Comment 6 for bug 1685391

Christian Ehrhardt  (paelzer) wrote :

Thanks Simon, the comment on the potential parallel search is great and could be the source of your leak.

From the trace you sent, it seems to look like this when shrunk down to the path:

# you first ask local dnsmasq
;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
# that then asks main dns servers
;; Received 866 bytes from 202.12.27.33#53(m.root-servers.net) in 400 ms
;; Received 678 bytes from 192.5.6.30#53(a.gtld-servers.net) in 77 ms
# dns service provider
;; Received 107 bytes from 204.13.251.27#53(ns4.p27.dynect.net) in 197 ms
# canonical name server
;; Received 171 bytes from 91.189.91.139#53(ns3.canonical.com) in 134 ms

But if I understood dig +trace well enough, it does so by understanding the DNS reply.
So your local dnsmasq or such on 127.0.0.1 is reporting "answer from 202.12.27.33#53(m.root-servers.net)" - then it asks this server next, which then answers ...

If anything, it seems that your local DNS cache/proxy is already not asking your "in-vpn" DNS but a public one.

Configs will certainly help a bit in trying to understand that.
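
Added example, not part of the comment above and not code from the bug report: a small parser for the ";; Received ... from" hop lines of `dig +trace` that labels each responding server as local, inside the VPN's DNS range, or outside it. The VPN range `10.8.0.0/24` and the names `VPN_DNS_NETS`, `classify` and `parse_hops` are assumptions made for illustration; the sample hop lines are the ones quoted in the comment.

```python
import ipaddress
import re

# dig's per-hop summary line, e.g.
# ";; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms"
HOP_RE = re.compile(
    r"^;; Received (?P<size>\d+) bytes from "
    r"(?P<ip>[0-9A-Fa-f:.]+)#(?P<port>\d+)\((?P<name>[^)]*)\) in (?P<ms>\d+) ms"
)

# Assumption: range the in-VPN resolvers live in (constructed placeholder).
VPN_DNS_NETS = [ipaddress.ip_network("10.8.0.0/24")]


def classify(ip, vpn_nets=VPN_DNS_NETS):
    """Label a responder address as local, vpn or outside-vpn."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "local"
    # A membership test across IP versions is simply False, so mixed v4/v6 is safe.
    if any(addr in net for net in vpn_nets):
        return "vpn"
    return "outside-vpn"


def parse_hops(text, vpn_nets=VPN_DNS_NETS):
    """Return one dict per hop line found in dig +trace output, in order."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line.strip())
        if m is None:
            continue  # annotations, record lines and blanks are skipped
        hops.append({
            "server": m["ip"],
            "name": m["name"],
            "bytes": int(m["size"]),
            "ms": int(m["ms"]),
            "where": classify(m["ip"], vpn_nets),
        })
    return hops


# Hop lines as quoted in the comment above.
TRACE = """\
;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
;; Received 866 bytes from 202.12.27.33#53(m.root-servers.net) in 400 ms
;; Received 678 bytes from 192.5.6.30#53(a.gtld-servers.net) in 77 ms
;; Received 107 bytes from 204.13.251.27#53(ns4.p27.dynect.net) in 197 ms
;; Received 171 bytes from 91.189.91.139#53(ns3.canonical.com) in 134 ms
"""

if __name__ == "__main__":
    for hop in parse_hops(TRACE):
        print(f'{hop["where"]:12} {hop["server"]:16} {hop["name"]} ({hop["ms"]} ms)')
```
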