Manually provided DNS server addresses are higher priority than DHCP's

With the recent revelation of DNS server security issues, many have expressed a desire to use DNS servers they know to be secure rather than the servers specified by their routers via DHCP, which often are those of a particular ISP.

When you manually enter a DNS server address in Mac OS X Leopard's Network preference pane, the manually entered address(es) appear below any DHCP-provided addresses (which are shown in grey as they are unchangeable), leading one to assume that DHCP-provided addresses always have priority over any a user may specify.

However, a check of the /etc/resolv.conf file generated by Mac OS X shows that in fact user-provided DNS addresses will supercede any provided by DHCP.

As an example, if your router promotes itself as a DHCP server, its IP address, say "192.168.0.253," will appear, greyed out, in the Network->Advanced->DNS preferences pane.

If you then add, say, OpenDNS' addresses of "208.67.222.222" and "208.67.220.220," the preferences window will show:

192.168.0.253 (greyed out)
208.67.222.222
208.67.220.220

But the generated /etc/resolv.conf will show the order Mac OS X will actually reference the servers is:

nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 192.168.0.253

While this is non-intuitive, given how the addresses are displayed in the preference pane, it is exactly the way a user would hope things would work - allowing one to specify DNS servers to be used in lieu of any a router provides, especially handy if the router propagates the address of a DNS server that is having issues, that is untrusted or is simply overloaded or offline.