Btw, just to be clear to anybody here, this is no longer the case: DNS is 100% used over the VPN only; the only time it's not is for the initial lookup of the endpoint you are connecting to (which is then cached in the hosts file). If the VPN goes down, name queries do not go over the LAN (iptables is set not to allow port 53); once the VPN tunnel is re-established (by looking up the endpoint using the hosts file), name server queries are then resumed over the VPN tunnel, zero leakage.
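
One way to audit the behaviour the comment above describes (port 53 refused everywhere except the tunnel), as an added example that is not part of the original comment or the project's own code: it replays a new DNS packet against the filter OUTPUT chain of an `iptables-save` dump, first match wins, for both UDP and TCP. Assumptions: the interface names `tun0` and `eth0`, both sample rulesets (constructed), and all function names are hypothetical; only the `-o`, `-p` and `--dport` matches are modelled, and the hosts-file caching of the endpoint is not covered.

```python
# Constructed iptables-save samples; tun0 (tunnel) and eth0 (LAN) are assumed names.
GOOD = """*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j DROP
-A OUTPUT -p tcp -m tcp --dport 53 -j DROP
COMMIT"""
UDP_ONLY = """*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT ! -o tun0 -p udp -m udp --dport 53 -j DROP
COMMIT"""
FIELDS = {"-o": "iface", "-p": "proto", "--dport": "dport"}

def rule_matches(tokens, pkt):
    """True if every modelled match (-o, -p, --dport) fits; other matches are ignored."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in FIELDS:
            negated = i > 0 and tokens[i - 1] == "!"
            if (tokens[i + 1] == pkt[FIELDS[tok]]) == negated:
                return False
    return True

def verdict(ruleset, iface, proto, dport="53"):
    """First-match verdict of the filter OUTPUT chain for one outgoing packet."""
    pkt = {"iface": iface, "proto": proto, "dport": dport}
    table, policy = None, "ACCEPT"
    for line in ruleset.splitlines():
        tok = line.split() or [""]
        if tok[0].startswith("*"):
            table = tok[0][1:]              # table header, e.g. "*filter"
        elif table == "filter" and tok[0] == ":OUTPUT":
            policy = tok[1]                 # chain policy, used if no rule matches
        elif table == "filter" and tok[:2] == ["-A", "OUTPUT"]:
            target = tok[tok.index("-j") + 1] if "-j" in tok else None
            if target in ("ACCEPT", "DROP", "REJECT") and rule_matches(tok[2:], pkt):
                return target
    return policy

def dns_leak_findings(ruleset, lan="eth0", tunnel="tun0"):
    """List the ways DNS could bypass the tunnel, or be unusable inside it."""
    findings = []
    for proto in ("udp", "tcp"):
        if verdict(ruleset, lan, proto) == "ACCEPT":
            findings.append(f"{proto}/53 can leave via {lan}")
        if verdict(ruleset, tunnel, proto) != "ACCEPT":
            findings.append(f"{proto}/53 is blocked on {tunnel}")
    return findings
```

`dns_leak_findings(GOOD)` returns an empty list, while `UDP_ONLY` is flagged because DNS over TCP still falls through to the ACCEPT policy on the LAN interface.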