The GrapheneOS DNS VPN change since 2024080200, I believe, which causes all DNS queries to be routed through the VPN connection, isn't necessarily a desirable behavior.
For those of us who use the Private DNS setting in Android to route DNS queries to a trusted DNS provider, maybe for logging and filtering, it renders this useless. However, DoH in apps like Chromium-based browsers can be used, but some browsers like Firefox and other apps that can’t be set can now no longer be monitored.
For VPN apps that allow for app exclusion, like Calyx VPN and RiseUp VPN, the excluded apps can no longer do DNS queries.
With VPN apps that do whole-system tunneling, that is to say, that don’t allow inclusion or exclusion of certain apps of the user’s choosing, I’m still seeing DNS queries being passed to my preferred DNS provider per the Private DNS setting in Android. I’ve tested this with ProtonVPN, so it seems that the “leak” is still there.
I prefer the original DNS behavior until a better solution arrives, and I’m seeing inconsistencies in VPN app behavior. There are apps that use the VPN routing as somewhat of a kludge for analyzing traffic or firewall use, so changing VPN behavior in this way may have unseen consequences. More thorough testing should be done in this area.
I would stress that maybe one should use the Private DNS setting in Android to perhaps prevent leaking DNS queries to your internet provider, that is, of course, if Android honors every query as per this setting.
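A way to check, from a connected workstation, which network Android is actually handing DNS queries to and whether Private DNS (DoT) is validated on that network. This is an added example, not code from the post above or from GrapheneOS; it parses the `NetworkAgentInfo` lines that `adb shell dumpsys connectivity` prints and assumes the LinkProperties field names `InterfaceName`, `DnsAddresses`, `UsePrivateDns`, `PrivateDnsServerName` and `ValidatedPrivateDnsAddresses` appear as in the constructed sample below (the sample itself, its addresses and the hostname `dns.example.invalid` are made up). The "VPN network wins when present" rule in `assess()` encodes the behaviour the post describes, so use the output as a prompt for a packet capture rather than as proof.

```python
import re
import sys
from dataclasses import dataclass

# Constructed sample modelled on `adb shell dumpsys connectivity` output.
# Two networks: Wi-Fi with validated Private DNS, and a whole-system VPN
# whose tun interface only offers a plaintext resolver.
SAMPLE_DUMPSYS = """\
NetworkAgentInfo{ ni{[type: WIFI[], state: CONNECTED]} network{100} lp{InterfaceName: wlan0 LinkAddresses: [ 192.168.1.23/24 ] DnsAddresses: [ /192.168.1.1 ] UsePrivateDns: true PrivateDnsServerName: dns.example.invalid ValidatedPrivateDnsAddresses: [ /203.0.113.53 ] Domains: null MTU: 1500 Routes: [ 0.0.0.0/0 -> 192.168.1.1 wlan0 ] } }
NetworkAgentInfo{ ni{[type: VPN[], state: CONNECTED]} network{101} lp{InterfaceName: tun0 LinkAddresses: [ 10.8.0.2/24 ] DnsAddresses: [ /10.8.0.1 ] UsePrivateDns: false Domains: null MTU: 1400 Routes: [ 0.0.0.0/0 -> 0.0.0.0 tun0 ] } }
"""


@dataclass
class NetInfo:
    kind: str                 # WIFI, MOBILE, VPN, ...
    iface: str                # wlan0, tun0, ...
    dns: list                 # plaintext resolvers offered by the network
    private_dns: bool         # UsePrivateDns flag
    private_dns_name: str     # hostname from the Private DNS setting, if any
    validated: list           # DoT endpoints Android has actually validated


def _grab(pattern, line, default=''):
    m = re.search(pattern, line)
    return m.group(1) if m else default


def _addr_list(block):
    # "[ /192.168.1.1,/192.168.1.2 ]" style content -> ["192.168.1.1", ...]
    return [a.strip().lstrip('/') for a in block.split(',') if a.strip()]


def parse_networks(text):
    """Extract one NetInfo per NetworkAgentInfo line (field names assumed)."""
    nets = []
    for line in text.splitlines():
        if 'NetworkAgentInfo' not in line:
            continue
        nets.append(NetInfo(
            kind=_grab(r'type: (\w+)', line, 'UNKNOWN'),
            iface=_grab(r'InterfaceName: (\S+)', line, '?'),
            dns=_addr_list(_grab(r'DnsAddresses: \[([^\]]*)\]', line)),
            private_dns=_grab(r'UsePrivateDns: (true|false)', line, 'false') == 'true',
            private_dns_name=_grab(r'PrivateDnsServerName: (\S+)', line),
            validated=_addr_list(_grab(r'ValidatedPrivateDnsAddresses: \[([^\]]*)\]', line)),
        ))
    return nets


def assess(nets):
    """Return (verdict, detail) for the network that DNS queries will use.

    Assumption taken from the post: when a VPN network is up, all queries go
    through it, so that is the network whose Private DNS state matters.
    """
    vpn = [n for n in nets if n.kind == 'VPN']
    target = vpn[0] if vpn else next(iter(nets), None)
    if target is None:
        return 'NO_NETWORK', 'no NetworkAgentInfo entries found'
    where = f'{target.kind}/{target.iface}'
    if target.private_dns and target.validated:
        name = target.private_dns_name or 'opportunistic'
        return 'PRIVATE_DNS_OK', f'{where}: DoT to {name} via {target.validated}'
    if target.private_dns:
        return 'PRIVATE_DNS_UNVALIDATED', f'{where}: DoT requested but not validated; fallback to {target.dns}'
    return 'PLAINTEXT_DNS', f'{where}: plain DNS to {target.dns} (Private DNS not applied here)'


if __name__ == '__main__':
    # Usage: adb shell dumpsys connectivity | python3 dns_path.py
    # With no piped input the constructed sample is analysed instead.
    text = SAMPLE_DUMPSYS if sys.stdin.isatty() else sys.stdin.read()
    for n in parse_networks(text):
        print(f'{n.kind:6} {n.iface:6} dns={n.dns} private_dns={n.private_dns} '
              f'name={n.private_dns_name!r} validated={n.validated}')
    verdict, detail = assess(parse_networks(text))
    print(f'{verdict}: {detail}')
```

On the constructed sample the verdict is `PLAINTEXT_DNS` for the VPN's `tun0`, which is the situation the post is complaining about: the Wi-Fi network has validated DoT, but the network that now receives every query does not. If a real device shows the same, a capture on the tunnel (or the VPN provider's resolver logs) is the way to confirm where queries end up.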