I was using Nmap through a VPN and so I expected that all traffic would flow through the VPN.
I was using Wireshark to monitor ppp0 (the connection between my VPN IP address and the remote host).
I was using - among other commands - nmap -sL which very quickly resolves IPs into hostnames for remote hosts (should, of course, the remote hosts have been named).
My /etc/resolv.conf file showed my VPN's two DNS servers, then my ISPs three DNS servers.
The command (for example) nmap -sL 18.104.22.168-22.214.171.124 would mean that thousands of scans are done very quickly.
ppp0 showed that the nmap was using all five DNS servers. This was not necessarily leakage as such because it was my VPN IP which was calling my ISP's DNSes (rather than my 'real' IP calling them) but, even so, this was not behavior I expected.
There are two solutions. First, specifically with nmap, use its --dns-servers command to allocate specific DNS servers.
The other more general option is to comment out all non-VPN DNS servers in /etc/resolv.conf. I assume that nmap (and, for that matter, any other program) can call from that file to select their DNSes.
Any comments or questions would be appreciated.