Wireguard VPN setup

Qubes OS uses “virtual” DNS servers 10.139.1.1/10.139.1.2 for the qubes, and requests to these addresses are redirected from a netvm to its next netvm using DNAT firewall rules like this:

$ sudo nft list chain ip qubes dnat-dns
table ip qubes {
        chain dnat-dns {
                type nat hook prerouting priority dstnat; policy accept;
                ip daddr 10.139.1.1 udp dport 53 dnat to 10.139.1.1
                ip daddr 10.139.1.1 tcp dport 53 dnat to 10.139.1.1
                ip daddr 10.139.1.2 udp dport 53 dnat to 10.139.1.2
                ip daddr 10.139.1.2 tcp dport 53 dnat to 10.139.1.2
        }
}

When these DNS packets arrive at a netvm whose own netvm is set to (none), by default it takes that qube’s real DNS servers (e.g. set by the user in /etc/resolv.conf or via NetworkManager) and redirects all packets addressed to the virtual DNS servers to the real ones like this:

table ip qubes {
        chain dnat-dns {
                type nat hook prerouting priority dstnat; policy accept;
                ip daddr 10.139.1.1 udp dport 53 dnat to 192.168.1.1
                ip daddr 10.139.1.1 tcp dport 53 dnat to 192.168.1.1
        }
}

If you don’t redirect all the virtual DNS traffic to the real DNS server (be it 9.9.9.9 or the DNS provided by the VPN server) in sys-vpn, then this virtual DNS traffic will go through the VPN to these “virtual” addresses, and most probably DNS just won’t work, since these addresses are unreachable through the VPN. This leak of “virtual” DNS addresses could also reveal to the VPN provider that you’re using Qubes OS.
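As an added example (not part of the original post or of Qubes OS itself), the following shell helpers cover the two practical steps this describes for sys-vpn: checking whether the dnat-dns chain still rewrites the virtual addresses to themselves (the leak case), and generating the nft rules that rewrite both virtual addresses to the real DNS server instead. The table and chain names (ip qubes / dnat-dns) and the virtual addresses come from the post; the VPN DNS address 10.2.0.1 and the sample chain listings are constructed placeholders, and apply_dnat_dns_rules assumes nft is available and run as root.

```shell
#!/bin/sh
# Added example, not code from the original post. Helpers for the sys-vpn
# dnat-dns chain: detect the virtual-DNS leak and generate the fix.
set -eu

# Virtual DNS addresses Qubes hands to every qube (from the post).
VIRTUAL_DNS="10.139.1.1 10.139.1.2"

# Constructed sample: the default chain in a netvm that still forwards
# virtual DNS unchanged (the leaking state when this netvm is sys-vpn).
SAMPLE_LEAKING='table ip qubes {
        chain dnat-dns {
                type nat hook prerouting priority dstnat; policy accept;
                ip daddr 10.139.1.1 udp dport 53 dnat to 10.139.1.1
                ip daddr 10.139.1.1 tcp dport 53 dnat to 10.139.1.1
                ip daddr 10.139.1.2 udp dport 53 dnat to 10.139.1.2
                ip daddr 10.139.1.2 tcp dport 53 dnat to 10.139.1.2
        }
}'

# Constructed sample: the chain after the fix, pointing at an assumed
# VPN-provided resolver 10.2.0.1 (placeholder address).
SAMPLE_FIXED='table ip qubes {
        chain dnat-dns {
                type nat hook prerouting priority dstnat; policy accept;
                ip daddr 10.139.1.1 udp dport 53 dnat to 10.2.0.1
                ip daddr 10.139.1.1 tcp dport 53 dnat to 10.2.0.1
                ip daddr 10.139.1.2 udp dport 53 dnat to 10.2.0.1
                ip daddr 10.139.1.2 tcp dport 53 dnat to 10.2.0.1
        }
}'

# Read `nft list chain ip qubes dnat-dns` output on stdin and print how many
# dnat rules still target a virtual 10.139.1.x address. grep -c prints 0 and
# exits 1 when nothing matches, which is a clean result here, not an error.
count_dns_leaks() {
    grep -cE 'dnat to 10\.139\.1\.[0-9]+' || true
}

# Same input on stdin; returns 1 (with a warning) if any rule would send
# virtual DNS traffic into the VPN tunnel, 0 otherwise.
check_dns_leak() {
    n=$(count_dns_leaks)
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n dnat-dns rule(s) still target a virtual DNS address" >&2
        return 1
    fi
    echo "OK: no dnat-dns rule targets a virtual DNS address" >&2
    return 0
}

# Emit an nft script that flushes dnat-dns and re-adds one udp and one tcp
# rule per virtual address, all rewritten to the real resolver given as $1.
gen_dnat_dns_rules() {
    vpn_dns="$1"
    printf 'flush chain ip qubes dnat-dns\n'
    for vdns in $VIRTUAL_DNS; do
        for proto in udp tcp; do
            printf 'add rule ip qubes dnat-dns ip daddr %s %s dport 53 dnat to %s\n' \
                "$vdns" "$proto" "$vpn_dns"
        done
    done
}

# Apply the generated script with nft (needs root; nft -f - reads stdin).
apply_dnat_dns_rules() {
    gen_dnat_dns_rules "$1" | nft -f -
}

# Stand-alone run: show the leak check on both samples and the generated fix.
printf '%s\n' "$SAMPLE_LEAKING" | check_dns_leak || true
printf '%s\n' "$SAMPLE_FIXED" | check_dns_leak || true
gen_dnat_dns_rules 10.2.0.1
```

In sys-vpn the real resolver to pass to gen_dnat_dns_rules is whatever the tunnel is meant to use (for WireGuard typically the address from the DNS= line of the wg-quick configuration, or a public resolver such as 9.9.9.9 if you prefer not to use the provider’s). Running the live chain through check_dns_leak (`sudo nft list chain ip qubes dnat-dns | check_dns_leak`) after the VPN comes up confirms the rewrite actually took effect rather than assuming it did.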