I have no idea how Surfshark is making that assessment, but fwiw, here's my general take on the matter.
There are a multitude of ways you can create a DNS leak. In fact, not everyone even agrees on the definition of a DNS leak. For some, it's merely making sure you avoid the ISP's DNS servers. For others (including me), it includes never accessing *any* DNS servers over the WAN, where they can be eavesdropped on and/or redirected. And when it comes to online testing tools, I find them to be notoriously inaccurate when it comes to the router, probably because the client is NOT directly accessing the public DNS servers, but only *indirectly* via the local DNS proxy, DNSMasq.
In my own case, I'm using ExpressVPN, and their own DNS leak testing page always tells me I'm using their DNS servers (even lists them), when in fact I know w/ 100% certainty I'm NOT! I always have "Accept DNS configured" as Disabled, override my ISP's DNS servers in DNSMasq w/ 1.1.1.1, 1.0.0.1, and 9.9.9.9, and bind them to the VPN w/ route directives. The reason ExpressVPN mis-reports it is because the only thing it's doing is noticing I'm connected through the VPN's public IP when I access that page! IOW, it's just an assumption, that in fact is WRONG.
As I said, these online DNS leak testing tools are notoriously unreliable when it comes to the router. IMO, the *only* way to be 100% sure is to monitor connection tracking and actually observe where DNS queries are being routed, in real-time.
Code:
cat /proc/net/nf_conntrack
All other methods are just educated guesses, which are often wrong. If it happens to be right in its assessment from time to time, it's most likely just coincidental.