This is actually trying too hard to prevent DNS leaks, breaking normal expected use of split DNS. Let systemd-resolved handle sending our DNS queries to the right place instead.
It's true that NetworkManager is trying to emulate the behavior of wg-quick here, and wg-quick uses 'resolvconf -x' to attempt to set "exclusive" DNS. But with systemd-resolved this is implemented by a '.' routing domain for the WireGuard interface. That is a really big hammer already, since Domain=. overrides +DefaultRoute, ensuring most DNS queries can only go to other interfaces with Domain=. NetworkManager follows systemd-resolved's recommended convention by only applying Domain=. to other "privacy VPNs" since 1.26.6. Setting DNS priority only prevents domain-specific "leaks", which are almost always desired. For example, it prevents using both the WireGuard VPN and a corporate VPN at the same time.
Note that all of the justification behind !688 applies here as well.
Fixes #585
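As an added illustration (not part of this merge request or of NetworkManager's code), a small Python model of the systemd-resolved routing-domain rule described above: a query goes to the link whose routing domain matches the most labels, and only falls back to DefaultRoute links when nothing matches. The interface names and domains are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Link:
    name: str
    routing_domains: List[str] = field(default_factory=list)  # e.g. ["~.", "~corp.example"]
    default_route: bool = True                               # systemd-resolved DefaultRoute=

def _match_len(name: str, domain: str) -> Optional[int]:
    """Labels matched by a routing domain; '~.' matches every name with 0 labels."""
    dom = domain.lstrip("~").rstrip(".")
    name = name.rstrip(".")
    if dom == "":
        return 0
    if name == dom or name.endswith("." + dom):
        return dom.count(".") + 1
    return None

def route_query(name: str, links: List[Link]) -> List[str]:
    """Return the names of the links a lookup for `name` would be sent to."""
    best, chosen = None, []
    for link in links:
        for dom in link.routing_domains:
            m = _match_len(name, dom)
            if m is None:
                continue
            if best is None or m > best:
                best, chosen = m, [link.name]
            elif m == best and link.name not in chosen:
                chosen.append(link.name)
    if chosen:
        return chosen
    # No routing domain matched: only DefaultRoute=yes links are used.
    return [l.name for l in links if l.default_route]

# Constructed topology: LAN uplink, a "privacy VPN" WireGuard link with Domain=~.,
# and a corporate VPN that owns only its own domain.
LINKS_EXCLUSIVE = [
    Link("eth0"),
    Link("wg0", routing_domains=["~."]),
    Link("corp0", routing_domains=["~corp.example"], default_route=False),
]
# Same topology, but wg0 is just another DefaultRoute link (no Domain=~.).
LINKS_DNS_PRIORITY_ONLY = [Link("eth0"), Link("wg0"),
                           Link("corp0", routing_domains=["~corp.example"], default_route=False)]
```

With Domain=~. on wg0, a plain lookup goes only to wg0 while corp.example names still reach corp0; without it, the plain lookup is offered to every DefaultRoute link, which is the leak the exclusive setting prevents.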