Are you sure you didn't have a clearnet connection in a clearnet host browser to google for a a while?
Can you reliably reproduce this leak doing this leak test?
Having the host reliably see the connection to google ip even though it originated from Whonix-Workstation would be awful.
If you still can confirm, I would be wondering why I couldn't reproduce this bug using VirtualBox, but you can using KVM.
At least as dangerous as dns leak, I think.
Apparently we could use a workaround. Starting points:
Would require adjustment to work with Whonix, unfortunately.
Perhaps because tcpdump saw it and because there maybe really is a leak.