julian-klode / dns66

DNS-based Host Blocker (and lightweight ad blocker) for Android

Home Page: https://jak-linux.org/projects/dns66/

No internet access when "Block connections without VPN" is enabled

tiernan opened this issue

Hi. So I'm having an issue with DNS66 in Android 12. When I go to Network & Internet settings, then VPN > DNS66: enable "Always-on VPN" and "Block connections without VPN", all internet access is blocked. DNS66 is running/has been started. As soon as I uncheck the toggle, it works again. The expected behaviour was to work in both instances.

I tested this with NordVPN as well and it works as expected. I was hoping this option would do a few things:

  1. prevent ad data loading on boot
  2. prevent app crashes or terminations from going unnoticed (not sure why but sometimes ads start loading and then I notice the VPN icon is gone; I know this happens when activating another VPN then closing it, but it happens for other reasons as well)
  3. possibly allow me to block internet for some apps. By enabling this feature, then selecting the app to bypass DNS66, I was hoping there might be a chance to have simple firewall behaviour without much system tax.

Anyway, it seems to be a bug as with Nord it behaves correctly. Chrome gives this error in testing: "ERR_NETWORK_ACCESS_DENIED" despite the DNS66 VPN being connected.

That's an Android issue, not a DNS66 one, if Android refuses connections not routed over the VPN. Or well, maybe it's a feature. In any case, this is the wrong place to complain about it. DNS66 creates a fake network with a few DNS servers, using a VPN-level service as an implementation detail, that's it.

I don't see how that's an Android issue. Using actual VPNs the feature works as expected. Using DNS66 specifically, the internet breaks with it on.

I understand the implementation, I just don't understand why Android is blocking apps whilst also showing the fake VPN as connected. Oh well, just thought I'd report it as it's unexpected behaviour.

The VPN only allows DNS queries on specific fake hosts it creates, so if you force all traffic over the VPN, all that works is DNS, because nothing else is routed to the internet.
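The routing behaviour described in the reply above, as a simplified model added here (not DNS66 or Android code). It assumes a VPN that routes only a few fake DNS hosts versus a conventional full-tunnel VPN, and treats "Block connections without VPN" as dropping anything that does not match a VPN route; all addresses are constructed documentation ranges.

```python
import ipaddress

# Constructed route sets; the thread does not list DNS66's real addresses.
DNS_ONLY_ROUTES = ["192.0.2.2/32", "192.0.2.3/32"]  # only the fake DNS hosts
FULL_TUNNEL_ROUTES = ["0.0.0.0/0"]                   # conventional VPN: everything

# Constructed flows: a DNS query to a fake resolver and an HTTPS connection.
FLOWS = [("dns", "192.0.2.2"), ("https", "203.0.113.10")]


def egress(dst, vpn_routes, lockdown):
    """Return 'vpn', 'underlying' or 'blocked' for one outbound packet.

    Assumption of this model: with lockdown on, any packet that does not
    match a VPN route is dropped instead of using the underlying network.
    """
    addr = ipaddress.ip_address(dst)
    if any(addr in ipaddress.ip_network(route) for route in vpn_routes):
        return "vpn"
    return "blocked" if lockdown else "underlying"


def outcomes(vpn_routes, lockdown):
    """Map each sample flow to the path it would take."""
    return {name: egress(dst, vpn_routes, lockdown) for name, dst in FLOWS}


if __name__ == "__main__":
    for label, routes in (("dns-only", DNS_ONLY_ROUTES),
                          ("full-tunnel", FULL_TUNNEL_ROUTES)):
        for lockdown in (False, True):
            mode = "lockdown" if lockdown else "no-lockdown"
            print(f"{label:12} {mode:12} {outcomes(routes, lockdown)}")
```

In this model the DNS-only configuration with lockdown leaves name resolution working while every other connection is dropped, which matches the "VPN connected but no internet" symptom reported in the issue.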

That's interesting. For some reason I thought it was just doing a pass-through with the rest of the traffic whilst capturing the DNS queries. Makes sense that regular traffic is just left alone though as it's just unnecessary extra work to handle it at all.

I'm curious though, would it be overly difficult to implement pass-through behaviour? I'm not familiar with Android's network API at all but it seems as though all it would require is a bridge to the regular interface. Forgive my naïveté and thank you for the information. :)

I saw #30 had a request for specifying apps to be open/ad-filtered/blocked. I'm sure this is a lot more complicated, but I just wonder if it can be done without being a full-fledged firewall -- packet inspection isn't required and you already have app detection logic for the bypass. Anyway, thanks again.