v055u: Intermittent Original IPv6 IP Leaks in NextDNS Logs with WireGuard - Always-On/Lockdown, and System DNS on Android 16

[L-3-m-o-n]

This is a summary of all the errors (other than already mentioned issues) I encountered while using Rethink on latest version and a fix for these is much appreciated .

Description:
Device/OS: OnePlus device running Oxygen OS 16 (first stable build, based on Android 16). Non-rooted. Using mobile data only (ISP forces IPv4+IPv6; forcing IPv4-only APN breaks internet entirely). No WiFi testing possible.

Setup Overview:

Using Rethink as always-on VPN with lockdown mode enabled in Rethink settings and in Android Settings > VPN > Block connections without VPN + Always ON are enabled .
Proxy: WireGuard configs from Proton VPN :
Tested in both cases :
i> Original .conf files [Only supporting ipv4 , rethink set to ipv4 only]
ii> As per https://gist.github.com/mikaeldui/12127c91ccece42ea375c9f42d94aa8a
Enabled IPv6 manually but default settings did not work for me , So used fd54:20a4:d33b:b10c:0:2:0:2 as per one of the comments + Rethink set to ipv4+ipv6 mode .
(IPv4+IPv6 dual-stack in this case; AllowedIPs in both cases= 0.0.0.0/0, ::/0 confirmed optimal)
In wireguard : Tried changing dns to next dns + also tested with default and as as well as per https://gist.github.com/mikaeldui/12127c91ccece42ea375c9f42d94aa8a
So , All cases were tested and with same issue .

Tested with both single proxy ON or with Multiple endpoints : Mainly NL,NO,JP free servers but IP leak tests (ipleak.net, dnsleaktest.com) always show system DNS (NextDNS) as provider, which is desired even though when testing ipv4+ipv6 , Dns was set to Proton in wireguard .conf files .
Rethink's DNS: Forwarded to System DNS (NextDNS). Type: System DNS. Fallback DNS: Off (but set to System DNS despite being off; previously on, but Rethink fell back often which it still does but DNS tests still showed NextDNS (desired) ).
Advanced DNS Settings (all on, per update; IPv6 works with them enabled but rarely fails (Still an issue) ):
Never Proxy DNS: On - previously off to avoid limiting to IPv4 [occasionally causes IPv6 proxy failures (e.g., connections drop to IPv4-only), so please investigate/fix.], Also same result when Off .
Prevent DNS Leaks: On (Same as never proxy dns) , Also same result when off .
Use Fallback DNS as Bypass: On (Also same) , Same result when Off .
All Other settings in DNS section : (except blocklists) : ON .

Firewall Settings (Universal):
Block When Source App is Unknown: On , Rest : Off .
Block UDP Except DNS and NTP: Temporarily enabled for testing, but leaks persisted so disabled.
Block When DNS is Bypassed: Off (enabling blocks all internet; always been the case, even when proxies were IPv4-only) - Hoping for a fix here ...
Block Port 80 (Insecure HTTP Traffic): Temporarily enabled for testing, but leaks persisted so disabled.

Network Settings :
Enable Network Visibility: Off.
Stall on Network Loss: On.
Do Not Route Private IPs (Experimental): Off .
Use All Available Networks (Experimental): On.
Always Metered: Off.
Meter Mobile Networks: Off.
Loopback (Experimental): On.
Choose Fallback DNS: Set to System DNS (but fallback off overall).
Connection Change Policy: Auto.
Proxy > Loopback Proxy for Forwarder Apps: Off.
Do Not Randomize WireGuard Listen Port: On [Turning ON - Breaks internet for me - Hoping for a fix here]
TCP/IP: Shorter TCP Keep Alive: On. Endpoint-Independent Mapping: Off. Idle Timeout: 20m. Bandwidth Booster: Off. Choose IP Version: IPv4 & IPv6 , Tested with ipv4 only too on ipv4 proxies (same result) .

Issue Details:

Original IPv6 (non-WireGuard) leaks in NextDNS logs once every 15-40 mins at random, despite no DNS leak (tests show NextDNS as provider). Leaks mostly on telemetry domains , google domains (90% blocked by NextDNS blocklists): gstatic.com, improving.duckduckgo.com, favicons for NextDNS, Rethink's telemetry, youtubei.googleapis.com, other Google domains (even non telemetry essentials such as youtube or www.google.com) , Rarely on app calls (e.g., Instagram Google APIs, YouTube when not blocked).
Persists across setups: Previously IPv4-only WireGuard (Rethink set to IPv4 only; same leaks. Now dual-stack IPv4+IPv6 still leaks .

