It’s not bypassing aaaaa, the DNS requests are redirected to the aaaaa net qube by default.
By default the DNS requests from test-qube (to the 10.139.1.1/10.139.1.2) will go to aaaaa qube and since the networking qubes have these default rules (if no custom DNS server is configured):
# nft list chain ip qubes dnat-dns
table ip qubes {
chain dnat-dns {
type nat hook prerouting priority dstnat; policy accept;
ip daddr 10.139.1.1 udp dport 53 dnat to 10.139.1.1
ip daddr 10.139.1.1 tcp dport 53 dnat to 10.139.1.1
ip daddr 10.139.1.2 udp dport 53 dnat to 10.139.1.2
ip daddr 10.139.1.2 tcp dport 53 dnat to 10.139.1.2
}
}
DNS requests from test-qube will be redirected by aaaaa firewall to the virtual Qubes OS DNS servers and go to the sys-firewall if VPN is not connected (no default route that will redirect all traffic to the VPN interface).
If you whitelist the VPN IP for aaaaa qube then these DNS request will be blocked in sys-firewall.