There's NordVPN odd about this, right? Infosec types concerned over strange app traffic

"but why would their client send keep-alive messages outside the VPN"

The three potential VALID reasons I can think of (there may be more):

- they may be recording DNS/HTTPS response metrics for quality control/debug purposes. This may or may not have reached production quality code.

- it may be used to determine network reachability, i.e. reliably determining if you have connectivity to DNS inside the tunnel/outside the tunnel and if failing over to another NordVPN server site is required. If this is the case, it's not well thought through - they should own the DNS zone, not just make one up...

- it may be used to determine if you are using NordVPN DNS servers or another provider's, to identify if you are potentially leaking browsing details via DNS outside of NordVPN

The less valid reason is that it was a test feature that was accidentally deployed to production without full awareness from operational staff. This would also explain the apparent confusion.

