If my Pi is behind a VPN, do the DNS queries to DNS root servers from unbound get routed through the VPN? If not, both my VPN provider and my ISP would know the websites I'd visit, which might arguably be worse than not even running a VPN.
So, do the DNS queries get routed through my VPN?
The scenario is this:
DNS request for google.com to Pi-hole (from localhost or external)
Pi-hole checks blacklist and cache.
Not in there? Ask the DNS provider, in this case unbound.
Unbound asks the DNS root root, gives com root. Unbound asks com root, gives google root. Unbound asks google root, gives IP.
So my question is whether the unbound requests to the DNS roots/google go through the VPN.
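For the question above, an added example that is not part of the thread: unbound's queries to the root, TLD and authoritative servers are ordinary packets sent by the Pi itself, so they follow the Pi's routing table. This script asks the kernel which interface it would use to reach three root-server addresses; the VPN interface name `tun0`, the function names and the sample lines in the comments are assumptions.

```shell
#!/bin/sh
# Added example: would unbound's upstream queries leave through the VPN?
# Assumptions: Linux with iproute2; VPN interface is tun0 (override with VPN_DEV).
VPN_DEV="${VPN_DEV:-tun0}"

# Print the egress interface named in one line of `ip route get` output.
# Constructed sample line: "198.41.0.4 via 10.8.0.1 dev tun0 src 10.8.0.2 uid 1000"
egress_dev() {
    set -- $1                      # split the route line into words
    while [ $# -gt 1 ]; do
        if [ "$1" = "dev" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1                       # no "dev" token, e.g. an error message
}

# "vpn" if the route leaves via $VPN_DEV, "leak:<dev>" if it leaves elsewhere,
# "unknown" if the line could not be parsed.
classify_route() {
    dev=$(egress_dev "$1") || { echo "unknown"; return 0; }
    if [ "$dev" = "$VPN_DEV" ]; then
        echo "vpn"
    else
        echo "leak:$dev"
    fi
}

# Live check, run on the Pi as: sh check.sh --live
# a, f and k root servers. Unbound also contacts TLD and authoritative servers,
# so a "vpn" result here is only meaningful when the VPN carries the default
# route rather than a split tunnel covering a few networks.
if [ "${1:-}" = "--live" ]; then
    for ip in 198.41.0.4 192.5.5.241 193.0.14.129; do
        line=$(ip route get "$ip" 2>&1 | head -n 1)
        printf '%s -> %s\n' "$ip" "$(classify_route "$line")"
    done
fi
```

If `outgoing-interface:` is set in unbound.conf, unbound binds its queries to that address, so check the route for that source as well (`ip route get <ip> from <address>`).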
I'm still fairly new to this game so please be skeptical of my advice, but... I think Viscosity could be the only firework needed.
It seems to manage routing very effectively at a granular level and is pretty straightforward. You can download the configuration of your chosen provider VPN, plug it into Viscosity, then play with the settings, one of which is specifying the DNS for the VPN connection (use VPN's settings, ignore VPN's setting and specify your own...).
I just started playing with this and I've only checked results using dnsleak, but so far the results have shown Viscosity does what it says. Regardless of the merits or reasons for either option, it lets me choose my own DNS server or the VPN's for a given connection.