DNS traffic can leak outside the VPN tunnel on Android


Will it end up like Apple and never fixed?

Not to big of a suprise as there have already been other instances of traffic being routed past the VPN on Android phones for connectivity checks.


Even on GrapheneOS the captive portal checks ignore any vpn (although I think you can turn off these checks in the settings on GOS)

4.2 Activation network interface

A captive portal check is already carried out during the boot process, provided that a network interface (WiFi, Mobile) is active. If the device is switched to flight mode in the meantime and a network interface is activated again, a captive portal check is initiated again. This means a new connection to establish connectivitycheck.grapheneos.network. What strikes this: The connections are not tunnelled by the VPN, but are guided past it. This made me taken aback, because even if the option is done with the VPN connection Verbindungen ohne VPN blockierenis active, the captive portal checks are simply tunneled past the VPN. From my point of view, this is problematic


Identified scenarios where the Android OS can leak DNS traffic:

If a VPN is active without any DNS server configured.
For a short period of time while a VPN app is re-configuring the tunnel or is being force stopped/crashes.

Our app currently does not set any DNS server in its blocking state.
We will work around the OS bug by setting a bogus DNS server for now.

We can potentially minimize the amount of times a tunnel re-configuration happens, but we currently don’t think this leak can be fully prevented.

Google Issue Tracker


FYI android notifications bypass VPN, same for captive portals. Always been the case.

I tried searching online but couldn’t find any reports, mind sharing?

1 Like

i am seeing notifications as an insecure thing more and more.

It is very easy to test this.

Create a dummy wireguard profile and connect to it, of course you won’t have access to internet. But you will still be able to receive notifications from apps that uses Firebase.

I just tested this right now on Android 14

1 Like

fking hell, i bet FAANG knew about this and didn’t tell.

Did you set the VPN to “Always-on” and “Block connections without VPN”? Also, is this on Stock Android, or an alternate OS?

If what you’re saying is accurate, that’s a new discovery, and likely not intended behavior. I’d file reports for your findings for sure if you can replicate it.

Why do you think this would’ve been intentional? I don’t quite understand the motive for Google to do this.

i didn’t thought like ever that notifications could spy on us.

If you look at the Google issue tracker that I linked Google even alludes to having a list of communications that bypass the VPN and they seemingly don’t understand why that would be an issue. Most of that tracker issue is Mullvad desperatly trying to explain why communications being exempt from the VPN is a privacy issue.

the connectivity checks are far from the only thing exempted from the VPN ; privileged apps can also bypass the VPN and this is necessary for their operation in many cases. An example is IWLAN, or tethering traffic.

The connectivity checks issue is a bit more complicated though, as they are an AOSP system component, and connectivity checks do serve a legitimate and important purpose not being routed through the VPN (i.e. Captive Portals). (Though to be clear, I do think that Google should add a toggle to disable connectivity checks like what’s present on GrapheneOS)

Notifications are different though, since not only is FCM not apart of AOSP, but I also just can’t think of any legitimate functionality they’d need that requires bypassing a VPN connection. There doesn’t seem to be any documentation around it, and I’ve never seen anyone point this out before besides @Fibonacci, so if this is actually happening, it’s new knowledge, and I think it would be beneficial to report to them to figure out if its actually intentional or not.

Overall, Google’s replies on the issue about this were very ambiguous imo, and I agree with Mullvad that Google needs to properly document what connections are made outside of the VPN and why, regardless of whether this FCM bypass is actually happening or not.

(I’ll clarify that I’m also saying this under the presumption that Fibonacci is on a stock OS, as if this was on an OS that doesn’t run privileged Play Services, then this shouldn’t be possible to happen, as long as they enabled “Always-on VPN” and “Block connectons without VPN”).

You CAN disable connectivity checks through ADB on regular android, but yeah a UI toggle would be nice for non graphene /divestos users

Configuring private DNS in Android settings plus VPN can help solve the problem?

does quad9 help?

I ask because in this article they say to configure private DNS on Android to overcome the problem in addition to VPN, what do you think?

So I made few tests about this.

This happens when I use the kernel module backend for wireguard.

As you can see in the screenshot, I’m connected to a dummy vpn, I don’t have internet access at all, but I still can receive Firebase push notifications.

This doesn’t happen when I use the userspace backend of wireguard.


Which OS is this? How can I configure the Wireguard app with the kernel module backend for wireguard? I would like to test it myself but not sure how to.