By updating from CU 200 to CU 201, all notifications from apps (coming from external servers) on Android devices are not passed through anymore.

Initial configuration: IPFire CU 200 with WebProxy and URL-Filter enabled. Working since 2009 on PC hardware without such problems.

After update to CU 201 and Web-Proxy and DNS-Firewall enabled and URL-Filter disabled, Android devices in the BLUE network are unable to receive notifications such as:

- Banking apps (e.g. S-Push-TAN app from Sparkasse)
- Threema Messenger (new messages)
- Safety notifications from Deutsche Wetterdienst DWD app, NINA and Katwarn
- Notifications from car (battery finished loading)
- Microsoft Authenticator for 2FA (employer requirement)

Switching to mobile data triggers the notifications immediately, also the previously missed ones. Also, opening those apps while in the BLUE network triggers the notifications too (except S-Push-TAN app and Microsoft Authenticator).

Disabling DNS-Firewall and re-enabling URL-Filter as previously working with CU 200 still does not work with CU 201. Notifications are still blocked.

There were no configuration changes in Web-Proxy and URL-Filter or changes in firewall rules after the update to CU 201.

See also this thread in the forum: https://community.ipfire.org/t/push-messages-from-signal-messenger-or-banking-apps-not-working-with-dns-firewall/15734/9

System Version:

```
IPFire-Version   IPFire 2.29 (x86_64) - core201
Pakfire-Version  2.29-x86_64
Kernelversion    Linux firewall.xyz.local 6.18.7-ipfire #1 SMP PREEMPT_DYNAMIC Tue Feb 24 14:01:17 GMT 2026 x86_64 GNU/Linux
```

I hope this can be sorted out as it is an important feature to get notifications on Android devices. Thank you for your attention.

Also SMS messages are not delivered when in BLUE network and connected to mobile phone provider via 'WiFi Calling'.

This seems to be caused by the Enable Safe Search option in Network → Domain Name System.

According to Gemini, Google Play Services need access to mtalk.google.com and this connection is kept open by Android using a heartbeat. For this to work, it of course first does a lookup of mtalk.google.com. However, when Safe Search is enabled, a lookup returns:

```
mtalk.google.com is an alias for forcesafesearch.google.com.
forcesafesearch.google.com has address 216.239.38.120
```

When Safe Search is disabled, the same lookup returns:

```
mtalk.google.com is an alias for mobile-gtalk.l.google.com.
mobile-gtalk.l.google.com has address 142.250.102.188
```

When Safe Search is disabled, all push messages seem to work again here.

According to Gemini: Google's official and proper method is to redirect only the specific search domains:

```
www.google.com -> forcesafesearch.google.com
www.google.be  -> forcesafesearch.google.com
```

(Thereby leaving mtalk.google.com alone.)

Anyway, bottom line is, I think, to make sure to not redirect mtalk.google.com to forcesafesearch.google.com.

I compared CU200 and CU201 with DNS Safe Search enabled, using the command `unbound-control list_local_data | grep "google."`. On CU201, all domains are redirected, whereas on CU200, only domains starting with www. are redirected.

CU201

```
[root@ipfire ~]# unbound-control list_local_data | grep "google."
google.ac. 3600 IN CNAME forcesafesearch.google.com.
www.google.ac. 3600 IN CNAME forcesafesearch.google.com.
google.ad. 3600 IN CNAME forcesafesearch.google.com.
www.google.ad. 3600 IN CNAME forcesafesearch.google.com.
google.ae. 3600 IN CNAME forcesafesearch.google.com.
www.google.ae. 3600 IN CNAME forcesafesearch.google.com.
google.com.af. 3600 IN CNAME forcesafesearch.google.com.
www.google.com.af. 3600 IN CNAME forcesafesearch.google.com.
google.com.ag. 3600 IN CNAME forcesafesearch.google.com.
www.google.com.ag. 3600 IN CNAME forcesafesearch.google.com.
google.com.ai. 3600 IN CNAME forcesafesearch.google.com.
...
```

CU200

```
[root@ipfireTest ~]# unbound-control list_local_data | grep "google."
www.google.ad. 60 IN A 216.239.38.120
www.google.ae. 60 IN A 216.239.38.120
www.google.com.af. 60 IN A 216.239.38.120
www.google.com.ag. 60 IN A 216.239.38.120
www.google.com.ai. 60 IN A 216.239.38.120
www.google.al. 60 IN A 216.239.38.120
www.google.am. 60 IN A 216.239.38.120
www.google.co.ao. 60 IN A 216.239.38.120
www.google.com.ar. 60 IN A 216.239.38.120
www.google.as. 60 IN A 216.239.38.120
www.google.at. 60 IN A 216.239.38.120
www.google.com.au. 60 IN A 216.239.38.120
www.google.az. 60 IN A 216.239.38.120
www.google.ba. 60 IN A 216.239.38.120
www.google.com.bd. 60 IN A 216.239.38.120
www.google.be. 60 IN A 216.239.38.120
www.google.bf. 60 IN A 216.239.38.120
...
```

Idem with `unbound-control list_local_zones | grep "google."`

CU201

```
google.ac. redirect
www.google.ac. redirect
google.ad. redirect
www.google.ad. redirect
google.ae. redirect
www.google.ae. redirect
google.com.af. redirect
www.google.com.af. redirect
google.com.ag. redirect
www.google.com.ag. redirect
google.com.ai. redirect
www.google.com.ai. redirect
google.al. redirect
www.google.al. redirect
google.am. redirect
www.google.am. redirect
google.co.ao. redirect
www.google.co.ao. redirect
google.com.ar. redirect
www.google.com.ar. redirect
google.as. redirect
www.google.as. redirect
google.at. redirect
....
```

CU200

```
[root@ipfireTest ~]# unbound-control list_local_zones |grep google.
google.ad. transparent
google.ae. transparent
google.com.af. transparent
google.com.ag. transparent
google.com.ai. transparent
google.al. transparent
google.am. transparent
google.co.ao. transparent
google.com.ar. transparent
google.as. transparent
google.at. transparent
google.com.au. transparent
google.az. transparent
google.ba. transparent
google.com.bd. transparent
google.be. transparent
google.bf. transparent
google.bg. transparent
...
```

By checking my mobile's access with tcpdump and the help of Gemini, I defined the domains to exclude from DNS SafeSearch in a file /etc/unbound/local.d/safesearch-bypass.conf

```
server:
    # Frees the main channel and its direct variants
    local-zone: "mtalk.google.com." transparent
    local-zone: "alt1-mtalk.google.com." transparent
    local-zone: "alt2-mtalk.google.com." transparent
    local-zone: "alt3-mtalk.google.com." transparent
    local-zone: "alt4-mtalk.google.com." transparent
    local-zone: "alt5-mtalk.google.com." transparent
    local-zone: "alt6-mtalk.google.com." transparent
    local-zone: "alt7-mtalk.google.com." transparent
    local-zone: "alt8-mtalk.google.com." transparent

    # Releases ALL technical variants in "l.google.com"
    # (Includes mobile-gtalk, gtalk4, alt1 to alt8, etc. at once)
    local-zone: "l.google.com." transparent

    # Exclude for time synchronization (NTP)
    local-zone: "time.google.com." transparent

    # Exclude for Android System and Play Store
    local-zone: "android.clients.google.com." transparent
    local-zone: "android.apis.google.com." transparent
```

And also

```
    # Release the download branch (Chrome, updates...)
    local-zone: "dl.google.com." transparent
```

Last version of the file /etc/unbound/local.d/safesearch-bypass.conf

```
server:
    # Frees the main channel and its direct variants
    local-zone: "mtalk.google.com." transparent
    local-zone: "alt1-mtalk.google.com." transparent
    local-zone: "alt2-mtalk.google.com." transparent
    local-zone: "alt3-mtalk.google.com." transparent
    local-zone: "alt4-mtalk.google.com." transparent
    local-zone: "alt5-mtalk.google.com." transparent
    local-zone: "alt6-mtalk.google.com." transparent
    local-zone: "alt7-mtalk.google.com." transparent
    local-zone: "alt8-mtalk.google.com." transparent

    # Releases ALL technical variants in "l.google.com"
    # (Includes mobile-gtalk, gtalk4, alt1 to alt8, etc. at once)
    local-zone: "l.google.com." transparent

    # Exclude for time synchronization (NTP)
    local-zone: "time.google.com." transparent

    # Exclude for Android System and Play Store
    local-zone: "android.clients.google.com." transparent
    local-zone: "android.apis.google.com." transparent
    local-zone: "accounts.google.com." transparent
    local-zone: "client1.google.com." transparent
    local-zone: "client2.google.com." transparent
    local-zone: "client3.google.com." transparent
    local-zone: "client4.google.com." transparent
    local-zone: "client5.google.com." transparent
    local-zone: "client6.google.com." transparent
    local-zone: "connectivitycheck.google.com." transparent
    local-zone: "location.google.com." transparent
    local-zone: "dl-ssl.google.com." transparent
    local-zone: "hangouts.google.com." transparent
    local-zone: "m.google.com." transparent
    local-zone: "pack.google.com." transparent
    local-zone: "play.google.com." transparent

    # Release the download branch (Chrome, updates...)
    local-zone: "chrome.google.com." transparent
    local-zone: "dl.google.com." transparent
    local-zone: "fonts.google.com." transparent
    local-zone: "safebrowsing-cache.google.com." transparent
```
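
Added example, not part of the original thread or of IPFire's code: a small check of which Unbound local-zone governs a given name, before and after the bypass entries, using Unbound's rule that the most specific (longest-suffix) local-zone wins. The zone list is a constructed sample in `unbound-control list_local_zones` format; the `google.com. redirect` entry is an assumption consistent with the mtalk.google.com lookup reported above, and the helper names are hypothetical.

```python
import re

# Constructed sample in `unbound-control list_local_zones` format.
# ASSUMPTION: CU 201 also carries "google.com. redirect", consistent with
# the mtalk.google.com -> forcesafesearch lookup reported in this thread.
CU201_ZONES = """\
google.com. redirect
www.google.com. redirect
google.be. redirect
www.google.be. redirect
"""

# Subset of the safesearch-bypass.conf posted in this thread.
BYPASS_CONF = """\
server:
    # Frees the main channel
    local-zone: "mtalk.google.com." transparent
    local-zone: "l.google.com." transparent
    local-zone: "time.google.com." transparent
"""

def parse_zone_list(text):
    """Parse 'zone. type' lines into {zone: type}."""
    return dict(line.split() for line in text.splitlines() if line.strip())

def parse_conf(text):
    """Extract local-zone directives from an unbound config fragment."""
    return dict(re.findall(r'^\s*local-zone:\s*"([^"]+)"\s+(\S+)', text, re.M))

def governing_zone(name, zones):
    """Return (zone, type) of the most specific local-zone covering name,
    or (None, None) when no local-zone applies (normal resolution)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):  # try the longest suffix first
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate, zones[candidate]
    return None, None

NAMES = ["mtalk.google.com", "mobile-gtalk.l.google.com",
         "www.google.com", "www.google.be"]

if __name__ == "__main__":
    before = parse_zone_list(CU201_ZONES)
    after = {**before, **parse_conf(BYPASS_CONF)}
    for label, zones in (("Safe Search only", before), ("with bypass", after)):
        for name in NAMES:
            zone, ztype = governing_zone(name, zones)
            print(f"{label:17} {name:27} -> {zone} {ztype}")
```

This models zone selection only, not how local-data inside a zone is answered. On a live system, feed it the real `unbound-control list_local_zones` output to confirm the search hostnames are still governed by a redirect zone after adding bypass entries.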