Android devices are very chatty and make a lot of connections to servers you may not want your device talking to.
logcat or adb logcat can show you DNS activity, too.
Once you have the IP addresses of the blocked attempts, focus on those first. Then you can monitor with Wireshark to see what's making its way through your approved apps.
If you're on a Linux system, you can use the whois package to do whois lookups from your terminal:
whois 216.239.35.12
OrgName: Google LLC
Not every lookup will return a nameserver, but it can clue you in on what the attempt may have been trying to do:
nslookup 216.239.35.12
12.35.239.216.in-addr.arpa name = time4.google.com.
This connection was the result of the NTP time settings of Android being set to 'null'; set a custom time server.
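The whois and nslookup steps above, batched over a list of blocked IPs. This is an added example, not part of the original post. The function names and the input file (one IP per line) are assumptions, and the parsers cover only the output shapes shown above plus the org-name field that some registries use instead of OrgName.

```sh
#!/bin/sh
# Added example: function names and the input file are assumptions.

# 216.239.35.12 -> 12.35.239.216.in-addr.arpa (the name nslookup queries)
ptr_name() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# Read whois output on stdin, print the organisation or "unknown".
org_from_whois() {
    awk -F': *' 'tolower($1) ~ /^(orgname|org-name)$/ { print $2; found = 1; exit }
                 END { if (!found) print "unknown" }'
}

# Read nslookup output on stdin, print the PTR hostname or "none".
ptr_from_nslookup() {
    awk '/name = / { sub(/^.*name = /, ""); sub(/\.$/, ""); print; found = 1; exit }
         END { if (!found) print "none" }'
}

# Read one IP per line on stdin; print ip, org, PTR host, query name.
triage() {
    while read -r ip; do
        [ -n "$ip" ] || continue
        if ! qname=$(ptr_name "$ip"); then
            printf '%s\tinvalid address\n' "$ip" >&2
            continue
        fi
        # </dev/null keeps the tools from consuming the IP list on stdin
        org=$(whois "$ip" 2>/dev/null </dev/null | org_from_whois)
        host=$(nslookup "$ip" 2>/dev/null </dev/null | ptr_from_nslookup)
        printf '%s\t%s\t%s\t%s\n' "$ip" "$org" "$host" "$qname"
    done
}

# Usage: sh triage.sh blocked_ips.txt
if [ "$#" -gt 0 ]; then
    triage < "$1"
fi
```

Sorting the output on the organisation column groups the blocked destinations by owner, which makes one-off hosts stand out from the bulk of vendor traffic.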