DNS config is confusing when using VPN

So I installed ProtonVPN WireGuard profile on my GL-AXT1800. This comes with VPN-provided DNS (called NetShield) which does basically the same thing as AdGuard Home, but it’s bundled with the VPN service.

It seems the Slate AX advertises itself as a DNS resolver over DHCP to the connected devices. This was surprising to me at first, but it looks like this is the “standard” in OpenWrt. I always assumed the DNS servers configured in the settings would be forwarded via DHCP to the clients, but that’s not what’s happening.
A tiny feature suggestion here - it would be good to have a simple option to forward the upstream DNS via DHCP to the devices without Slate acting as a DNS middleman, because from my research this change looks like a rather involved process and not a simple drop-down button switch.

Anyway, my Slate AX DNS is set to Automatic, and it retrieved 2 DNS servers from Ethernet and 1 DNS server from WireGuard.

Now, how do I choose which server is going to be used by the Slate DNS resolver? I want to make sure it always 100% ignores the DNS servers coming from Ethernet, even if the VPN DNS is down. Yet, there seems to be zero configuration available here - I cannot choose DNS server priority, allow/disallow DNS servers from a particular source, etc. And there is no indication as to which upstream DNS server is going to be used by the Slate resolver. Any tips on how to do any of these things?

From the looks of it, the best bet seems to be to use manual DNS config and just hard-code the VPN DNS server. That’s gonna get annoying quickly though when I switch from one VPN profile to another and each time I will have to go update the hard-coded DNS server. Am I missing something?

The Block Non-VPN Traffic option may be helpful.
If DNS is set to Automatic, the VPN interface will only use the DNS from WireGuard. When the Block Non-VPN Traffic option is enabled, data sent over the Ethernet interface will be blocked. In other words, the DNS for Ethernet is still in the settings, but no data will be sent.

So when the VPN is not available, do you want to block internet or use another manually set up DNS?

From Ethernet DHCP, the router obtained one ISP DNS server and also one Google DNS server. If I use Block Non-VPN Traffic, is there a guarantee the router will not send any requests to the ISP/Google DNS servers via the VPN interface? Because that’s another thing the router could do - perhaps with “Block Non-VPN Traffic” enabled, it won’t send requests via the Ethernet interface, but it might still use the ISP/Google DNS servers, except it will talk to them via the VPN connection first? It is just not very clear which DNS server the router is going to use.

So when the VPN is not available, do you want to block internet or use another manually set up DNS?

It depends. If the VPN is not available I would say block the internet. If just the VPN DNS is not available for some reason, perhaps using a manually configured fallback is okay too.

There is no guarantee that no traffic will be sent. It only blocks requests from the client. If you have not manually installed any applications on your router, there should be no traffic sent to ISP/Google DNS servers when VPN is enabled.

In this case, you should disable Block Non-VPN Traffic and set up DNS for the interface in LuCI → Network → Interfaces → WAN → Advanced Settings (this feature is not yet supported by the GL UI).

See GL-AXT1800: One DNS server per VLAN

Best regards
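The LuCI setting mentioned above maps to the `peerdns` option of the WAN interface in OpenWrt's `/etc/config/network`. The script below is an added example for this thread, not code from the GL.iNet post or firmware: it turns that option off with `uci`, and, for the question of which upstream the router is actually using, it parses the per-interface nameserver list that netifd writes for dnsmasq and reports any server that did not come from the VPN interface. The interface names `wan`, `wan6` and `wgclient`, the path `/tmp/resolv.conf.d/resolv.conf.auto` (OpenWrt 21.02 and later; older releases used `/tmp/resolv.conf.auto`), and the nameserver addresses in the sample are assumptions or constructed data.

```shell
#!/bin/sh
# Added example, not from the forum thread or GL.iNet firmware.
# Assumptions: OpenWrt 21.02+ resolv path, upstream interface "wan"/"wan6",
# WireGuard client interface "wgclient" (check: ubus call network.interface dump).

# netifd writes the DNS servers learned per interface here; dnsmasq reads it.
RESOLV_AUTO="${RESOLV_AUTO:-/tmp/resolv.conf.d/resolv.conf.auto}"

# Constructed sample in resolv.conf.auto format: what the OP described
# (one ISP and one Google server from Ethernet, one server from WireGuard).
sample_before() {
    printf '%s\n' \
        '# Interface wan' \
        'nameserver 203.0.113.1' \
        'nameserver 8.8.8.8' \
        '# Interface wgclient' \
        'nameserver 10.2.0.1'
}

# Constructed sample of the same file after peerdns=0 on wan/wan6.
sample_after() {
    printf '%s\n' \
        '# Interface wgclient' \
        'nameserver 10.2.0.1'
}

# Print "iface nameserver" pairs from a resolv.conf.auto-style file ($1).
# netifd precedes each interface's nameserver lines with "# Interface <name>".
parse_resolv_auto() {
    awk '
        /^# Interface / { iface = $3; next }
        /^nameserver /  { print iface, $2 }
    ' "$1"
}

# Return 0 if every installed nameserver comes from the VPN interface ($2);
# otherwise print the offending "iface nameserver" pairs and return 1.
only_vpn_dns() {
    leaks=$(parse_resolv_auto "$1" | awk -v vpn="$2" '$1 != vpn')
    if [ -n "$leaks" ]; then
        echo "$leaks"
        return 1
    fi
    return 0
}

# Stop netifd from installing DHCP-learned DNS for the upstream interfaces, so
# only the WireGuard-provided server remains. Only does anything where uci exists.
ignore_wan_peer_dns() {
    command -v uci >/dev/null 2>&1 || { echo "uci not found; run on the router" >&2; return 2; }
    uci set network.wan.peerdns='0'
    uci set network.wan6.peerdns='0'
    uci commit network
    /etc/init.d/network reload
}

# Offline demonstration on the constructed sample. On the router, run
# only_vpn_dns "$RESOLV_AUTO" wgclient against the live file instead.
demo_file=$(mktemp)
sample_before >"$demo_file"
if only_vpn_dns "$demo_file" wgclient; then
    echo "OK: only wgclient nameservers are installed"
else
    echo "The nameservers listed above did not come from wgclient; set peerdns=0 on wan/wan6"
fi
rm -f "$demo_file"
```

Run the check again after every DNS-related change in the GL UI, since the UI may rewrite the WAN section of `/etc/config/network` when the DNS mode is switched. Note that `peerdns=0` only controls which upstreams the router's own resolver uses; it does nothing about clients that are configured to talk to 8.8.8.8 directly, which is the separate firewall question the Block Non-VPN Traffic option addresses.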