Complete DNS failure after frequent switching between WiFi and Mobile networks

Does the problem still exist when you activate “block connections without vpn” in your phone settings?
Can you please try.

I’m afraid that’s not helpful. While it does seem to improve network detection (and therefore Blokada correctly using “local DNS” on Wi-Fi), it causes the internet to be totally blocked from my phone even after DNS is working as expected!

Anyway, I wanted to write back and say that over the past 8 weeks or so I’ve been in regular contact with @Karol and we’ve gone through a lot of logs and troubleshooting situations.

It’s been painful as for most of that time I’ve got to force kill Blokada, then re-start it and wait for the VPN to establish every time my phone moves into a Wi-Fi network. I understand the logs I send him are helping diagnose the problem though.

He altered the network detection code and added the “Ping networks” option to “Settings” → “This device” but either way I still have major problems.

To reproduce this:

  • Have a modern Android 11 device which also has a mobile network connection
  • Ensure Blokada has the location permission
  • Have a local DNS resolver or cache on your WiFi network
  • On your WiFi network or internet router, configure firewall rules like this to block all DNS from client devices to the internet. (This isn’t done to prevent Blokada from working but to prevent all devices from working around the local DNS service, as some try to go straight to 8.8.8.8 or Apple DNS, for example.)
  1. Allow TCP/53, UDP/53, TCP/853, TCP/443 from all internal devices to your local DNS server or DNS cache’s IP.
  2. Configure DHCP to issue your local DNS server’s IP to clients.
  3. Allow TCP/53, UDP/53, TCP/853, TCP/443 from local DNS server or DNS cache to the internet DNS of your choice (For example Cloudflare 1.1.1.1).
  4. Deny TCP/53, UDP/53, TCP/853 to the internet.
  5. Deny TCP/443 to major DNS services which offer DoH. This includes 8.8.8.8, 8.8.8.4, 1.1.1.1, 1.0.0.1, 1.1.1.2, 1.0.0.2, 1.1.1.3, 1.0.0.3, 9.9.9.9, 149.112.112.112, 9.9.9.10, 149.112.112.10, 64.6.64.6, 64.6.65.6, 8.26.56.26, 8.20.247.20, 77.88.8.0/25

Then have Blokada configured (in the “Advanced” → “Networks” section):

  • All networks: Encrypt DNS, Use DNS: Cloudflare
  • Any WiFi network (on): Use DNS: Cloudflare, Prefer network DNS (Encrypt DNS and Force Libre mode should be off)
  • You can try the problem with the “This Device” “Ping networks” option on or off. This setting slightly varies what happens but neither fixes the problem.

Then turn WiFi off and on, waiting for Blokada to re-establish the VPN each time. On the front page of Blokada, click on the blue number of blocked ads and scroll down to the “Information” section to see what Blokada has set up.

On my phone:

  • WiFi > Mobile network doesn’t trigger a VPN change at the moment.
  • Mobile > WiFi triggers a VPN change every time, but rarely goes to “Network DNS” and “Encrypting DNS: No” correctly.
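The firewall policy from steps 1 to 5 of the reproduction above, written out as an nftables ruleset for the router’s forward chain. This is an added example, not code from the original post or from the Blokada project; it assumes a LAN of 192.168.1.0/24 on interface lan0, a local resolver at 192.168.1.2 and Cloudflare (1.1.1.1, 1.0.0.1) as the resolver’s upstream.

```nft
#!/usr/sbin/nft -f
# Added example: router forward-chain rules for steps 1, 3, 4 and 5 of the post.
# Step 2 (handing the resolver's IP to clients) belongs in the DHCP server, not here.
# Assumptions (not from the post): LAN 192.168.1.0/24 on lan0, resolver 192.168.1.2,
# upstream Cloudflare. Rule order matters: resolver accepts precede the LAN-wide drops.

define lan_if   = "lan0"
define lan_net  = 192.168.1.0/24
define resolver = 192.168.1.2
define upstream = { 1.1.1.1, 1.0.0.1 }

# Public resolvers that also answer DoH on TCP/443 (the list given in step 5).
define doh_hosts = { 8.8.8.8, 8.8.8.4, 1.1.1.1, 1.0.0.1, 1.1.1.2, 1.0.0.2,
                     1.1.1.3, 1.0.0.3, 9.9.9.9, 149.112.112.112, 9.9.9.10,
                     149.112.112.10, 64.6.64.6, 64.6.65.6, 8.26.56.26,
                     8.20.247.20, 77.88.8.0/25 }

table inet dns_policy {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # Step 1: clients may reach the local resolver on Do53, DoT and DoH ports.
        iifname $lan_if ip saddr $lan_net ip daddr $resolver udp dport 53 accept
        iifname $lan_if ip saddr $lan_net ip daddr $resolver \
            tcp dport { 53, 853, 443 } accept

        # Step 3: only the resolver may talk to the chosen upstream
        # (this accept must sit above the step 4/5 drops, since 1.1.1.1 is in doh_hosts).
        ip saddr $resolver ip daddr $upstream udp dport 53 accept
        ip saddr $resolver ip daddr $upstream tcp dport { 53, 853, 443 } accept

        # Step 4: everything else from the LAN is denied plain DNS and DoT to the internet.
        iifname $lan_if udp dport 53 drop
        iifname $lan_if tcp dport { 53, 853 } drop

        # Step 5: deny HTTPS to the well-known DoH resolvers so clients cannot
        # bypass step 4 over port 443.
        iifname $lan_if ip daddr $doh_hosts tcp dport 443 drop
    }
}
```

Load it with nft -f; because the drops are logged nowhere, add a `log prefix` before each drop if you want to see which client is trying to bypass the local resolver.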