Bug 13970

Summary: Notifications for Android devices are not triggered anymore after update to CU 201.
Product: IPFire
Reporter: R G <r.grimmig>
Component: ---
Assignee: Assigned to nobody - feel free to grab it and work on it <nobody>
Status: NEW ---
QA Contact:
Severity: Major Usability
Priority: - Unknown -
CC: p27m, robin.roevens
Version: 2
Hardware: unspecified
OS: Other

Description R G 2026-05-12 20:06:28 UTC
After updating from CU 200 to CU 201, all notifications from apps (coming from external servers) on Android devices are not passed through anymore.

Initial configuration: IPFire CU 200 with WebProxy and URL-Filter enabled. Working since 2009 on PC hardware without such problems.

After the update to CU 201, with Web-Proxy and DNS-Firewall enabled and URL-Filter disabled, Android devices in the BLUE network are unable to receive notifications such as:
- Banking apps (e.g. S-Push-TAN app from Sparkasse)
- Threema Messenger (new messages)
- Safety notifications from the Deutscher Wetterdienst (DWD) app, NINA and Katwarn.
- Notifications from car (battery finished charging).
- Microsoft Authenticator for 2FA (employer requirement)

Switching to mobile data triggers the notifications immediately, including the previously missed ones. Opening those apps while in the BLUE network also triggers the notifications (except the S-Push-TAN app and Microsoft Authenticator).


Disabling DNS-Firewall and re-enabling URL-Filter, as previously working with CU 200, still does not work with CU 201. Notifications are still blocked.

There were no configuration changes in Web-Proxy and URL-Filter or changes in firewall rules after Update to CU 201.

See also this thread in forum:
https://community.ipfire.org/t/push-messages-from-signal-messenger-or-banking-apps-not-working-with-dns-firewall/15734/9

System Version:
IPFire-Version 	IPFire 2.29 (x86_64) - core201
Pakfire-Version 	2.29-x86_64
Kernelversion 	Linux firewall.xyz.local 6.18.7-ipfire #1 SMP PREEMPT_DYNAMIC Tue Feb 24 14:01:17 GMT 2026 x86_64 GNU/Linux 


I hope this can be sorted out as it is an important feature to get notifications on Android devices.

Thank you for your attention.
Comment 1 R G 2026-05-12 20:26:22 UTC
Also, SMS messages are not delivered when in the BLUE network and connected to the mobile phone provider via 'WiFi Calling'.
Comment 2 Robin Roevens 2026-05-16 23:22:52 UTC
This seems to be caused by the Enable Safe Search option in Network → Domain Name System.

According to Gemini, Google Play Services needs access to mtalk.google.com, and this connection is kept open by Android using a heartbeat. For this to work, it of course first does a lookup of mtalk.google.com.

However, when Safe Search is enabled, a lookup returns:
mtalk.google.com is an alias for forcesafesearch.google.com.
forcesafesearch.google.com has address 216.239.38.120

When Safe Search is disabled, the same lookup returns:
mtalk.google.com is an alias for mobile-gtalk.l.google.com.
mobile-gtalk.l.google.com has address 142.250.102.188

When Safe Search is disabled, all push messages seem to work again here.
Comment 3 Robin Roevens 2026-05-16 23:36:08 UTC
According to Gemini:

Google's official and proper method is to redirect only the specific search domains:

    www.google.com -> forcesafesearch.google.com
    www.google.be -> forcesafesearch.google.com
    (Thereby leaving mtalk.google.com alone).

Anyway, the bottom line is, I think, to make sure not to redirect mtalk.google.com to forcesafesearch.google.com.
Comment 4 Phil SCAR 2026-05-17 21:04:22 UTC
I compared CU200 and CU201 with DNS Safe Search enabled.

Using the command unbound-control list_local_data | grep "google."

On CU201, all domains are redirected, whereas on CU200, only domains starting with www. are redirected.

CU201

[root@ipfire ~]# unbound-control list_local_data | grep "google."
google.ac.      3600    IN      CNAME   forcesafesearch.google.com.
www.google.ac.  3600    IN      CNAME   forcesafesearch.google.com.
google.ad.      3600    IN      CNAME   forcesafesearch.google.com.
www.google.ad.  3600    IN      CNAME   forcesafesearch.google.com.
google.ae.      3600    IN      CNAME   forcesafesearch.google.com.
www.google.ae.  3600    IN      CNAME   forcesafesearch.google.com.
google.com.af.  3600    IN      CNAME   forcesafesearch.google.com.
www.google.com.af.      3600    IN      CNAME   forcesafesearch.google.com.
google.com.ag.  3600    IN      CNAME   forcesafesearch.google.com.
www.google.com.ag.      3600    IN      CNAME   forcesafesearch.google.com.
google.com.ai.  3600    IN      CNAME   forcesafesearch.google.com.
...

CU200

[root@ipfireTest ~]# unbound-control list_local_data | grep "google."
www.google.ad.  60      IN      A       216.239.38.120
www.google.ae.  60      IN      A       216.239.38.120
www.google.com.af.      60      IN      A       216.239.38.120
www.google.com.ag.      60      IN      A       216.239.38.120
www.google.com.ai.      60      IN      A       216.239.38.120
www.google.al.  60      IN      A       216.239.38.120
www.google.am.  60      IN      A       216.239.38.120
www.google.co.ao.       60      IN      A       216.239.38.120
www.google.com.ar.      60      IN      A       216.239.38.120
www.google.as.  60      IN      A       216.239.38.120
www.google.at.  60      IN      A       216.239.38.120
www.google.com.au.      60      IN      A       216.239.38.120
www.google.az.  60      IN      A       216.239.38.120
www.google.ba.  60      IN      A       216.239.38.120
www.google.com.bd.      60      IN      A       216.239.38.120
www.google.be.  60      IN      A       216.239.38.120
www.google.bf.  60      IN      A       216.239.38.120
...

Idem with unbound-control list_local_zones | grep "google."

CU201

google.ac. redirect
www.google.ac. redirect
google.ad. redirect
www.google.ad. redirect
google.ae. redirect
www.google.ae. redirect
google.com.af. redirect
www.google.com.af. redirect
google.com.ag. redirect
www.google.com.ag. redirect
google.com.ai. redirect
www.google.com.ai. redirect
google.al. redirect
www.google.al. redirect
google.am. redirect
www.google.am. redirect
google.co.ao. redirect
www.google.co.ao. redirect
google.com.ar. redirect
www.google.com.ar. redirect
google.as. redirect
www.google.as. redirect
google.at. redirect
....

CU200

[root@ipfireTest ~]# unbound-control list_local_zones |grep google.
google.ad. transparent
google.ae. transparent
google.com.af. transparent
google.com.ag. transparent
google.com.ai. transparent
google.al. transparent
google.am. transparent
google.co.ao. transparent
google.com.ar. transparent
google.as. transparent
google.at. transparent
google.com.au. transparent
google.az. transparent
google.ba. transparent
google.com.bd. transparent
google.be. transparent
google.bf. transparent
google.bg. transparent
...

By checking my mobile's access with tcpdump and the help of Gemini, I defined the domains to exclude from DNS Safe Search in a file:

/etc/unbound/local.d/safesearch-bypass.conf

server:
# Frees the main channel and its direct variants
	local-zone: "mtalk.google.com." transparent
	local-zone: "alt1-mtalk.google.com." transparent
	local-zone: "alt2-mtalk.google.com." transparent
	local-zone: "alt3-mtalk.google.com." transparent
	local-zone: "alt4-mtalk.google.com." transparent
	local-zone: "alt5-mtalk.google.com." transparent
	local-zone: "alt6-mtalk.google.com." transparent
	local-zone: "alt7-mtalk.google.com." transparent
	local-zone: "alt8-mtalk.google.com." transparent

# Releases ALL technical variants in "l.google.com"
# (Includes mobile-gtalk, gtalk4, alt1 to alt8, etc. at once)
	local-zone: "l.google.com." transparent
	
# Exclude for time synchronization (NTP)
	local-zone: "time.google.com." transparent
	
# Exclude for Android System and Play Store
	local-zone: "android.clients.google.com." transparent
	local-zone: "android.apis.google.com." transparent
Comment 5 Phil SCAR 2026-05-18 06:07:31 UTC
And also

# Release the download branch (Chrome, updates...)
	local-zone: "dl.google.com." transparent
Comment 6 Phil SCAR 2026-05-22 05:58:09 UTC
Latest version of the file:

/etc/unbound/local.d/safesearch-bypass.conf

server:
# Frees the main channel and its direct variants
	local-zone: "mtalk.google.com." transparent
	local-zone: "alt1-mtalk.google.com." transparent
	local-zone: "alt2-mtalk.google.com." transparent
	local-zone: "alt3-mtalk.google.com." transparent
	local-zone: "alt4-mtalk.google.com." transparent
	local-zone: "alt5-mtalk.google.com." transparent
	local-zone: "alt6-mtalk.google.com." transparent
	local-zone: "alt7-mtalk.google.com." transparent
	local-zone: "alt8-mtalk.google.com." transparent

# Releases ALL technical variants in "l.google.com"
# (Includes mobile-gtalk, gtalk4, alt1 to alt8, etc. at once)
	local-zone: "l.google.com." transparent
	
# Exclude for time synchronization (NTP)
	local-zone: "time.google.com." transparent
	
# Exclude for Android System and Play Store
	local-zone: "android.clients.google.com." transparent
	local-zone: "android.apis.google.com." transparent
	local-zone: "accounts.google.com." transparent
	local-zone: "client1.google.com." transparent
	local-zone: "client2.google.com." transparent
	local-zone: "client3.google.com." transparent
	local-zone: "client4.google.com." transparent
	local-zone: "client5.google.com." transparent
	local-zone: "client6.google.com." transparent
	local-zone: "connectivitycheck.google.com." transparent
	local-zone: "location.google.com." transparent
	local-zone: "dl-ssl.google.com." transparent
	local-zone: "hangouts.google.com." transparent
	local-zone: "m.google.com." transparent
	local-zone: "pack.google.com." transparent
	local-zone: "play.google.com." transparent
	
# Release the download branch (Chrome, updates...)
	local-zone: "chrome.google.com." transparent
	local-zone: "dl.google.com." transparent
	local-zone: "fonts.google.com." transparent
	local-zone: "safebrowsing-cache.google.com." transparent
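The mechanism behind comments 2, 4 and 6 is unbound's local-zone matching: a `redirect` zone on the bare domain (what `list_local_zones` shows on CU201) answers every name beneath it, including mtalk.google.com, with the CNAME stored at the zone apex, whereas the CU200 layout (a `transparent` zone plus an A record only for the www host) leaves all other subdomains alone, and a more specific `transparent` zone such as the bypass file adds takes precedence over the broader `redirect`. The following script is an added illustration, not IPFire's or unbound's own code: it re-implements those documented matching rules in Python, runs the three constructed configurations (CU200 style, CU201 style, CU201 plus a subset of the bypass file) against the hostnames from the thread, and includes a small check that scans `unbound-control list_local_data` output for non-www names pointed at forcesafesearch.google.com. The `google.com` entries in the constructed configs are an assumption by analogy with the ccTLD entries shown in comment 4, consistent with the CNAME observed in comment 2.

```python
"""Simulate unbound local-zone / local-data answers for Google hostnames.

Added illustration for this bug, not IPFire's or unbound's own code. Configs
are constructed from the unbound-control listings in the comments above;
google.com is assumed to be handled like the ccTLD entries shown (consistent
with the CNAME seen in comment 2). Rules follow unbound's documentation: the
most specific local-zone wins; a redirect zone answers the zone and every
name below it from the zone apex data; a transparent zone answers only names
with explicit local-data and lets the rest recurse normally.
"""


def canon(name: str) -> str:
    """Lower-case, absolute owner name ('mtalk.google.com.')."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_config(text: str):
    """Read local-zone:/local-data: lines -> (zone -> type, owner -> (rrtype, rdata))."""
    zones, data = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("local-zone:"):
            name, ztype = line.split(":", 1)[1].split()
            zones[canon(name.strip('"'))] = ztype
        elif line.startswith("local-data:"):
            rr = line.split(":", 1)[1].strip().strip('"').split()
            # owner [TTL] [IN] TYPE rdata: drop the optional TTL and class
            fields = [f for f in rr[1:] if not f.isdigit() and f.upper() != "IN"]
            rrtype, rdata = fields[0].upper(), fields[1]
            data[canon(rr[0])] = (rrtype, canon(rdata) if rrtype == "CNAME" else rdata)
    return zones, data


def enclosing_zone(name: str, zones: dict):
    """Most specific (longest-suffix) configured local-zone for name."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:]) + "."
        if cand in zones:
            return cand, zones[cand]
    return None, None


def resolve(name: str, zones: dict, data: dict):
    """('local', rrtype, rdata) if answered from local data, else ('upstream', None, None)."""
    name = canon(name)
    zone, ztype = enclosing_zone(name, zones)
    if ztype == "redirect":
        # the whole subtree is answered with the record stored at the zone apex
        apex = data.get(zone)
        return ("local",) + apex if apex else ("local", "NODATA", None)
    if name in data:  # transparent zone (or no zone) with an explicit record
        return ("local",) + data[name]
    return ("upstream", None, None)


def lookup(config_text: str, name: str):
    zones, data = parse_config(config_text)
    return resolve(name, zones, data)


def apex_redirects(list_local_data_output: str):
    """Non-www names CNAMEd to forcesafesearch in `unbound-control list_local_data`
    output; paired with a redirect zone each one swallows all its subdomains."""
    hits = []
    for line in list_local_data_output.splitlines():
        f = line.split()
        if (len(f) >= 5 and f[3] == "CNAME" and f[4] == "forcesafesearch.google.com."
                and not f[0].startswith("www.")):
            hits.append(f[0])
    return hits


# Constructed configs mirroring the CU200 / CU201 listings and the bypass file.
CU200_STYLE = """
server:
    local-zone: "google.com." transparent
    local-data: "www.google.com. 60 IN A 216.239.38.120"
"""
CU201_STYLE = """
server:
    local-zone: "google.com." redirect
    local-data: "google.com. 3600 IN CNAME forcesafesearch.google.com."
    local-zone: "www.google.com." redirect
    local-data: "www.google.com. 3600 IN CNAME forcesafesearch.google.com."
"""
BYPASS = """
    local-zone: "mtalk.google.com." transparent
    local-zone: "l.google.com." transparent
"""
# Constructed excerpt of the CU201 list_local_data output shown in comment 4.
SAMPLE_LIST_LOCAL_DATA = """\
google.ac.      3600    IN      CNAME   forcesafesearch.google.com.
www.google.ac.  3600    IN      CNAME   forcesafesearch.google.com.
google.ad.      3600    IN      CNAME   forcesafesearch.google.com.
"""

if __name__ == "__main__":
    for label, cfg in (("CU200", CU200_STYLE), ("CU201", CU201_STYLE),
                       ("CU201+bypass", CU201_STYLE + BYPASS)):
        for host in ("www.google.com", "mtalk.google.com", "mobile-gtalk.l.google.com"):
            print(f"{label:13}{host:27}-> {lookup(cfg, host)}")
    print("apex redirects:", apex_redirects(SAMPLE_LIST_LOCAL_DATA))
```

Run against a real firewall, `apex_redirects(subprocess.check_output(["unbound-control", "list_local_data"], text=True))` lists every bare domain that will capture its subtree; an empty list is what the CU200 layout produces. The simulation stops at the CNAME and does not model unbound following it to 216.239.38.120, and the bypass file is an allow-list of specific names: anything Google adds later under google.com is redirected again until it is listed, which is why redirecting only the www hosts (as CU200 did) is the more robust shape.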