GOS not using local DNS server advertised by DHCP

finnblue8

I never found a solution to this. This behavior is still happening on my Pixel 8 running the latest stable 2025100300.

The only solution I have that works is to keep my WireGuard VPN connected 24/7 so the VPN connection settings override what is being advertised by DHCP. That has added noticeable latency to my network connection, but at least I get to use my Pi-hole instance.

n3t_admin

finnblue8 just for troubleshooting sake: could you change your lease from DHCP to static under WiFi -> <your-ssid>? Then manually enter the same details (IP address, subnet mask, gateway and DNS), to check if this is a DHCP issue?

finnblue8

n3t_admin

I changed from DHCP to Static and entered the same details. Same behavior as before. If I run a DNS leak test from dnsleaktest.com or any leak testing service, it picks up my ISP provided servers.

OpenWRT 24.10.3. The IPV6 WAN is disabled in OpenWRT to eliminate the possibility of a DNS leak by the phone using IPV6.

A custom DHCP option parameter is set on the LAN interface (DHCP Server -> Advanced Settings -> DHCP-Options) to advertise my local server as a DNS server for all devices on LAN (6, server IP). This works for literally every other device I own except Pixel on GOS.

GOS 2025100300 has Private DNS turned off. If I run any DNS leak test from both Brave and Vanadium, it uses ISP-provided servers - interestingly on further inspection, servers that do not appear in the Wifi menu anywhere.

I can tell even without a DNS leak test that GOS is not using the proper local DNS server because I have zero DNS queries in Pi-hole logs.

n3t_admin

finnblue8 that's interesting. What if you change the DNS to something else like Quad9 (9.9.9.9) in the "static" settings and rerun the dnsleak test? In theory it shouldn't accept even that and still run over your ISP's resolvers.

Just trying to figure out if Pihole is the culprit or if the way to Pihole is.

GrapheneOS

finnblue8 DHCP is not the only way to provide DNS configuration to devices, SLAAC+RDNSS support also exists. Android and GrapheneOS do not have another way to obtain DNS configuration than from the router through DHCP or SLAAC+RDNSS. There's no other way to seek out any other DNS configuration. Your network is doing something unexpected, not GrapheneOS.

GrapheneOS

finnblue8 GrapheneOS doesn't have a way of getting DNS servers from the network other than fetching them via DHCP or IPv6 SLAAC+RDNSS. This is a configuration issue with your network. It's not a DNS leak, it's a network configuration problem.

GrapheneOS

AltruisticMidget Private DNS being set to Automatic only tries to upgrade to DNS-over-TLS for the network-provided or statically configured servers. It does not seek out another server.

528491

n3t_admin
I've got a raspberry pi with dnsmasq as my internal DNS server.

/etc/dnsmasq.conf:

local-service
listen-address=127.0.0.1
listen-address=10.11.0.53

/etc/hosts:

127.0.0.1	localhost localhost.localdomain
::1		localhost localhost.localdomain ipv6-localhost ipv6-loopback

10.11.0.10	immich.internal

# special IPv6 addresses
fe00::0         ipv6-localnet
ff00::0         ipv6-mcastprefix
ff02::1         ipv6-allnodes
ff02::2         ipv6-allrouters
ff02::3         ipv6-allhosts

My Router is a FritzBox 7583 and functions as a DHCP server in my network.
It is configured to advertise my DNS server IP 10.11.0.53 via DHCP.
On my desktop machine (address from DHCP):

cat /etc/resolv.conf 
# Generated by NetworkManager
search fritz.box
nameserver 10.11.0.53
nameserver fd65:16fd:...
nameserver 2a02:560:...

Works as expected:

dig immich.internal

; <<>> DiG 9.20.13 <<>> immich.internal
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53573
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;immich.internal.		IN	A

;; ANSWER SECTION:
immich.internal.	0	IN	A	10.11.0.10

;; Query time: 1 msec
;; SERVER: 10.11.0.53#53(10.11.0.53) (UDP)
;; WHEN: Fri Oct 10 14:35:22 CEST 2025
;; MSG SIZE  rcvd: 60

Opening https://immich.internal/ in firefox with enabled DNS over HTTPS as expected prompts me with a choice if I want to use unencrypted DNS for this site and opens my immich instance after agreeing.

On my Pixel 9 Pro XL, I get the same DNS server addresses like on my desktop machine via DHCP, listed in my WIFIs network settings but in different order:

2a02:560:... (doesn't have my .internal records)
fd65:16fd:... (doesn't have my .internal records)
10.11.0.53 (does have my .internal records)

I would expect GOS to try different DNS servers while a name can't be resolved until it reaches my 10.11.0.53 which would successfully resolve my immich.internal name. But maybe this assumption is all wrong?

n3t_admin

528491 this indicates that your phone is indeed trying to resolve IPv6 addresses and this is probably where the leak comes from. Is Pihole set to resolve IPv6 addresses? If not, you should enable that, because I assume right now it is falling back to your ISP servers, that are on your router. Keep in mind that IPv6 resolution will work independently of your IPv6 WAN settings.

n3t_admin

I can't edit my first response anymore, but if you're not using IPv6 anyway, you should disable router advertisements in your FritzBox, or enable it in Pihole.

I don't have a FritzBox myself, but on this support page from PiHole is a pretty detailed overview of the settings, that should lead you to the correct setting: https://docs.pi-hole.net/routers/fritzbox-de/

What your /etc/resolv.conf should (almost )look like:

cat /etc/resolv.conf

nameserver 192.168.1.1
search .

528491

n3t_admin
Thank you for pointing me to the right direction!
I checked my internal IPv6 settings on the FritzBox and it indeed didn't advertise my DNS server via DHCPv6.
I gave my DNS server the static link-local address fe80::53 and set my FritzBoxes DHCPv6 to advertise it.

It all works now. :)

I don't use pi-hole, just plain dnsmasq, but I will read your linked article, thanks!

n3t_admin

528491 so is the leak gone? That's good to hear. Maybe that is the same issue OP has (it honestly sounds like it).

GrapheneOS

528491 Android does not support DHCPv6 but rather uses SLAAC+RDNSS. DHPCv6 is optional for IPv6 and largely not useful for end user devices. Google is refusing to implement it mainly because they want to force ISPs to give people at least a /64. RDNSS is what provides IPv6 DNS configuration for Android. DHPCv6 is a very obscure thing with barely any use case in normal setups. People mainly use it because they're aware of DHCP for IPv4 and think it's the same situation for IPv6. There are complex setups where DHCPv6 can be useful but not any typical home network.

528491

n3t_admin

I'm sorry, I should have been more specific:
I was only referring to the problem of GOS not using my local DNS server despite it being advertised via DHCPv4 and visible in the WIFIs settings.

n3t_admin

528491 ah, right, you weren't even the one who checked for leaks. My bad, I'm being a dumbass who can't read apparently :P
Thanks for reporting back!

528491

n3t_admin
Haha, happens to all of us, no problem :)
And thanks again for your help!

528491

GrapheneOS
Thanks for elaborating. My Router (FritzBox) in fact does include RDNSS information "in Router Advertisements according to (RFC 5006)" if configured accordingly. Additionally, it serves as a DHCPv6 but only to assign DNS information in my configuration. I just forgot to set the correct IPv6 address in the first place. This address is advertised via RDNSS / Router Advertisment and DHCPv6 so Android gets to know it.