Partial Workaround: Use IPv6-only WireGuard for apps like YouTube (closes some leak surface - now in this case YouTube domains show only wireguard's ipv6), but Instagram/etc. fail without IPv4 (app and other limitations) , Only workaround is forcing ipv6 proxies wherever possible .

Proxy Inconsistencies: Endpoints sometimes fail or drop speed after heavy usage (despite Proton's no-limits claim).
No IPv4 leaks - only IPv6. Happens on mobile data; can't disable IPv6 systemwide for already mentioned reasons .

Steps to Reproduce:

Set up as above.
Use apps like YouTube/Instagram for 15-40 mins.
Check NextDNS logs (my.nextdns.io) for original IPv6 on telemetry domains.
Run IP/DNS leak tests - DNS shows NextDNS, but IP leaks in logs sometimes especially on ipv4 only proxies or when ipv6 isn't forced .

Expected: No original IP exposures with always-on/lockdown. Actual: Intermittent IPv6 leaks on specific domains/calls.

Additional details :
1)Many times though using system dns (NextDNS) , It many times uses fallback (also set to system) despite it is turned off in settings .
2)Concerns over IP , Since this has shown that Rethink's always on + lockdown mode could still leak . While switching between proxies , Please make sure this does not leaks IP .

[ignoramous]

Rethink's telemetry

Rethink doesn't have telemetry. What do you mean?

favicons

Yeah, Rethink will download favicons if you have turned ON Configure -> DNS -> Show website icon in DNS logs.

Note that, the connections that Rethink itself makes (which you can see in Configure -> Logs -> Rethink as you have Configure -> Network -> Loopback turned ON) aren't routed through WireGuard and/or user-set DNS from within Rethink (in this case, NextDNS). Rethink's DNS queries are sent to either Configure -> Network -> Fallback DNS or over DNS-over-HTTPS to Quad9 / Cloudflare endpoints (hard-coded in a few places in the app for anti-censorship reasons).

ipv4only.arpa

That's a DNS64/NAT64 query sent by Rethink.

• See: Avoid ipv4only.arpa DNS requests on network change #2379

Do Not Randomize WireGuard Listen Port: On [Turning ON - Breaks internet for me - Hoping for a fix here]

Do you spot any WireGuard related errors when you turn Configure -> Network -> Do not randomize WireGuard Listen port in the Configure -> Settings -> App logs UI (you can use the search bar to look for "wg" or "wg"+wireguard-id (ex: wg1, wg3, etc), which is shown in Configure -> Proxy -> Setup WireGuard next to the names of the WireGuard configurations).

Proxy Inconsistencies: Endpoints sometimes fail or drop speed after heavy usage (despite Proton's no-limits claim).

Are you on a paid plan? If so, if you're using multiple Proton WireGuards (or are using Rethink's WireGuard multi-hop feature) at the same time, Proton's anti-abuse systems may not like it.

Block When DNS is Bypassed: Off (enabling blocks all internet; always been the case, even when proxies were IPv4-only) - Hoping for a fix here ...

It shouldn't, unless you're using Android's Private DNS, or using apps that may directly connect to IPs (like WhatsApp and Instagram) or apps that do their own DNS resolution (like Telegram). You can "Bypass Universal" these apps from *Configure -> Apps -> (search for the app name) -> (tap on the entry) -> (look for "Bypass Universal" under "Firewall rules for this app" heading).

---

You may also want to turn OFF all settings marked "experimental", too.

[ignoramous]

Tested with both single proxy ON or with Multiple endpoints : Mainly NL,NO,JP free servers but IP leak tests (ipleak.net, dnsleaktest.com) always show system DNS (NextDNS) as provider, which is desired even though when testing ipv4+ipv6 , Dns was set to Proton in wireguard .conf files

You'll have to turn ON Configure -> DNS -> Split DNS for Rethink to use WireGuard's DNS for apps selected to be routed through it.

Use Fallback DNS as Bypass: On (Also same) , Same result when Off

Turning this setting ON will ask Rethink to use Configure -> DNS -> Fallback DNS as the resolver for every allowlisted/whitelisted domain or apps that have been setup to "Bypass DNS & Firewall".

Concerns over IP , Since this has shown that Rethink's always on + lockdown mode could still leak

Do you mean, Always-on and Lockdown mode in Configure -> Proxy -> Setup WireGuard -> Advanced or in Android's VPN settings?

