DNS leak while using automatic proxy (root) mode

[Rtizer-9]

Please answer the following questions for yourself before submitting an issue

• Filters were updated before reproducing an issue
• I checked the knowledge base and found no answer
• I checked to make sure that this issue has not already been filed

AdGuard version

4.7.23

Browser version

All Browsers

OS version

Android 14

Issue Details

Steps to reproduce:

1. Select a custom dns like adguard, cloudflare anything apart from your own isp (automatic).
2. Select "redirect to dns proxy" in "filter secure dns" in low level settings.
3. Check on Dns leak websites.

Expected Behavior

Dns leak websites should ONLY show entries from the selected dns server and no other server should be present.

Actual Behavior

We can still see various entries from our own ISP which means dns entries are still leaking to them.

Screenshots

Screenshot 1

Additional Information

No such problem is observed on VPN mode which means this is specific to automatic proxy root mode.

[Rtizer-9]

@Dondrejohnson,@i1itione,@BatobolotovBato Please confirm.

[Dondrejohnson5]

Following the steps above and using the following sites, it shows on root mode how the DNS is being leaked to T-Mobile ISP on auto root mode:

but not on VPN mode:

[Dondrejohnson5]

Anyone with any update on this issue?

[privacyguy123]

Bump.

Seeing the same on my device.

EDIT: Unsurprising snoozefest from AG ...

[Rtizer-9]

Is there any update on this? It's been 3 months since I opened the issue and this issue has been present all this while for years. It's a dns leak after all.

[iabeefe]

I'm also having DNS leaks while using AdGuard in Automatic Root Proxy Mode and this honestly makes me cringe, I thought I was safe but nope I wasn't.

@sfionov How long would it take to fix this? This issue has been open for months now.

[sfionov]

Hello! I apologize for missing this issue, it seems to be triaged to wrong repo, and DnsLibs is not actively developed now.

I believe this issue is about IPv6 DNS filtering.

Automatic root proxy mode in Adguard for Android has two different submodes: TPROXY and REDIRECT.

TPROXY mode is used on devices without iptables' nat table for IPv6.
On devices with better kernel config, REDIRECT mode is used.

In TPROXY mode it was not possible to filter IPv6 DNS properly. Blocking it, however, will break connection. That's why it is not filtered, and the snack should be shown in this case.

If you use REDIRECT mode, everything should work as expected since it was implemented in AdguardTeam/AdguardForAndroid#1354.

We'll recheck if DNS filtering in redirect mode is ok, and what happened to the snack in TPROXY mode.

[Rtizer-9]

Are there any more issues and it's not working with REDIRECT mode?