Insecure DNS Setup

OWASP category: MASVS-NETWORK: Network Communication

Overview

Insecure DNS configurations can occur when developers customize an application's DNS transport behavior or bypass device defaults, or when a user specifies a private DNS server in Android 9 and later. Deviating from known good DNS configurations can leave users vulnerable to attacks such as DNS spoofing or DNS cache poisoning, which allow attackers to redirect user traffic to malicious sites.

Impact

If a malicious network attacker is able to spoof DNS, they can discreetly redirect the user to a website they control, without arousing the user's suspicion. This malicious website could, for example, phish the user for personally identifiable information, cause a denial of service for the user, or redirect the user to websites without notification.

Risk: Vulnerable DNS Transport Security

Custom DNS configurations may allow apps to bypass Android's built-in transport security for DNS in Android 9 and higher.

Mitigations

Use the Android OS to handle DNS traffic

Allow the Android OS to handle DNS. Since SDK level 28, Android has added security to DNS transport through DNS over TLS, and then DNS over HTTP/3 in SDK level 30.
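
The following Kotlin example is added here and is not part of the original page. It resolves a host name only through the OS resolver and reports whether Private DNS (DNS over TLS) is active on the current network. The names DnsState, currentDnsState, resolveViaPlatform and the log tag are hypothetical, and the app is assumed to hold the ACCESS_NETWORK_STATE permission.

```kotlin
import android.content.Context
import android.net.ConnectivityManager
import android.os.Build
import android.util.Log
import java.net.InetAddress
import java.net.UnknownHostException

private const val TAG = "PlatformDns" // hypothetical log tag

/** Snapshot of the active network's DNS transport state (hypothetical helper type). */
data class DnsState(val privateDnsActive: Boolean, val privateDnsServer: String?)

/** Reads whether the OS currently uses Private DNS on the active network. */
fun currentDnsState(context: Context): DnsState? {
    // Private DNS (DNS over TLS) exists only from SDK level 28.
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.P) return null
    val cm = context.getSystemService(ConnectivityManager::class.java) ?: return null
    val network = cm.activeNetwork ?: return null
    val props = cm.getLinkProperties(network) ?: return null
    // privateDnsServerName is null unless the user configured a specific host name.
    return DnsState(props.isPrivateDnsActive, props.privateDnsServerName)
}

/**
 * Resolves a host through the OS resolver only: no custom resolver library,
 * no hard-coded DNS server address, no app-owned socket to port 53.
 * The lookup blocks, so call it from a background thread.
 */
fun resolveViaPlatform(context: Context, host: String): List<InetAddress> {
    val state = currentDnsState(context)
    if (state == null || !state.privateDnsActive) {
        // Surface the weaker transport so it can be logged or reported.
        Log.w(TAG, "Private DNS is not active on this network")
    }
    val network = context.getSystemService(ConnectivityManager::class.java)?.activeNetwork
    return try {
        // Both calls hand the query to the system resolver, which applies
        // the device's DNS transport settings.
        (network?.getAllByName(host) ?: InetAddress.getAllByName(host)).toList()
    } catch (e: UnknownHostException) {
        Log.w(TAG, "Lookup failed for $host", e)
        emptyList()
    }
}
```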

Use SDK level >=28

Update the SDK level to at least 28. Note that this mitigation requires communication with well-known and secure public DNS servers such as can be found here.

Resources