@MNGrrl -
"- DNS lookups are not encrypted -- even if you are using a VPN, they typically are sent in the clear over the 'default' routing rule. Thus, what you're looking for from within the VPN is leaked over clear channel."
This somewhat depends on *what sort* of VPN you're using and how it is configured. This functionality is how some of the 'netflix/hulu' vpn's actually function.
In quite a few cases, the 'open internet vpn' providers *do not* reroute the DNS traffic through the tunnel, but override the default resolver. The queries may still go out over the untunnelled path, but they end up going to some other dns server, the overall affect of this depends on where the pervasive monitoring is being done.
What this *can* do for you is handle local resolver requests, wrapping them in TLS and sending them to one of 4 "privacy servers". What this can do for you if your skillset were sufficient is provide you with a local DNS stub on your local network, wrapping all local queries similarly. On the local wire, your queries would still be readable. But between the stub and the 'privacy server' they would indeed be encrypted.
Once more, this depends on overall configuration of the systems on the network and what one wishes to accomplish.
Great Gaping Hole at the moment is that there are only 4 of these 'privacy' servers. Far far far too easy to compromise that.. even without handling the servers themselves - one could watch both ends of their connections - TLS in -> UDP out to the root servers perhaps? I'm sure that someone could come up with correlative data. In any case, it is a *very* small step forward of sorts. And forward we should be going.
It all depends on how much tinfoil one wishes to wrap around one's hat.
(since we don't have a tinfoil hat icon)