Thanks Simon, the comment on the potential parallel search is great and could be the source of your leak.
From the trace you sent it seems, when shrunk down to the path, like this:
# you first ask local dnsmasq
;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
# that then asks main dns servers
;; Received 866 bytes from 202.12.27.33#53(m.root-servers.net) in 400 ms
;; Received 678 bytes from 192.5.6.30#53(a.gtld-servers.net) in 77 ms
# dns service provider
;; Received 107 bytes from 204.13.251.27#53(ns4.p27.dynect.net) in 197 ms
# canonical name server
;; Received 171 bytes from 91.189.91.139#53(ns3.canonical.com) in 134 ms
But if I understood dig +trace well enough, it does so by understanding the DNS reply.
So your local dnsmasq or such on 127.0.0.1 is reporting "answer from 202.12.27.33#53(m.root-servers.net)" - then it asks this server next, which then answers ...
If anything, it seems that already your local DNS cache/proxy is not asking your "in-VPN" DNS but a public one.
Configs will certainly help a bit in trying to understand that.
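The hop list above is worth reading with one property of dig +trace in mind: only the first query goes to the local resolver (to fetch the root NS set); every later query is sent by dig itself, directly from the host, to the IP shown on that line. So a +trace output is literally a list of external servers the host talked to for that lookup, and those packets take whatever route the host has for them, tunnel or not. As an added example that is not part of this comment or the bug report, the following Python parses the ";; Received ... from ..." lines of a dig +trace run, separates the loopback hop from the directly-contacted public ones, and reports which of those public hops fall outside a set of resolver addresses you expect to be reachable only through the VPN. The sample trace is the one quoted above; the allowed network 10.8.0.0/24 is an assumed in-VPN resolver range, not something from the report.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the dig +trace hops quoted in the comment, as dig prints them.
SAMPLE_TRACE = """\
;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
;; Received 866 bytes from 202.12.27.33#53(m.root-servers.net) in 400 ms
;; Received 678 bytes from 192.5.6.30#53(a.gtld-servers.net) in 77 ms
;; Received 107 bytes from 204.13.251.27#53(ns4.p27.dynect.net) in 197 ms
;; Received 171 bytes from 91.189.91.139#53(ns3.canonical.com) in 134 ms
"""

# Matches dig's per-hop summary line:  ;; Received <n> bytes from <ip>#<port>(<name>) in <t> ms
HOP_RE = re.compile(
    r"^;; Received (?P<bytes>\d+) bytes from (?P<ip>[0-9a-fA-F:.]+)#(?P<port>\d+)"
    r"\((?P<name>[^)]*)\) in (?P<ms>\d+) ms$"
)


@dataclass
class Hop:
    ip: str
    port: int
    name: str
    size: int
    rtt_ms: int


def parse_trace(text: str) -> List[Hop]:
    """Extract the servers dig reported an answer from, in query order."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line.strip())
        if m:
            hops.append(Hop(m["ip"], int(m["port"]), m["name"],
                            int(m["bytes"]), int(m["ms"])))
    return hops


def local_resolver_first(hops: List[Hop]) -> bool:
    """True when the first hop is a loopback/private address, i.e. the local cache/proxy."""
    return bool(hops) and not ipaddress.ip_address(hops[0].ip).is_global


def direct_external_hops(hops: List[Hop]) -> List[Hop]:
    """Hops with globally routable addresses: dig contacted each of these directly from the host."""
    return [h for h in hops if ipaddress.ip_address(h.ip).is_global]


def leak_report(hops: List[Hop], allowed_nets: List[str]) -> List[Hop]:
    """External hops that are NOT inside the networks you expect DNS traffic to stay in.

    allowed_nets is a list of CIDR strings (assumed in-VPN resolver ranges).
    Anything returned here was queried directly by the host over its normal routing.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    return [h for h in direct_external_hops(hops)
            if not any(ipaddress.ip_address(h.ip) in n for n in nets)]


if __name__ == "__main__":
    hops = parse_trace(SAMPLE_TRACE)
    print("first hop is local resolver:", local_resolver_first(hops))
    # 10.8.0.0/24 is an assumed in-VPN resolver range for illustration only.
    for h in leak_report(hops, ["10.8.0.0/24"]):
        print(f"direct query to {h.ip} ({h.name}) port {h.port}, {h.rtt_ms} ms")
```

Note what this does and does not tell you: it confirms that the host itself sent queries to those public addresses during the +trace run, but it says nothing about where dnsmasq forwards ordinary (non-trace) queries, because +trace never lets the local resolver perform the recursion. For that, the resolver's own configuration (its server/upstream entries) or a packet capture on the tunnel versus the physical interface is the right check, which is why the configs are being asked for above.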