Comment 4 for bug 666446

dwmw2 (dwmw2) wrote :

I don't think this should be considered a 'feature request'. If you have a full-tunnel VPN, your employer will *expect* all your network traffic to go via the VPN as if you were dialled directly into the corporate network. Allowing some of the DNS traffic to "escape" to be seen by potentially malicious local DNS servers is utterly wrong.

In particular I don't agree this is a 'feature request' for 16.04 because it *used* to work there.
You fixed it once with this patch:
http://bazaar.launchpad.net/~network-manager/network-manager/ubuntu/view/head:/debian/patches/Filter-DNS-servers-to-add-to-dnsmasq-based-on-availa.patch

That patch got dropped in an update, so this isn't just a security problem but also a regression in 16.04.

cf. https://bugzilla.gnome.org/show_bug.cgi?id=746422
    https://bugzilla.redhat.com/show_bug.cgi?id=1553634