Comment 47 for bug 1624317

@Vincent, re the "If lookups are routed to multiple interfaces, the first successful response is returned", this is indeed the problem with systemd-resolved as I see it, as that method will never be stable for a split DNS setup... You can never reliably predict if you'll get a good or a bad IP for the connections you're currently using.

dnsmasq allows a solution to this, because NetworkManager can tell dnsmasq to use the LAN DNS for default stuff, but use the VPN DNS for lookups in the example.lan domain and 10.in-addr.arpa, for example.

The dhcp-options you mention is for a direct call to openvpn if I'm not mistaken(?). That would work if you're content with launching every VPN connection by hand. In my case, I use a bunch of different VPN clients and as such, solving this in NetworkManager is a much more universally applicable fix.