
Users Say Google's VPN App Breaks the Windows DNS Settings (arstechnica.com)

An anonymous reader shares a report: Google offers a VPN via its "Google One" monthly subscription plan, and while it debuted on phones, a desktop app has been available for Windows and Mac OS for over a year now. Since a lot of people pay for Google One for the cloud storage increase for their Google accounts, you might be tempted to try the VPN on a desktop, but Windows users testing out the app haven't seemed too happy lately. An open bug report on Google's GitHub for the project says the Windows app "breaks" the Windows DNS, and this has been ongoing since at least November.

A VPN would naturally route all your traffic through a secure tunnel, but you've still got to do DNS lookups somewhere. A lot of VPN services also come with a DNS service, and Google is no different. The problem is that Google's VPN app changes the Windows DNS settings of all network adapters to always use Google's DNS, whether the VPN is on or off. Even if you change them, Google's program will change them back. Most VPN apps don't work this way, and even Google's Mac VPN program doesn't work this way. The users in the thread (and the ones emailing us) expect the app, at minimum, to use the original Windows settings when the VPN is off. Since running a VPN is often about privacy and security, users want to be able to change the DNS away from Google even when the VPN is running.
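
One way to confirm the behaviour described in the summary on your own machine is to compare each adapter's DNS servers against a saved baseline. This is an added example, not code from the article or from Google; it assumes "Google's DNS" means the Google Public DNS addresses, and the adapter names and sample resolvers in it are constructed.

```powershell
# Added example, not from the article or the Google One project.
# Assumption: "Google's DNS" means the Google Public DNS addresses below.
$GoogleDns = @('8.8.8.8', '8.8.4.4', '2001:4860:4860::8888', '2001:4860:4860::8844')

function Get-DnsSnapshot {
    # One record per adapter and address family that has DNS servers configured.
    Get-DnsClientServerAddress |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Key     = '{0}|{1}' -f $_.InterfaceAlias, $_.AddressFamily
                Servers = @($_.ServerAddresses)
            }
        }
}

function Compare-DnsSnapshot {
    # Emit one row per adapter whose resolver list differs from the baseline.
    param([object[]]$Baseline, [object[]]$Current)
    $known = @{}
    foreach ($b in $Baseline) { $known[$b.Key] = ($b.Servers -join ',') }
    foreach ($c in $Current) {
        $now = $c.Servers -join ','
        if ($known[$c.Key] -ne $now) {
            [pscustomobject]@{
                Adapter   = $c.Key
                Was       = $known[$c.Key]
                Now       = $now
                # True when every configured resolver is a Google Public DNS address.
                AllGoogle = -not ($c.Servers | Where-Object { $_ -notin $GoogleDns })
            }
        }
    }
}

# Constructed sample data (adapter names and resolver addresses are made up).
$baseline = @(
    [pscustomobject]@{ Key = 'Ethernet|2'; Servers = @('192.168.1.1') }
    [pscustomobject]@{ Key = 'Wi-Fi|2';    Servers = @('10.0.0.53', '10.0.0.54') }
)
$current = @(
    [pscustomobject]@{ Key = 'Ethernet|2'; Servers = @('8.8.8.8', '8.8.4.4') }
    [pscustomobject]@{ Key = 'Wi-Fi|2';    Servers = @('10.0.0.53', '10.0.0.54') }
)
Compare-DnsSnapshot -Baseline $baseline -Current $current | Format-Table -AutoSize

# Live use: save (Get-DnsSnapshot) as the baseline before installing the app,
# then pass a fresh Get-DnsSnapshot as -Current after changing settings back.
```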

  • Are they taking control of the whole IP stack? If not, it should be easy to change things back in the resolver and/or by modifying your routing. Probably simpler to use a sane VPN link provider, though. Let me guess, of course Google's VPN is "free", isn't it?

    • by DewDude ( 537374 )

      My router NATs any request on port 53 to my local DNS. I haven't stepped this up to attempt to redirect dns over https; but it catches a lot of stuff with hardcoded DNS.

    • It's just that Google is slowly transforming the internet into Googlenet, and makes sure that you're trapped into it one part at a time.

      It's back to the beginning of the internet with all the walled-in provider fiefdoms.

    • That's where Slashdot is at now. Peeps commenting without going further than the headline.

      The answer to your question is in the summary: as long as the app is running, it changes the settings back, whether the VPN is connected or not.

      • by ls671 ( 1122017 )

        DNS settings and routing settings are different things, my point was that there could be a way around it like changing the routing and redirect to your local DNS at your router like another user posted above but it is simpler to not use google's vpn or any other google software for that matter.

        You didn't tell me if google's vpn is free, which I suspect it must be!

    • Are they taking control of the whole IP stack?

      To answer that question I invite you to read TFS.

  • by Anonymous Coward on Wednesday April 03, 2024 @12:08PM (#64366954)

    Google is using DNS queries to harvest information on web traffic for marketing purposes. So anytime you use their DNS, you're allowing them to collect that information for marketing and resell it to other people.

    By enforcing the use of Google DNS even when the VPN is not on, they are getting extra value out of you by basically logging all of your DNS queries for marketing purposes so they can track you. They are using the IP range that you're posting from as well as TCPIP headers to get things like your Mac address and use that as a way to uniquely identify you.

    They are intentionally not allowing you to opt out of this DNS query stuff and treating it as a bug when in reality this is a core part of their service in order to onboard more people into their DNS service for tracking.

    Thing is, you didn't opt in, so this is illegal, right??

    • by ls671 ( 1122017 ) on Wednesday April 03, 2024 @12:17PM (#64366984) Homepage

      They are using the IP range that you're posting from as well as TCPIP headers to get things like your Mac address and use that as a way to uniquely identify you.

      MAC addresses are not sent in any TCPIP headers, it happens at another layer and is resolved locally by arp. Hey! But don't worry! That google software you voluntarily install on your computer can read your MAC address and send it to google in the payload of a tcpip packet, not in the header though.

      • by PPH ( 736903 )

        That google software you voluntarily install on your computer

        ... undoubtedly has a GUID embedded in it. No need for a MAC address (and no ability to obfuscate your identity by rewriting it).

    • by kalpol ( 714519 )
      Google is using every one of their products to harvest information. They don't do anything that doesn't pull in data for them to harvest.
    • I call bullshit.

      Prove it. In court. Make headlines and collect your millions.

      Or you are a liar.

    • by Anonymous Coward

      you didn't opt in, so this is illegal, right??

      Did this hypothetical user know that the software does this? Well, they do now! And does this hypothetical user decide to run the software in question anyway, despite knowing what it does?

      If so, they opted in.

      It's pretty ridiculous to use any sort of proprietary VPN, IMHO, though. Just pick either OpenVPN (in the past) or Wireguard (in modern times), and then choose from any number of commodity servers/clients that use that protocol.

      Why would anyone use Google V

    • Neither MAC addresses nor IP addresses are unique enough for identification. They are not even unique on any large enough network.

  • This isn't the worst way to do it. One of my customers uses a VPN client that intercepts DNS lookups with a filter driver. In applications and the UI it *looks like* you're talking to one DNS server, but a network trace shows no DNS traffic at all because it's being shoveled across an https connection back to their managed cloud service with the reliability of (insert colorful metaphor here about Florida drivers on Wisconsin roads in a blizzard in January).

    This makes troubleshooting awful. :|

    • by ls671 ( 1122017 )

      This makes troubleshooting awful. :|

      Yep, dns over https is awful from a security standpoint. Although it has always been a good idea, requiring all users to use a proxy to connect to the web is even more relevant now, you can block dns over httpd there with mod_security rules or what not. All bets are off if users are able to use a vpn though, so maybe force SOCKS proxy usage as well with appropriate filters or only allow http.

      For vpns, using vpns might actually be less secure and easier to track when you don't know what the vpn provider is doi

  • If you are using a VPN for privacy, then it makes absolutely no sense to use Google. I do not understand how a Google VPN would provide any value to a user.

    • Since most VPN outlets are known, it makes no sense to even use one for Netflix or whatever else because they'll block them anyway. I use the things in hotels (in my job I often spend >200 days in hotels a year) and that kind of thing because it confounds some asshole (like me) from sniffing your wireless traffic. Admittedly, with the shift towards most sites using HTTPS it's far less of an issue than it used to be. One notable exception is if you're going to be running torrents and having to dodge the m
      • by PPH ( 736903 )

        Since most VPN outlets are known

        Commercial VPNs. I can set up a VPN service on the PC in my condominium in Monaco. Log in to my bank there from my home here and circumvent US capital controls.

        • by ls671 ( 1122017 )

          Exactly, I am basically always on vpn but ones I have full control over, both servers and client config. Using commercial vpns might even put you more at risk. I never used a commercial vpn even once myself.

        • Commercial VPNs. I can set up a VPN service on the PC in my condominium in Monaco. Log in to my bank there from my home here and circumvent US capital controls.

          If that exit address belongs only to you it is not really very anonymous.

    • by Bert64 ( 520050 )

      Depends who you want privacy from.

  • Isn't Google the #1 company you are trying to keep your information away from? It makes no sense to use a VPN made by companies like Google or Meta!

    Next you will tell me that I should use PutinVPN when I talk about Russian oligarchs and PRCVPN to discuss my thoughts on China and Taiwan.

  • by FritzTheCat1030 ( 758024 ) on Wednesday April 03, 2024 @01:15PM (#64367186)
    Google: Do Know Evil
  • The mac client from ovpn.com does the same thing, hijacks your DNS settings even when the VPN is not connected.
    This breaks a lot of things, for instance if you have internal DNS which resolves the names of your own devices (very common on a corporate network), or if you have a DNS service which implements DNS64 etc.

  • So this is an open invite for Fair-phone and Pine-Phone or any other privacy-respecting, no-datamining smartphone company into the USA's smartphone market. Please save the US consumers from these criminals that have monopolized the US smartphone market.
  • Just use Private Internet Access. Of all the (many) VPN providers I have used, they have the least bullshit and the best features/pricing.

    They legitimately don't keep logs, they never associate your real information with your 'user ID' that comes out as a string of letters and numbers. They don't even limit the number of devices or amount of traffic you use because... they'd have to log who you are to do that.

    I get >500Mbps on a gigabit line with every endpoint in the eastern US. Even far-afield en
  • And hoover up your data for sale. To the highest bidder of course!
  • I see this as a very short term issue. Google vpn service will be dead by the middle of next year anyway.

  • And everything based on Chromium. Google seems to be outright allergic to letting the system's DNS resolver do its job. And as we just got done with experiencing at work, it turns out Chromium also likes to hang for about 30 seconds per DNS request before falling back to the system's resolver. Ever see the BBC homepage take 18 minutes to load? Prevent access to DNS other than the designated servers for the LAN and Chromium gets that bitchy.
