diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
index 84da79d971..cb0da19291 100644
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
@@ -415,11 +415,6 @@ static __always_inline inline int bpf_traffic_account(struct __sk_buff* skb, boo
     }
 
     int match = bpf_owner_match(skb, sock_uid, egress, kver);
-    if (egress && (match == DROP)) {
-        // If an outbound packet is going to be dropped, we do not count that
-        // traffic.
-        return match;
-    }
 
 // Workaround for secureVPN with VpnIsolation enabled, refer to b/159994981 for details.
 // Keep TAG_SYSTEM_DNS in sync with DnsResolver/include/netd_resolv/resolv.h
@@ -432,6 +427,9 @@ static __always_inline inline int bpf_traffic_account(struct __sk_buff* skb, boo
         if (match == DROP_UNLESS_DNS) match = DROP;
     }
 
+    // If an outbound packet is going to be dropped, we do not count that traffic.
+    if (egress && (match == DROP)) return DROP;
+
     StatsKey key = {.uid = uid, .tag = tag, .counterSet = 0, .ifaceIndex = skb->ifindex};
 
     uint8_t* counterSet = bpf_uid_counterset_map_lookup_elem(&uid);