mullvad blocks DNS traffic even when custom DNS is the local host #6080

Open
nothingmuch opened this issue Apr 7, 2024 · 1 comment
@nothingmuch
nothingmuch commented Apr 7, 2024

Is it a bug?

  • I know this is an issue with the app, and contacting Mullvad support is not relevant.

I have checked if others have reported this already

  • I have checked the issue tracker to see if others have reported similar issues.

Current Behavior

Upon upgrading mullvad-cli to 2023.6 from nixos, my local DNS recursive resolver stopped working. I did not examine what changed from the previous version, but simply added the whitelisting mark to all DNS traffic so that it is accepted using the mark rule before being explicitly dropped in the filters mullvad adds when the VPN is connected.

Expected Behavior

When configuring a custom DNS server with an address on one of the host's interfaces, mullvad should not interfere with the operations of the DNS server; it should be able to send DNS traffic through the VPN.

Since allowing DNS traffic by default is a potential privacy leak and a local DNS server is not necessarily a recursive resolver, may only use DoH, etc., the current behavior should remain the default IMO as it is safer, so to be precise, the bug is really that there's no setting or mechanism to disable this behavior when it is appropriate to do so.

Steps to Reproduce

On NixOS, enable systemd-resolved, unbound, nftables, and mullvad-vpn. Ignore DHCP DNS, setting the DNS server through resolved to 127.0.0.1 (unbound).

All DNS queries will end in SERVFAIL because unbound is unable to send DNS traffic through the wg-mullvad interface.

The following is excerpted from my machine configuration and also includes the workaround I have been using since upgrading.

  networking.networkmanager = {
    enable = true;
    dns = lib.mkForce "systemd-resolved";
  };
  networking.nftables.enable = true;

  networking.useNetworkd = true;
  services.resolved.enable = true;

  systemd.network.networks."x" = {
    matchConfig.BSSID = "xx:xx:xx:xx:xx:xx";
    networkConfig.MulticastDNS = true;
    # point resolved at the local unbound instance instead of the DHCP-provided servers
    dns = [ "127.0.0.1" ];
    dhcpV4Config.UseDNS = false;
    dhcpV6Config.UseDNS = false;
  };

  services.unbound.enable = true;

  services.mullvad-vpn.enable = true;

  # workaround for hard coded dropping of port 53 traffic
  # brittle, relies on the earlier mark based accept rule
  networking.nftables.ruleset = ''
    table inet mullvadExclusions {
      chain mullvadAllowDNS {
        # base-chain hook added during editing (assumed): a chain without a hook is never
        # evaluated; a negative priority runs it before mullvad's own output chain
        type filter hook output priority -100; policy accept;
        udp dport 53 ct mark set 0x00000f41;
        tcp dport 53 ct mark set 0x00000f41;
      }
    }
  '';

Failure Logs

No response

Operating system version

NixOS unstable (eventually will be 24.05)

Mullvad VPN app version

2023.6

Additional Information

/nix/store/yayc6wg2ndnr1qcnmq5v8r257innc36b-mullvad-vpn-2023.6/bin/mullvad version
Current version       : 2023.6
Is supported          : true
Suggested upgrade     : 2024.1
Latest stable version : 2024.1
@nothingmuch nothingmuch added the bug label Apr 7, 2024
@tjmnmk
tjmnmk commented May 15, 2024

I'm using the command below as a workaround on Ubuntu:

nft -a list chain inet mullvad output |grep "dport 53 reject" |awk '{print $NF}' |xargs -n1 nft delete rule inet mullvad output handle

mullvad dns set custom 127.0.0.1
mullvad connect
nft -a list chain inet mullvad output |grep "dport 53 reject" |awk '{print $NF}' |xargs -n1 nft delete rule inet mullvad output handle

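An added example, written for this page and not part of either comment above: a small POSIX shell script that parses the listing produced by `nft -a list chain inet mullvad output`, reports the handles of the `dport 53 reject` rules that tjmnmk's command removes, and flags the case the issue is about, where the configured custom DNS is a loopback address. The listing is a constructed sample (real handle numbers and rule order depend on the running Mullvad version), and the function names `dns_reject_handles`, `is_loopback` and `audit_dns_rules` are mine. It only reports; it deletes nothing, so it can be run first to see exactly which rules the workaround would touch.

```shell
#!/bin/sh
# Added example (not from the issue): audit the Mullvad output chain for rules
# that reject DNS traffic before deciding whether the workaround applies.

# Constructed sample of what `nft -a list chain inet mullvad output` might
# print; handle numbers and rule order are invented for this example.
SAMPLE_NFT_OUTPUT='table inet mullvad {
    chain output {
        type filter hook output priority 0; policy drop;
        ct mark 0x00000f41 accept # handle 5
        oifname "lo" accept # handle 6
        udp dport 53 reject # handle 12
        tcp dport 53 reject # handle 13
        oifname "wg-mullvad" accept # handle 14
    }
}'

# Print the handle of every rule in the listing (read from stdin) that rejects
# port-53 traffic, one per line. Mirrors the grep/awk pipeline in the comment.
dns_reject_handles() {
    grep 'dport 53 reject' | awk '{print $NF}'
}

# Return 0 if the address is a loopback address (a resolver on the host itself).
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit a custom DNS address against an nft listing. Prints a one-line verdict;
# returns 1 when a local resolver would be blocked by port-53 reject rules.
audit_dns_rules() {
    dns="$1"
    listing="$2"
    handles=$(printf '%s\n' "$listing" | dns_reject_handles | tr '\n' ' ' | sed 's/ $//')
    if is_loopback "$dns" && [ -n "$handles" ]; then
        printf 'local resolver %s: port-53 reject rules present (handles: %s)\n' "$dns" "$handles"
        return 1
    fi
    printf 'no local-resolver conflict for %s\n' "$dns"
    return 0
}

# Demo run against the constructed sample (exit status 1 means "conflict found").
if ! audit_dns_rules 127.0.0.1 "$SAMPLE_NFT_OUTPUT"; then
    echo "review the handles above before removing any rule"
fi
```

To use it against a live system, replace the constructed sample with the real listing (`nft -a list chain inet mullvad output`) and the address from `mullvad dns get`; the handles it prints are the ones the comment's `nft delete rule ... handle` invocation would remove.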