I'd stay off Cisco if i could ** cough **
OpenDNS mostly works at the domain level but I dont see how it is able to figure out someone is bypassing it.
this is strange .... perhaps it is because the Ubuntu OS is not running its own dnscrypt client ?
also, the router should not be hindering CS VPN pre-connects ... as these dnscrypt traffic are obfustcated udp/tcp packets ..,, and that point away from OpenDNS resolver addresses.
Is it possible that the ISP is also employing OpenDNS at the enterprise/edge ?
Such that it is deployed to all its customers' CPE or transparent proxying of all DNS queries is being performed by them ?
I have experienced certain IP ranges on my network that have a mysterious OpenDNS ''administrator'' configuring it for kid-safe usage.
On most occasions the culprit was my ISP ; other times it was another OpenDNS user.
Having to use a previous IP still-stuck-with-these-prior OpenDNS ''administrative'' policies. xD Kinda understand how frustrating it can get when another OpenDNS user has forgotten to ensure that his network's IP changes reflected back to OpenDNS (for the same policies to apply to the newer IPs ).
Btw OpenDNS would not suffice unless your other family members' smart-devices are rooted and configured to strictly resolve via OpenDNS.
non-rooted/non-custom Androids by default fallback on GoogleDNS.