Comment 65 for bug 1754671

In , Dcbw-y (dcbw-y) wrote :

If the VPN routes all traffic (e.g., its ipv4.never-default=false) that usually indicates that the VPN's nameservers should be used instead of the parent interface's nameservers, since the parent interface's nameservers would be accessed over the VPN anyway (since it's routing all traffic).

But with dns=dnsmasq, the dnsmasq plugin always does split DNS regardless of the never-default value of the VPN's IPv4 config:

    /* Use split DNS for VPN configs */
    for (iter = (GSList *) vpn_configs; iter; iter = g_slist_next (iter)) {
        if (NM_IS_IP4_CONFIG (iter->data))
            add_ip4_config (conf, NM_IP4_CONFIG (iter->data), TRUE);
        else if (NM_IS_IP6_CONFIG (iter->data))
            add_ip6_config (conf, NM_IP6_CONFIG (iter->data), TRUE);
    }

Instead I think that each config should be added with split DNS only if ipv4.never-default=true for that config. That would ensure that when the VPN was routing all traffic, split DNS was not used, but when the VPN was not routing all traffic, split DNS was used.

If the user really does want to use the parent interface's nameservers even though they will be contacted over the VPN, they can either add custom dnsmasq options to /etc/NetworkManager/dnsmasq.d or enter them manually for the connection.

ISTR that the behavior I'm suggesting was always intended, but apparently we changed that behavior a long time ago and possibly didn't realize it?
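
The rule proposed in the comment above, sketched as an added example that is not NetworkManager code: it generates dnsmasq server= lines and uses split DNS for a VPN only when its never-default flag is true. struct dns_cfg, build_dnsmasq_servers, demo and the sample addresses are hypothetical; dropping the parent interface's nameservers when a VPN routes all traffic is an assumption read from the comment's first paragraph.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct dns_cfg {   /* hypothetical, simplified model of one connection's DNS settings */
    bool is_vpn, never_default;            /* never_default: ipv4.never-default */
    const char *servers[3], *domains[3];   /* unused slots are NULL */
};

/* Append one dnsmasq "server=" line; domain == NULL means all queries. */
static void add_server(char *out, size_t cap, const char *domain, const char *ns)
{
    size_t len = strlen(out);
    if (domain)
        snprintf(out + len, cap - len, "server=/%s/%s\n", domain, ns);
    else
        snprintf(out + len, cap - len, "server=%s\n", ns);
}

/* Split DNS only for VPNs with never-default=true; a full-tunnel VPN is global. */
void build_dnsmasq_servers(const struct dns_cfg *cfgs, size_t n, char *out, size_t cap)
{
    bool full_tunnel = false;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++)
        full_tunnel |= cfgs[i].is_vpn && !cfgs[i].never_default;
    for (size_t i = 0; i < n; i++) {
        const struct dns_cfg *c = &cfgs[i];
        bool split = c->is_vpn && c->never_default;
        if (!c->is_vpn && full_tunnel)
            continue;   /* parent resolvers would be reached over the VPN anyway */
        for (size_t s = 0; s < 3 && c->servers[s]; s++) {
            if (!split)
                add_server(out, cap, NULL, c->servers[s]);
            for (size_t d = 0; split && d < 3 && c->domains[d]; d++)
                add_server(out, cap, c->domains[d], c->servers[s]);
        }
    }
}

/* Constructed sample: a LAN connection plus one VPN. */
const char *demo(bool vpn_never_default)
{
    static char buf[256];
    struct dns_cfg cfgs[2] = { { false, false, { "192.168.1.1" }, { "lan" } },
        { true, vpn_never_default, { "10.8.0.1" }, { "corp.example" } } };
    build_dnsmasq_servers(cfgs, 2, buf, sizeof buf);
    return buf;
}
```

With the VPN taking the default route, only the VPN resolver appears as a global server; with never-default=true the LAN resolver stays global and the VPN resolver is limited to its own domain.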