Once again we get back to what's the definition of a DNS leak. I've seen numerous users who expected their router-hosted applications (e.g., transmission) to be routed over the VPN, only to find out, once they enabled routing policy, that wasn't the case. It was routed over the WAN, DNS et al.
You can clearly see this mindset when you see the following in routing policy.
Code:
192.168.1.0/24 <blank> OVPN1
I'm sure most users *think* this binds the router itself (e.g., 192.168.1.1) to the VPN. It does in the sense that any internet traffic that's initiated from its LAN interface will use the VPN, but the router doesn't typically use the LAN interface for such purposes (the GUI being a rare exception) since it's hosting the internet connections (WAN and VPN) and can (unlike the WLAN/LAN clients) access them directly!
You sometimes see the following as well, only emphasizing the point.
Code:
192.168.1.1 <blank> WAN
192.168.1.0/24 <blank> OVPN1
Of course, the first rule is pointless. Once routing policy is in effect, the router is no longer bound to the VPN anyway. The rule is benign, but it shows what the user (wrongly) believes about how the routing is configured wrt the VPNs.
I only bring this up to illustrate that these same beliefs apply to DNS. I doubt most users see the router as distinct from the WLAN/LAN clients, at least in terms of security/privacy. And while those changes from long ago may correct those particular problems, they come w/ consequences which are likely incompatible w/ their current assumptions.
But I understand why things like this are done sometimes. And that they have their own rationale. But the reason I wrote the script is to expose this behavior so at least it can be questioned. And at least for those that care, they can take appropriate countermeasures.
Truth is, there is no "one size fits all" answer. DNS is a world of compromises. For every good argument to do things one way, there are equally good arguments to do it another way.
As I said in my original post, you can't even get agreement on what exactly is a DNS leak. And why I find the typical online third-party tools so worthless.
P.S. I just uploaded a minor update to v1.2.1 which now looks at /etc/resolv.conf for determining the WAN's DNS servers. So it will now properly reflect any change to that DNS server option in the Tools menu.
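The routing behaviour described in this post, as an added example that is not part of the original post or of the author's script: a simplified model of source-based policy rules showing which flows the `192.168.1.0/24 <blank> OVPN1` rule actually captures. It assumes unmatched traffic follows the WAN default route and that a router process which has not bound its socket is looked up with an unspecified source; the client and destination addresses are constructed.

```python
import ipaddress
from typing import Optional

# Policy rule from the post: (source, destination, interface).
# A blank destination in the GUI is modelled as None ("any destination").
RULES = [("192.168.1.0/24", None, "OVPN1")]
DEFAULT_IFACE = "WAN"   # assumption: unmatched traffic uses the WAN default route
DST = "198.51.100.53"   # constructed destination (documentation address range)


def pick_interface(src: Optional[str], dst: str, rules=RULES) -> str:
    """Return the egress interface for a flow; the first matching rule wins.

    src is None for a router process whose socket is not bound to an
    address: the route lookup happens with an unspecified source, so a
    rule keyed on a source prefix cannot match it.
    """
    dst_ip = ipaddress.ip_address(dst)
    for rule_src, rule_dst, iface in rules:
        if src is None:
            continue  # source-based rules never match an unspecified source
        if ipaddress.ip_address(src) not in ipaddress.ip_network(rule_src):
            continue
        if rule_dst is not None and dst_ip not in ipaddress.ip_network(rule_dst):
            continue
        return iface
    return DEFAULT_IFACE


def audit(rules=RULES) -> dict:
    """Map representative flows to the interface they would leave on."""
    flows = {
        "lan_client": "192.168.1.50",          # constructed LAN client
        "router_bound_to_lan_ip": "192.168.1.1",  # e.g. traffic from the LAN interface
        "router_app_unbound": None,            # router-hosted application
        "router_dns_unbound": None,            # the router's own DNS lookups
    }
    return {name: pick_interface(src, DST, rules) for name, src in flows.items()}


if __name__ == "__main__":
    for name, iface in audit().items():
        print(f"{name:24s} -> {iface}")
```
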