Comment by OJFord 2 days ago

4 replies

I was confused at the Little Snitch mention, and then reading further it just seems like an LS bug, that it only works in certain cases.

Well, seems this is the LS blog, so only confusion is why this is portrayed as a macOS bug? I'm not saying it's wrong, it's their domain not mine after all, it just doesn't seem to be justified in TFA?

kccqzy 2 days ago

If the OS allows the registration of a DNS proxy, and some calls bypass the proxy, it's squarely an OS bug.

  • jesprenj 2 days ago

    Doesn't getaddrinfo respect /etc/resolv.conf? So Little Snitch should install itself there if it wants to be used by getaddrinfo.

    Besides, apps can always make direct lookups to a resolver of their choice, bypassing any resolver hints of the operating system.

    • kccqzy 2 days ago

      The /etc/resolv.conf system is woefully inadequate. It doesn't have a concept of per-interface customization so you can't customize according to the currently active network interface. It doesn't distinguish between DNS configuration delivered by the network administrator (which can and should be changed remotely) versus set by the computer administrator. It doesn't work very well with VPNs where a specific DNS server is used for resolving addresses on that VPN.
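
An added example, not part of the thread or any commenter's code: a defender-side check for the case raised above, where an app sends lookups straight to a resolver of its own choice. It compares flow records against the `nameserver` entries of a resolv.conf-style file; the record layout `(process, destination, port)`, the function names and all sample data are assumptions constructed for illustration.

```python
import ipaddress

# Ports that identify DNS traffic by number alone. DNS-over-HTTPS shares
# port 443 with ordinary web traffic, so a port check cannot see it.
DNS_PORTS = {53: "dns", 853: "dns-over-tls"}

def parse_nameservers(resolv_conf_text):
    """Return the set of resolver addresses on `nameserver` lines."""
    servers = set()
    for line in resolv_conf_text.splitlines():
        # Drop '#' and ';' comments, then split into keyword and value.
        parts = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                # Strip an IPv6 scope id such as "%en0" before parsing.
                servers.add(ipaddress.ip_address(parts[1].split("%", 1)[0]))
            except ValueError:
                continue  # malformed address: ignore the entry
    return servers

def find_resolver_bypass(flows, configured):
    """Return DNS-port flows whose destination is not a configured resolver."""
    hits = []
    for proc, dst, port in flows:
        if port in DNS_PORTS and ipaddress.ip_address(dst) not in configured:
            hits.append((proc, dst, DNS_PORTS[port]))
    return hits

# Constructed sample input (documentation address ranges, hypothetical names).
SAMPLE_RESOLV_CONF = """\
# constructed example
search corp.example
nameserver 192.0.2.53
nameserver 2001:db8::53
"""
SAMPLE_FLOWS = [
    ("browser", "192.0.2.53", 53),    # uses the configured resolver
    ("updater", "198.51.100.7", 53),  # plain DNS to another resolver
    ("agent", "203.0.113.9", 853),    # DNS-over-TLS to another resolver
    ("browser", "203.0.113.9", 443),  # HTTPS: not classifiable by port
    ("mailer", "2001:db8::53", 53),   # configured IPv6 resolver
]

if __name__ == "__main__":
    configured = parse_nameservers(SAMPLE_RESOLV_CONF)
    for hit in find_resolver_bypass(SAMPLE_FLOWS, configured):
        print(hit)
```

A single resolv.conf-style list is the simplification here: as the last comment notes, it carries no per-interface or per-VPN resolver configuration, so a real baseline would need those resolvers added to the configured set.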