vpn-libraries
vpn-libraries copied to clipboard
google
[BUG] Google VPN BREAKING Windows 11 DNS assignment settings.
This VPN BREAKS DNS functionality in windows 11, it locks the system DNS to google DNS servers under the network settings.
- Settings -> Network & Internet -> Ethernet Leave this open, and set on Automatic DHCP.
- Connect to Google VPN, it will change your DNS setting to manual google DNS servers.
- Disconnect, and keep an eye on the settings window we left opened, it will stay stuck to the google DNS settings, not the automatic DHCP, breaking ANY dns functionality of your computer.
Even after a restart, closing the google VPN app, or disconnecting the DNS settings are stuck on a manual assignment. This is unacceptable. In order to use the google one vpn, one needs to manually go into network settings and toggle back on the auto assignment.
This is a serious issue, it happens on all windows 11 computers ive tested. MAJOR ISSUE. Please address when an ETA to fix this will be done.
Why is this a huge issue? If you use TLS or Encrypted DNS the google 8.8.8.8 will break this configuration. I use encrypted dns with ECH, with google none of this is available putting my security at risk when the vpn is off. If you have custom dns for work, firewalls, or family safety/filtering - again the vpn will break it. This was causing a huge headache for me but i discovered the google VPN has a huge bug with not reseting DNS back into the state it was before turning on.
Best solution is to go into network settings on windows 11 and set it back to what you used on the IPV4/V6 previously. Note this doesnt do this on mac, only windows.
@google-admin @google-ospo-team @googlebot @anefabo @smhendrickson Please let us know when a fix is assigned for this.
@joetimmy @ceedveed
I honesty don't understand why a VPN client who isn't supposed to be logging anything according to their documentation, has a few functions (AddDnsServersToInterface and AddDnsToAllInterfaces) to purposely alter your DNS to their public use entries - which the public DNS documentation says it's kept for 1-2 days and can still be retrieved from government entities (which infers logging beyond the time stated to correlate your IP and requests to identify you).
The documentation directly contradicts itself and this is unnecessary change to our systems by Google that needs to be reported higher than a bug on github. Google doesn't get to double-dip here and also hijack all of our DNS requests. This is especially annoying since I use DNS over HTTPS from another company so I can use special curated lists to filter/block traffic for all of my devices - which this bypasses until reset. I also assume this "bug" will not be actioned because this is purposely coded to behave this way - the functions are labeled "Add" there is no "remove" or "reset" function I've found. Best case, they remove those two functions entirely.
That said, until this is addressed, I've set a simple PowerShell script that runs this on startup:
Get-DnsClientServerAddress | Set-DnsClientServerAddress -ResetServerAddresses
Run it elevated as a delayed scheduled task so that when Windows starts and Google One VPN starts, it has a minute and then runs the command to reset your network IPv4 and IPv6 adapters to default. Because make no mistake, every single interface alias is altered by Google here.
google is ignoring this issue and will not address this massive security problem.
@google-admin @google-ospo-team @googlebot @anefabo @smhendrickson
Please address this.
This needs to be escalated, someone please forward this to some google developers who can escalate the problem.
I experienced this and found this issue thread. Not sure how to escalate this but sounds like something I'd read on a news article tbh like this seems serious
Hey folks, thank you for reporting this behaviour.
To protect users privacy, the Google One VPN deliberately sets DNS to use Google's DNS servers. This prevents a nefarious DNS server (that might be set by DHCP) compromising your privacy. Visit https://developers.google.com/speed/public-dns/privacy to learn about the limited logging performed by Google DNS.
We think this is a good default for most users. However, we do recognize that some users might want to have their own DNS, or have the DNS revert when VPN disconnects. We'll consider adding this to a future release of the app.
@ryanl Thank you for your response, but the way in which this is done seems contrary to the purported goal of user privacy.
