From a technical standpoint, there seems to be absolutely no reason to put cruft like this in systemd. If the network isn't configured (or configured correctly), there's no point in making sure DNS "always works". It has more potential to leak information at the wrong moment than to fix anything the user/administrator did wrong.
Seriously, what the hell? This is one of the most blatant instances of lazy crosscutting leakage, but the general trend is why I've moved net horizon isolation more towards full vms rather than relying on local firewall rules.
Probably the best way to get this "fixed" is to propose that resolved fall back to being a full recursive resolver. Poettering won't be able to resist adding more scope.
if it is systemd-resolvd, then privacy oriented solution would be to not use google, cloudflare or even the non profits. It would be to just have list of 13 DNS root servers and do recursive name resolutions (i.e. what caching resolvers were meant to do).
But the absolute correct behavior would be a hard failure, because if you have IP properly assigned and routing setup but no DNS, then you either purposefully set it up that way and don't want DNS to work, or you have misconfigured network setup which you should be aware about it, without having to troubleshoot why some machines don't have working Internet while others seem perfectly fine.
