GrapheneOS · liamsmith827 · Mar 7, 2026
diff --git a/DnsProxyListener.cpp b/DnsProxyListener.cpp
@@ -940,8 +940,9 @@ void DnsProxyListener::GetAddrInfoHandler::run() {
     NetworkDnsEventReported event;
     initDnsEvent(&event, mNetContext);
     const bool isUidBlocked = isUidNetworkingBlocked(mNetContext.uid, mNetContext.dns_netid);
-    if (isUidBlocked) {
-        LOG(INFO) << "GetAddrInfoHandler::run: network access blocked";
+    bool isLockdownVpnBlockingDns = gResNetdCallbacks.check_lockdown_vpn_blocking_dns(&mNetContext);
+    if (isUidBlocked || isLockdownVpnBlockingDns) {
+        LOG(INFO) << "GetAddrInfoHandler::run: network or DNS server access blocked";
         rv = EAI_FAIL;
     } else if (startQueryLimiter(uid)) {
         const char* host = mHost.starts_with('^') ? nullptr : mHost.c_str();
@@ -1155,8 +1156,9 @@ void DnsProxyListener::ResNSendHandler::run() {
     NetworkDnsEventReported event;
     initDnsEvent(&event, mNetContext);
     const bool isUidBlocked = isUidNetworkingBlocked(mNetContext.uid, mNetContext.dns_netid);
-    if (isUidBlocked) {
-        LOG(INFO) << "ResNSendHandler::run: network access blocked";
+    bool isLockdownVpnBlockingDns = gResNetdCallbacks.check_lockdown_vpn_blocking_dns(&mNetContext);
+    if (isUidBlocked || isLockdownVpnBlockingDns) {
+        LOG(INFO) << "ResNSendHandler::run: network or DNS server access blocked";
         ansLen = -ECONNREFUSED;
     } else if (startQueryLimiter(uid)) {
         if (evaluate_domain_name(mNetContext, rr_name.c_str())) {
@@ -1379,8 +1381,9 @@ void DnsProxyListener::GetHostByNameHandler::run() {
     NetworkDnsEventReported event;
     initDnsEvent(&event, mNetContext);
     const bool isUidBlocked = isUidNetworkingBlocked(mNetContext.uid, mNetContext.dns_netid);
-    if (isUidBlocked) {
-        LOG(INFO) << "GetHostByNameHandler::run: network access blocked";
+    bool isLockdownVpnBlockingDns = gResNetdCallbacks.check_lockdown_vpn_blocking_dns(&mNetContext);
+    if (isUidBlocked || isLockdownVpnBlockingDns) {
+        LOG(INFO) << "GetHostByNameHandler::run: network or DNS server access blocked";
         rv = EAI_FAIL;
     } else if (startQueryLimiter(uid)) {
         const char* name = mName.starts_with('^') ? nullptr : mName.c_str();
@@ -1543,8 +1546,9 @@ void DnsProxyListener::GetHostByAddrHandler::run() {
     initDnsEvent(&event, mNetContext);
 
     const bool isUidBlocked = isUidNetworkingBlocked(mNetContext.uid, mNetContext.dns_netid);
-    if (isUidBlocked) {
-        LOG(INFO) << "GetHostByAddrHandler::run: network access blocked";
+    bool isLockdownVpnBlockingDns = gResNetdCallbacks.check_lockdown_vpn_blocking_dns(&mNetContext);
+    if (isUidBlocked || isLockdownVpnBlockingDns) {
+        LOG(INFO) << "GetHostByAddrHandler::run: network or DNS server access blocked";
         rv = EAI_FAIL;
     } else if (startQueryLimiter(uid)) {
         // From Android U, evaluate_domain_name() is not only for OEM customization, but also tells

diff --git a/DnsResolver.cpp b/DnsResolver.cpp
@@ -44,6 +44,7 @@ bool resolv_init(const ResolverNetdCallbacks* callbacks) {
         gResNetdCallbacks.tagSocket = callbacks->tagSocket;
         gResNetdCallbacks.evaluate_domain_name = callbacks->evaluate_domain_name;
     }
+    gResNetdCallbacks.check_lockdown_vpn_blocking_dns = callbacks->check_lockdown_vpn_blocking_dns;
     android::net::gDnsResolv = android::net::DnsResolver::getInstance();
     return android::net::gDnsResolv->start();
 }

diff --git a/include/netd_resolv/resolv.h b/include/netd_resolv/resolv.h
@@ -129,6 +129,8 @@ typedef int (*tagSocketCallback)(int sockFd, uint32_t tag, uid_t uid, pid_t pid)
 typedef bool (*evaluate_domain_name_callback)(
     const android_net_context &netcontext, const char *host);
 
+typedef bool (*check_lockdown_vpn_blocking_dns_callback)(android_net_context* netcontext);
+
 /*
  * Some functions needed by the resolver (e.g. checkCallingPermission()) live in
  * libraries with no ABI stability guarantees, such as libbinder.so.
@@ -141,6 +143,7 @@ struct ResolverNetdCallbacks {
     log_callback log;
     tagSocketCallback tagSocket;
     evaluate_domain_name_callback evaluate_domain_name;
+    check_lockdown_vpn_blocking_dns_callback check_lockdown_vpn_blocking_dns;
 };
 
 #define TAG_SYSTEM_DNS 0xFFFFFF82