 2.7.0 Mar 21, 2022
@jurajhilje jurajhilje modified the milestones: 2.6.3, 2.6.4 May 12, 2022
@jurajhilje jurajhilje removed this from the 2.6.4 milestone Jun 4, 2022