If the latter, make sure to turn ON Lockdown for all Advanced mode WireGuards.

[L-3-m-o-n]

Rethink doesn't have telemetry. What do you mean?

I originally flagged ipv4only.arpa because NextDNS blocklists automatically blocked it and I mistook it for telemetry. Sorry about the confusion .

Yeah, Rethink will download favicons if you have turned ON Configure -> DNS -> Show website icon in DNS logs

I mentioned favicons for nextdns since that also uses favicons , My point was multiple telemetry domains and non telemetry domains (even if not Rethink or nextdns or something else) along with several google domains are leaking my original ipv6 connections despite every possible hardening on Wireguard [Lockdown mode , Always on - Both in rethink and Android settings] - Check my current settings , I already mentioned in original issue .

Do Not Randomize WireGuard Listen Port: On [Turning ON - Breaks internet for me - Hoping for a fix here]

Fixed that with changing some experimental settings , No help needed here.

multi-hop feature , Proton's anti-abuse systems may not like it.

I never used multi-hop or multiple Proton configs at the same time. The tunnel very rarely goes into “Failing” state on its own and rarely drops connection speed , I think that's not a rethink issue but server load issue , Thanks for clarification , No help needed here either .

It shouldn't, unless you're using Android's Private DNS

I was on Private DNS the entire time because putting nextdns's doT or doH directly within rethink never worked for me , It just gets stuck on starting every single time that's why I can't turn on Block when DNS is bypassed ...

You'll have to turn ON Configure -> DNS -> Split DNS

It was already ON (my original issue contains current settings) .

Fallback DNS

What I meant was turning it ON or OFF didn't matter - ipv6 was leaking in both the cases , Also mentioned the same for several other settings .

Do you mean, Always-on and Lockdown mode in Configure -> Proxy -> Setup WireGuard -> Advanced or in Android's VPN settings? make sure to turn ON Lockdown for all Advanced mode WireGuards.

It was ON the entire time (Both for rethink and for Android settings) , ipv6 still continued to leak .

[ignoramous]

Thanks.

Search in Configure -> Logs -> DNS for the domains you see leaking your IPv6 in the NextDNS logs. And when you find any entries there corresponding to the timestamp you see in NextDNS, tap on those entries and a bottomsheet should come up, which should have more information about the query, the answer, the DNS resolver used, the app that sent the query (only shown on Android 12+). Check if:

1. The app name that appears there has been "Bypass form all proxies" setup or is "Isolated" / "Bypass DNS and Firewall".
2. If the domain name shown there in has been "allowlisted" / "trusted".

I was on Private DNS the entire time because putting nextdns's doT or doH directly within rethink never worked for me

It should. Either way, use of Private DNS explains why Rethink was blocking connections with "Block when DNS is bypassed" was turned ON... because all DNS queries were essentially being served outside of the VPN's DNS resolver.

[L-3-m-o-n]

The app that sent the query (only shown on Android 12+)

The app is not shown in next dns (Tried both app and web) no matter what I do , Confirmed with AI - This feature is not present . Its very hard if not impossible to see that in rethink because of unknown connections and multiple apps are sending requests at the same time [Also , connections for Unknown apps are blocked]
BUT
"I might have an answer - Instagram" , Its atleast one of those apps that are leaking if not the only one , Others could be YouTube , MicroG ...,

1. The app name that appears there has been "Bypass from all proxies" setup or is "Isolated" / "Bypass DNS and Firewall".

Its not bypasssed or isolated in any way and should route its traffic through VPN tunnel only but its clearly leaking because every time I spend 1-3 minutes on Instagram and then check nextdns logs - The leaked ipv6 for usually : connectivity check for gstatic or developers.google.com or www.google.com are there .

2. If the domain name shown there in has been "allowlisted" / "trusted".

No , Even though I have no google blocklist enabled in nextdns , I use YouTube and have white listed a select few google domains in nextdns (though no trusted domains in rethink) but not all and gstatic.com is not whitelisted (hence blocked by nextdns but it still shows leaked ipv6 below domain name even though its connection is blocked) while some like www.google.com : I have tested with both blocked and allowed - It matters not , The ipv6 still leaks with other google domains (majority) and few non-google domains .

DNS queries were essentially being served outside of the VPN's DNS resolver.

Either way , I don't want to use proton's DNS because in dns leak tests - Many times the ISP for proton (amongst multiple) is google which I hate for some reason .