This makes sense to do while Google One is active, but this program has absolutely no business changing all present NICs to a separate DNS on the startup of my computer while the program is not set to "Launch app after computer starts". This recent change interfered with my computer's ability to access a network implementing a private DNS filter. This has broken my trust and I will not be reinstalling this program until this is remedied
I uninstalled Google VPN, reverted the network adapter to use the router provided DNS server.... it still refused to use anything other than 8.8.8.8. I finally figured out that, despite my network adapter being configured to "Obtain DNS server addresses automatically", I still had to go into advanced settings and remove 8.8.8.8 in the DNS tab and finally restart the network adapter to get my computer to use my local unbound DNS server.
This is unacceptable and has absolutely nothing to do with security and everything to do with data harvesting by Google.
If I uninstall Google VPN, this behavior should be reverted to the behavior prior to installing google VPN. In my opinion, google conveniently leaving 8.8.8.8 behind in a place that would be difficult for the normal user to find puts this firmly into the "malware for the purposes of data harvesting" category.
I uninstalled Google VPN, reverted the network adapter to use the router provided DNS server.... it still refused to use anything other than 8.8.8.8...
On Win 10 I did a 'Network Reset' and remade my connections and that worked. Looked to me like the Google changes applied to every connection!!
We think this is a good default for most users.
I get the idea, but this should be configurable. Also keep in mind this will break local domain names usually resolved by the router, like the router's configuration page.
Silently breaking this will keep less tech savvy users stranded with no more access to their router settings, potentially even making them believe they've been hacked or their hardware is broken.
In addition, this still leaves the possibility of a malicious party rerouting traffic destined for Google DNS, essentially mitigating the whole idea.
This is crazy for Google to determine who my DNS provider is. I lost all my nextDNS filtering and had to manually recover every NIC connection. Win 10 here. While it may be one thing to switch to Google during the VPN session - making manual DNS settings on my computer is not appreciated.
@joetimmy @ceedveed I honesty don't understand why a VPN client who isn't supposed to be logging anything according to their documentation, has a few functions (
AddDnsServersToInterfaceandAddDnsToAllInterfaces) to purposely alter your DNS to their public use entries - which the public DNS documentation says it's kept for 1-2 days and can still be retrieved from government entities (which infers logging beyond the time stated to correlate your IP and requests to identify you).The documentation directly contradicts itself and this is unnecessary change to our systems by Google that needs to be reported higher than a bug on github. Google doesn't get to double-dip here and also hijack all of our DNS requests. This is especially annoying since I use DNS over HTTPS from another company so I can use special curated lists to filter/block traffic for all of my devices - which this bypasses until reset. I also assume this "bug" will not be actioned because this is purposely coded to behave this way - the functions are labeled "Add" there is no "remove" or "reset" function I've found. Best case, they remove those two functions entirely.
That said, until this is addressed, I've set a simple PowerShell script that runs this on startup:
Get-DnsClientServerAddress | Set-DnsClientServerAddress -ResetServerAddressesRun it elevated as a delayed scheduled task so that when Windows starts and Google One VPN starts, it has a minute and then runs the command to reset your network IPv4 and IPv6 adapters to default. Because make no mistake, every single interface alias is altered by Google here.
Hello,
I have to take an online test for a management certification. Onevue the compatibility system of the online test fails every time after several research I understood that it was due to google vpn who changed the dns. Even uninstalling google vpn and manually setting new dns addresses doesn't fix the problem. I've seen that there might be a solution with powershell script and the suggested script. I have to tell you that I am neither a programmer nor an advanced user. Can you explain step by step and in detail how to activate the powershell script and save it as a .ps1 or ps1xml file and what options to activate in the task scheduler so that the task runs at each startup. I'm sorry, but as I said, I'm not a programmer and I don't know anything about powershell scripting or using the task scheduler. I hope this will fix the problem, I've been working on it for 3 weeks and I haven't managed to fix it yet.
@samitunisia Double check you've properly edited/reset the DNS for both IPv4 as well as IPv6.
Also you can use the quoted PowerShell "script" on the command line. Just run "PowerShell" (or "Windows PowerShell"; it doesn't matter) and then insert the command as quoted like a regular shell command. No need to create a script here.
@ryanl
Hey folks, thank you for reporting this behaviour.
