Be forewarned, DNS is very tricky when it comes to the router. No one can be 100% sure where your DNS is actually being accessed by merely knowing the configuration. You have to examine what the traffic is actually doing to verify what's happening.
By default, *all* LAN clients are bound to the router's local DNS proxy (DNSMasq) for the purposes of DNS. Therefore, how DNS is accessed wrt public DNS servers is dependent on how DNSMasq itself is configured. And by default, it's configured to use the ISP's DNS servers.
In theory (and I say that for a reason, which I'll get to in a moment), when you specify Strict for "Accept DNS Configuration", it causes the router to reconfigure the local DNS proxy (DNSMasq) to include the VPN's DNS servers w/ those of the ISP, and gives the VPN's DNS server priority (thanks to the strict-order directive). So all the LAN clients will now be redirected to the VPN for DNS, just so long as the VPN provider's DNS server remains up and running (if it fails, it falls back to the ISP's DNS servers).
But that doesn't tell the whole story. This *assumes* the VPN server actually pushes its own DNS server to the client. Thankfully most do, but NOT all. And if they don't, then DNSMasq remains effectively unchanged, and you're still using the ISP's DNS servers!
But let's assume the VPN does push its own DNS server. What if it pushes a *public* IP for DNS (e.g., 8.8.8.8)? I've seen it happen (esp. budget providers who don't want to manage their own DNS). And since the router itself is removed from the VPN whenever you're using routing policy, DNSMasq in this case will use the WAN to route all those DNS requests to 8.8.8.8!
I've even seen misconfigurations by the VPN provider. One of my own (KeepSolid) pushes a DNS server which is *outside* the scope of the IP tunnel! The provider configures the tunnel using a net30 topology, which means it's basically PTP (point to point).
Code:
admin@lab-merlin1:/tmp/home/root# ifconfig tun11
tun11 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.200.0.62 P-t-P:10.200.0.61 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:36 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3634 (3.5 KiB) TX bytes:0 (0.0 B)
But notice the DNS server they push (10.200.0.1) is NOT within that same scope.
Code:
Jan 8 20:06:26 ovpn-client1[728]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.200.0.1,rcvbuf 262144,sndbuf 262144,comp-lzo no,ping 5,ping-exit 30,route 10.200.0.1,topology net30,ifconfig 10.200.0.62 10.200.0.61,peer-id 14,cipher AES-256-GCM'
The only way this works is if you are NOT using routing policy, since then *everything* is routed over the VPN by default anyway, including the router and DNSMasq. But once you enable routing policy, that *private* IP for the DNS server will be accessed over the WAN, which will obviously fail. And the router will once again fall back to the ISP's DNS servers.
Now granted, these situations are the exception. And the VPN provider above is just being a knucklehead. But things like this do occur. And it's why I say that you can never be 100% sure where your DNS is headed just by knowing/stating your configuration. There are certain things you can only know once the VPN is connected. And which require YOU to examine the results.
To make matters worse, I was just playing around w/ the new 386.4 firmware, and AFAICT, the use of Strict for "Accept DNS Configuration" is NOT working. When I examine the nameservers file (/tmp/resolv.dnsmasq) after the VPN is connected, it's putting the VPN's DNS server at the *bottom* of the file, after the ISP's DNS servers (I've overridden those w/ Cloudflare servers).
Code:
admin@lab-merlin1:/tmp/home/root# cat /tmp/resolv.dnsmasq
server=1.1.1.1
server=1.0.0.1
server=10.200.0.1
And when using the strict-order directive w/ DNSMasq, it will access them in the order specified in that file. Hence, the ISP's DNS servers are still being accessed. I've confirmed this by dumping connection tracking to see where the public DNS requests from DNSMasq are being routed, which is definitely over the WAN. If I manually move the 10.200.0.1 server to the top of the file and force DNSMasq to reread it (w/ SIGHUP), it now accesses the 10.200.0.1 server first (but still fails since it's routed over the WAN).
So either I'm missing something, or this appears to be a bug (I don't recall if things worked correctly/differently w/ 386.3_2).
Like I said, DNS is very tricky.