Ojee, I hope the new version of Merlin is working out well for you.
If you don't enter a DNS server address in the WAN DNS setting (depending on your model and what version you're running), and you untick the "connect to DNS server automatically" box, then as long as your traffic is using an OpenVPN config/tunnel and your devices are routed appropriately, they will use the VPN provider's 'smart/private DNS' server, and/or the alternate DNS server(s) you list on the LAN DHCP server page, where you can manually assign the IPs around the list.
Sometimes (not always) if a device is balky or lags with a VPN provider's internal solution, say like certain WiFi tablets/phones, I've found that entering Google's 8.8.8.8 (or any other you prefer) on the LAN page may get appended to the OpenVPN config depending on the provider; I've seen it show up in the logs. There's a lot more to it than that, but if you aren't using your VPN provider's internal DNS solution, choose your DNS carefully; many use OpenNIC no-log DNS, but it depends on your needs. Google swears it doesn't keep all of the DNS info very long, if you believe that, but since most of the planet uses it, the amount of internet noise and the laws of probability will give you fast response and a better margin of blending in than you'll have by settling for your ISP's DNS. You could run GRC.org's DNS test to find the fastest DNS resolver if all you require is speed.
As for 'draconian TOS' some of the ISPs are now throttling OpenVPN traffic, whereas before they didn't care as much what you looked at or researched, as long as you weren't engaged in conduct that would get you warned or kicked off. If The ISP hasn't specifically agreed that they won't give away/sell all of your internet history as their DNS servers store and show, they're probably doing it. That seems draconian enough to the many who value their privacy, especially if they aren't doing anything illegal, immoral or fattening (tip of the hat to Flo & Eddie). If you don't mind that sort of invasive treatment by your ISP, it's whatever DNS you choose to use.
If your traffic isn't secured by using a VPN provider who offers OpenVPN, as you can use in your Asus router with Merlin, it's a safe bet the ISP will log, mine and sell everything. It's not right, but to each his/her own, and you have to be able to trust the VPN provider you pay to honor their promises not to spy on you or sell your data. I'd rather put up with an ISP throttling my OpenVPN traffic, since they all throttle these days, even if they state they don't, a la AT&T. Not using the ISP's DNS is a choice you have to make; otherwise every click and swipe stored on the ISP's DNS servers is subject to mining/selling to whomever they please. None of the ISPs publicly say they won't sell the DNS history, but AT&T will sell you the supposed right to 'turn off' their mining/storing/selling of your history. That's why no one believes them. It's whether you believe enough in a certain right or level of personal privacy, that we used to take for granted, that's at stake.
If your VPN service obscures/secures your traffic with an OpenVPN tunnel the info from their DNS servers should exit with your VPN's IP address, not yours. Most of the VPN companies have good DNS, and if you're using an OpenVPN shared or modulated tunnel, there's much less chance your history is going to be of much value to anyone, to be sold or mined, the same as it will be if you utilize your local ISP's servers.
The smaller ISPs are into the data-selling game as much as the big cats, since they pay whatever the large providers want for the bandwidth you're paying for, and the price gets only higher. The private ISPs don't usually make their peering contracts public. Even though they aren't starving, they cry poverty every so often and hit the customers with yet another hike every year unless you renegotiate, have a contract or lock your bandwidth rate price in some way. It's probably not draconian, but since you can't turn the tables and sell all of your ISP's private browsing history, it seems draconian. The latest law of the land states they can do it if they feel like it, and there's nothing users can do, except bend over and tie their shoes. Hope that helps, Cheers.
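As an added example (not from the post above, Merlin, or dnsmasq itself), here is a small Python audit that reads dnsmasq `log-queries` lines, pairs each client query with the upstream it was forwarded to, and flags queries that went to the ISP's resolver instead of the VPN provider's DNS or the alternates listed on the LAN DHCP page. The log lines and all resolver addresses are constructed assumptions for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed dnsmasq "log-queries" lines in the shape Merlin's syslog shows;
# every address below is an assumption for the example, not a real resolver.
SAMPLE_LOG = """\
Jan  3 10:01:02 dnsmasq[812]: query[A] example.com from 192.168.1.20
Jan  3 10:01:02 dnsmasq[812]: forwarded example.com to 10.8.0.1
Jan  3 10:01:05 dnsmasq[812]: query[AAAA] tablet-update.example.net from 192.168.1.31
Jan  3 10:01:05 dnsmasq[812]: forwarded tablet-update.example.net to 8.8.8.8
Jan  3 10:01:09 dnsmasq[812]: query[A] news.example.org from 192.168.1.42
Jan  3 10:01:09 dnsmasq[812]: forwarded news.example.org to 203.0.113.53
"""

# Assumed resolver classes: the VPN provider's tunnel-side DNS, the alternates
# entered on the LAN DHCP page, and the ISP DNS handed out on the WAN side.
VPN_DNS = [ip_network("10.8.0.0/24")]
ALTERNATE_DNS = {ip_address("8.8.8.8")}
ISP_DNS = {ip_address("203.0.113.53")}

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")
FORWARD_RE = re.compile(r"forwarded (\S+) to (\S+)")

def classify_upstream(addr: str) -> str:
    """Label an upstream resolver address by which list it belongs to."""
    ip = ip_address(addr)
    if any(ip in net for net in VPN_DNS):
        return "vpn"
    if ip in ALTERNATE_DNS:
        return "alternate"
    if ip in ISP_DNS:
        return "isp-leak"
    return "unknown"

def audit(log_text: str):
    """Return (counts per resolver class, list of (client, name, upstream) that
    reached the ISP or an unknown resolver)."""
    pending = {}            # query name -> LAN client that most recently asked
    counts, leaks = Counter(), []
    for line in log_text.splitlines():
        q = QUERY_RE.search(line)
        if q:
            pending[q.group(2)] = q.group(3)
            continue
        f = FORWARD_RE.search(line)
        if f:
            name, upstream = f.groups()
            cls = classify_upstream(upstream)
            counts[cls] += 1
            if cls in ("isp-leak", "unknown"):
                leaks.append((pending.get(name, "?"), name, upstream))
    return counts, leaks
```

Run it against the router's syslog after enabling `log-queries` in a dnsmasq config add-on; any entry in the leak list identifies a client whose lookups bypass the VPN DNS path.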
Great post!
When T-Mobile announced the initial giveaway of the TM-AC1900 "because when our customers have our router, trouble-shooting their networking issues will be so much easier", I wasn't buying it.
It was all about the average customer that won't specify an alternate DNS service. So you had a family signed up with Comcast / Xfinity, then T-Mobile in all their benevolence "gives" them a "free" router (I was assured in the beginning that I did in fact own it, a "fact" that I took with a mountain of salt). Now all of a sudden T-Mobile is in on the DNS action. The browsing data is worth *that* much.
I suspect that even if you specify an alternate DNS service (I do), that the router likely phones home with the data anyway. Too bad I didn't grab the cert off the thing when I had SSH enabled (they put the kibosh on that!), then maybe I could have installed it in a capturing proxy, running between the router and the modem - it would be interesting to see that traffic at idle.