To protect users privacy, the Google One VPN deliberately sets DNS to use Google's DNS servers. This prevents a nefarious DNS server (that might be set by DHCP) compromising your privacy. Visit https://developers.google.com/speed/public-dns/privacy to learn about the limited logging performed by Google DNS.
We think this is a good default for most users. However, we do recognize that some users might want to have their own DNS, or have the DNS revert when VPN disconnects. We'll consider adding this to a future release of the app.
Just look how VyprVPN does it. Changes for the session and on exit replaces, as was, before starting the VPN. This way I revert to my local DNS servers and internal work URLs are not broken.
When fixed - Please notify back here in this thread so I'll know I can install Google VPN again.
New victim here! My primary dns server is always set to 8.8.8.8 which prevents windows domain functions in my company. Disconnecting vpn, uninstalling, rebooting. DHCP, static ip, none of them works. This is a program WITH MAJOR FLAW.
Have to do direct registry editing to remove 8.8.8.8 and restore Windows domain functions.
@tochichiang
Have to do direct registry editing to remove 8.8.8.8 and restore Windows domain functions.
You should be able to find in the Network properties and in both the IPv4 and IPv6 advance sections (the DNS tab) where they are listed and remove - maybe easier than editing registry..
@tochichiang
Have to do direct registry editing to remove 8.8.8.8 and restore Windows domain functions.
You should be able to find in the Network properties and in both the IPv4 and IPv6 advance sections (the DNS tab) where they are listed and remove - maybe easier than editing registry..
I tried that and it didn't work. Whatever I assign there, 8.8.8.8 is always inserted on top of them.
I tried that and it didn't work. Whatever I assign there, 8.8.8.8 is always inserted on top of them.
I just went to Network & Internet settings and did a Network reset and then set up the connection(s) again.
created an account just to comment. THANK YOU FOR SOLVING THIS. been looking forever for a solution. GOOGLE VPN messed up my PC settings -_-
It sucks, still not be solved :( Google please spend your time optimising products instead of advertising!
This needs to be a priority. Changing the user's DNS servers without notice and not undoing the change after the VPN is disabled is a major security concern in what is advertised as a security product.
@ryanl do you have an update on this for us, many including myself are waiting for some update on progress with this. The issue has been open since Nov 2023.
So I just noticed "VPN by Google One" in my Start Menu as "Recently installed", i.e. updated. I haven't used it for weeks (it doesn't start with Windows).
I check my IPv4 connection settings and it only lists "192.168.2.100" (my Pi-Hole) – great!
But just to be sure I look at the current connection's details and it lists "192.168.2.100, 8.8.8.8" as nameservers… WTF? Had to manually wipe "8.8.8.8" from the Windows registry to make it go away…
And just yesterday I was wondering why I'm suddenly getting YouTube ads on videos embedded in Discord (I am a Premium subscriber, but can't log in within Discord, obviously).
I understand why with a VPN google would want to make sure you are switching over to DNSSEC especially when you are probably not wanting your local ISP to be the DNS provider which is the easier vector to snoop on your traffic. And anyone on here would likely know how to setup a local DNS provider that would use DNSSec, but your average user isn't going to know how to do that. Also your average user is going to pretty stuck on figuring out how a local network resource might have vanished from their network when they turn their VPN off. Especially if the local DNS is being coordianted through their gateway rather than using a broadcast service. Google do better.
Here is how:
- By default change the DNS over to the VPN (and you better be using DNSSEC) makes sense for an average user, but give us the ability to override it in the setting if we don't want our DNS changed.
- You should change it back to the user's previous settings either default or the previous manual settings.
This DNS reset issue poses significant challenges even for "average" users who might not typically adjust these settings. Specifically, it disrupts the functionality of some captive portals, rendering them unable to load their login pages. This problem was notably encountered with the WiFi at a Hyatt hotel. Despite my decent proficiency, it took me a considerable amount of time to identify the source of the issue. Users lacking knowledge of network settings will find themselves at a loss, unsure of how to proceed. Moreover, the likelihood that technical support, if available, could diagnose such issues remotely is slim. Consequently, this issue could significantly undermine the value of the Google One VPN, especially for those with less technical expertise.
