Private DNS (+VPN?) bypasses network-isolation
I noticed today a series of DNS requests from apps that have internet access turned OFF in the Datura Firewall app. In this screenshot I'm exhibiting the issue with the app Strong, because the app name is in the DNS request so the link is obvious. I also noticed analytics requests from at least one other app (though I DNS block those), and Google Photos may be leaking through as well.
Why is this happening? Is this a bug? Am I misunderstanding what's happening here?
Suddenly I'm worried that apps that I specifically do not want to connect to the net, such as Gboard, have been connecting freely this whole time.
This activity was monitored with NextDNS while using a Pixel 5 with always-on VPN. All network switches were turned off in the settings app.