Perhaps reproducible SUPL DNS leak with Mullvad VPN?

henry9018

https://github.com/GrapheneOS/os-issue-tracker/issues/6873

The "Always-on VPN" and "Block connections without VPN" settings are enabled, but disconnecting from the VPN via button in the Mullvad app still causes a non-tunneled DNS type A query for supl.grapheneos.org over the IPv6 connection (beside type A queries for ipv4.am.i.mullvad.net over IPv6 and IPv4).

Pixel 9a
Latest GrapheneOS (2025121701)
Latest Mullvad VPN app (2025.11)

I already read and followed the great documentation before reporting, so private DNS is turned off.

For me the DNS query happens only the first time of being disconnected from the VPN, for another occurrence the WiFi connection has to be reestablished. I can't say if the problem is only related to the Mullvad app or if playing around with different options caused the current state (did not perform a factory reset by now).

System settings
Developer options: never enabled
User: Owner (never another created)
Enabled: Always-on VPN
Enabled: Block connections without VPN
Off: Private DNS

Vanadium
Off: Use secure DNS (in case that would matter)

Mullvad VPN app
Disabled: Local network sharing
Enabled: DNS content blockers (thereby not using the below custom DNS server option)
Enabled: In-tunnel IPv6
Automatic: Device IP version
Disabled: Split tunneling

joinka

henry9018 System settings
Developer options: never enabled
User: Owner (never another created)
Enabled: Always-on VPN
Enabled: Block connections without VPN
Off: Private DNS

Vanadium
Off: Use secure DNS (in case that would matter)

Mullvad VPN app
Disabled: Local network sharing
Enabled: DNS content blockers (thereby not using the below custom DNS server option)
Enabled: In-tunnel IPv6
Automatic: Device IP version
Disabled: Split tunneling

Your original post might have been closed instantly because you failed to list those technical details.

If I were you, I would open a new issue and provide as much detail as possible and particularly with how the DNS query was captured.

You might take this https://github.com/GrapheneOS/os-issue-tracker/issues/5273 as some inspiration.

One final note: I do not believe this forum is the proper place for proper bug reports. At most it could serve as a way to get quick feedback from the community and if they are experiencing the same issue.

However, because this issue is more on the technical side, I do not believe you will find much value here.

henry9018

joinka Thank you for your replies!

I just provided more details in my initial GitHub issue.

joinka

On the link I sent you, you will also find a comment from the founder of GrapheneOS, from just one month ago, stating:

[...] GrapheneOS fixes all 5 known outbound Android VPN leaks not related to Private DNS. You're reading outdated information from before we fixed all of them. The only known issues are caused by having Private DNS enabled while using VPNs.

So to me it seems that, either:

you found a new leak,
you discovered a known leak,
you discovered a leak that the GrapheneOS founder does not consider to be a leak.

joinka

If you need help filing the report, you may @ me, @henry9018

I am currently not subscribed to Mullvad though.

joinka

Thank you for reporting the issue as well.