
Apologies if this is a dumb question—could a service like NextDNS help prevent this?



nope. no DNS service, not even a self-hosted one, can mitigate what's happening here.

the matter at hand considers Android (and iOS both) operating system- and kernel-level insecurities by-design. the operating system (together with all root-level or otherwise authorized system activity), under certain conditions—e.g. connectivity change, hard-coded system function, apps with permission to hardcode their own network functions, etc.—will refuse to use any NIC, whether physical or virtualized, except the one containing the cellular carrier's connection/routes. that traffic might then necessarily include DNS queries and any/all other private but now-leaked data.


NextDNS _does help_ though by way of being DoH, so while your packets might be traversing a less desirable path they’re not readable.


fair point. but that assumes:

1.) the system strictly respects user-configured DNS; and

2.) that the leak of some private data is acceptable. leaked traffic is still leaked even if otherwise encapsulated by some other encryption mechanism outside of an otherwise properly-configured VPN tunnel.

#1 is of course a much larger risk assumption to swallow.
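An added example, not written by anyone in this thread, of what point 2 means in practice: it classifies constructed flow records by interface and destination so that DNS reaching a DoH/DoT resolver over the carrier interface is still counted as a leak, even though its payload is encrypted. The interface name `tun0`, the VPN endpoint `203.0.113.10:1194`, the resolver address `198.51.100.53` and the record format are all assumptions made for the example.

```python
# Added example (not from the thread): classify constructed flow records to show
# why DoH alone does not fix a tunnel bypass. Assumed names: tun0 is the VPN's
# virtual interface, 203.0.113.10 is the VPN endpoint, 198.51.100.53 a DoH resolver.
from dataclasses import dataclass

TUN_IFACE = "tun0"
VPN_SERVER = "203.0.113.10"
DOH_RESOLVERS = {"198.51.100.53"}   # constructed resolver address for the sample


@dataclass(frozen=True)
class Flow:
    iface: str
    proto: str
    dst_ip: str
    dst_port: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed record of the form '<iface> <proto> <dst_ip>:<dst_port>'."""
    iface, proto, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    return Flow(iface, proto.lower(), ip, int(port))


def classify(flow: Flow, tun_iface: str = TUN_IFACE, vpn_server: str = VPN_SERVER):
    """Return None if the flow stays inside the tunnel, else a label for the leak."""
    if flow.iface == tun_iface:
        return None                      # carried inside the tunnel: fine
    if flow.dst_ip == vpn_server:
        return None                      # the tunnel's own outer packets must use the physical NIC
    if flow.dst_port == 53:
        return "plaintext-dns-leak"      # query names and metadata both exposed on the carrier path
    if flow.dst_ip in DOH_RESOLVERS and flow.dst_port in (443, 853):
        # DoH/DoT: the query itself is unreadable, but the resolver IP, timing and
        # volume still leave over the carrier path, which is point 2 above.
        return "encrypted-dns-leak"
    return "traffic-leak"                # any other traffic that bypassed the tunnel


def find_leaks(lines):
    """Return (flow, label) pairs for every record that bypasses the tunnel."""
    flows = [parse_flow(line) for line in lines]
    return [(f, classify(f)) for f in flows if classify(f) is not None]


# Constructed sample: rmnet0 stands in for the cellular interface.
SAMPLE = [
    "tun0 udp 10.8.0.1:53",             # DNS inside the tunnel
    "rmnet0 udp 203.0.113.10:1194",     # VPN outer traffic
    "rmnet0 udp 198.51.100.53:53",      # plaintext DNS straight out the carrier NIC
    "rmnet0 tcp 198.51.100.53:443",     # DoH resolver reached outside the tunnel
]

if __name__ == "__main__":
    print(*(f"{label}: {flow}" for flow, label in find_leaks(SAMPLE)), sep="\n")
```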


Interesting. Thank you for this.



