DNS is name resolution. The internet doesn’t know what Google.com is. It only knows IP addresses. So when you go to a site the request has to go to a resolver to figure out what the IP address is and then direct you to it. When half of the internet breaks because cloudflare is down, that’s DNS. DNS doesn’t reveal content but it does reveal intent. Where are you going? Gmail? Porn Hub? When you connect to WiFi a lot of things happen in the background in order. Gets network settings. System processes and apps immediately start resolving domains. Finally your VPN app finish starting and take over routing. If DNS is not explicitly forced into the VPN, those early lookups go to whatever DNS the WiFi handed out. Hotel. Airport. That is the leak.

DNS over HTTP only if have right software / browser