That seems very plausible, and seems to be verified by my own recent testing.
When the built-in kill switch is
disabled, the fact those DNS servers are redirected to the OpenVPN client's routing table is irrelevant, since that table doesn't even exist as yet. Not until the OpenVPN client actually gets connected. It just falls through to the main routing table. But w/ the kill switch
enabled, the router will pre-populate the OpenVPN client's routing table so it can insert a 'prohibit default' route and prevent leakage. And now you have no access to DNS either, since it's bound to the VPN like everything else being blocked.
This is yet another side-effect of the recent change by ASUS to statically bind the WAN's DNS servers to the WAN starting w/ 386.4 (something I warned would be problematic when I first learned about it from Merlin; I just didn't know where and when). With that change, it now became necessary to take the extraordinary measures I suggested to the OP. Prior to 386.4, you could simply have added static routes to the OpenVPN client's routing table, without the need for routing policy rules. IOW, the binding of the WAN's DNS servers to the VPN would only occur at the point the VPN was actually connected, and irrespective of the state of the kill switch.
Again, I just
knew this static binding of the DNS servers on the WAN by ASUS would eventually lead to problems down the road. And now here we are.
I suppose another solution, if you insist on a kill switch, is to NOT use the built-in one, but one based on the firewall, like the one I created and in-use by a number of users who have other issues w/ the built-in version.
Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time.
pastebin.com
Unlike the built-in kill switch, my script does NOT affect the router itself, but *only* the WLAN/LAN clients being routed through the router. IOW, the router itself is *never* a participant in the kill switch. Another one of those subtle differences between using the routing system vs. firewall to manage the kill switch.