OWASP category: MASVS-NETWORK: Network Communication
Overview
Insecure DNS configurations can occur when developers customize an application's DNS transport behavior or bypass device defaults, or when a user specifies a private DNS server in Android 9 and later. Deviating from known-good DNS configurations can leave users vulnerable to attacks such as DNS spoofing or DNS cache poisoning, which allow an attacker to redirect user traffic to malicious sites.
Impact
If a network attacker is able to spoof DNS, they can discreetly redirect the user to a website they control without arousing the user's suspicion. Such a website could, for example, phish the user for personally identifiable information, cause a denial of service for the user, or forward the user to other websites without notification.
Risk: Vulnerable DNS Transport Security
Custom DNS configurations may allow apps to bypass Android's built-in transport security for DNS in Android 9 and higher.
Mitigations
Use the Android OS to handle DNS traffic
Allow the Android OS to handle DNS resolution. Since SDK level 28, Android has secured DNS transport with DNS over TLS, and since SDK level 30 with DNS over HTTP/3.
Use SDK level >=28
Update the SDK level to at least 28. Note that this mitigation requires communication with well-known, secure public DNS servers, such as those that can be found here.
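The two mitigations above both come down to one rule: let the platform resolver carry DNS traffic instead of an app-level client speaking plaintext UDP to a hardcoded server. The following helper is an added example written for this page; it is not code from the Android framework or from the MASVS project. It assumes a minSdk of 23 (for ConnectivityManager.getActiveNetwork), and that the app declares the INTERNET and ACCESS_NETWORK_STATE permissions. The class name PlatformDnsHelper and the method names are hypothetical; the framework calls it uses (android.net.DnsResolver on API 29+, Network.getAllByName, LinkProperties.isPrivateDnsActive on API 28+) are real.

```java
import android.content.Context;
import android.net.ConnectivityManager;
import android.net.DnsResolver;
import android.net.LinkProperties;
import android.net.Network;
import android.os.Build;
import android.os.CancellationSignal;

import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.Executor;
import java.util.concurrent.Executors;

/**
 * Hypothetical helper (not part of the Android framework). Every lookup goes
 * through the system resolver, so the OS-managed transport (DNS over TLS, or
 * DNS over HTTP/3 where the device supports it) is used and the user's
 * Private DNS setting is honored. The app never opens its own UDP/53 socket.
 */
public final class PlatformDnsHelper {
    private static final Executor EXECUTOR = Executors.newSingleThreadExecutor();

    private PlatformDnsHelper() {}

    /**
     * Resolves {@code hostname} on the device's active network.
     * API 29+: android.net.DnsResolver, the public asynchronous resolver API.
     * Older releases: Network.getAllByName, which also uses the system
     * resolver rather than a server chosen by the app.
     */
    public static CompletableFuture<List<InetAddress>> resolve(Context context, String hostname) {
        CompletableFuture<List<InetAddress>> result = new CompletableFuture<>();
        ConnectivityManager cm =
                (ConnectivityManager) context.getSystemService(Context.CONNECTIVITY_SERVICE);
        Network network = cm.getActiveNetwork(); // null when no network is up
        if (network == null) {
            result.completeExceptionally(new UnknownHostException("no active network"));
            return result;
        }

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            DnsResolver.getInstance().query(
                    network,
                    hostname,
                    DnsResolver.FLAG_EMPTY,        // default cache and retry behavior
                    EXECUTOR,
                    new CancellationSignal(),
                    new DnsResolver.Callback<List<InetAddress>>() {
                        @Override
                        public void onAnswer(List<InetAddress> answer, int rcode) {
                            // rcode 0 is NOERROR; anything else is a resolver-level failure
                            if (rcode == 0 && !answer.isEmpty()) {
                                result.complete(answer);
                            } else {
                                result.completeExceptionally(
                                        new UnknownHostException(hostname + " rcode=" + rcode));
                            }
                        }

                        @Override
                        public void onError(DnsResolver.DnsException error) {
                            result.completeExceptionally(error);
                        }
                    });
        } else {
            EXECUTOR.execute(() -> {
                try {
                    result.complete(Arrays.asList(network.getAllByName(hostname)));
                } catch (UnknownHostException e) {
                    result.completeExceptionally(e);
                }
            });
        }
        return result;
    }

    /**
     * Reports whether Private DNS (DNS over TLS) is active on the current
     * network, so the app can surface it in diagnostics. Always false below
     * API 28, where the platform offers no DNS transport security to check.
     */
    public static boolean isPrivateDnsActive(Context context) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.P) {
            return false;
        }
        ConnectivityManager cm =
                (ConnectivityManager) context.getSystemService(Context.CONNECTIVITY_SERVICE);
        Network network = cm.getActiveNetwork();
        if (network == null) {
            return false;
        }
        LinkProperties lp = cm.getLinkProperties(network);
        return lp != null && lp.isPrivateDnsActive();
    }
}
```

The design choice worth noting is that neither code path names a DNS server: the platform decides which resolver to contact and over which transport, which is exactly what a custom resolver gives up. The isPrivateDnsActive check is read-only and is useful for logging or for a support screen; it does not and should not change how the app resolves names.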
Resources
- Resolve DNS queries
- Java reference for DnsResolver Class
- Android Security Blog post about DNS-over-HTTP/3
- Overview of secure transport for DNS
- Android Developer Blog post about DNS over TLS
