Of late, Ubuntu has a distasteful habit of running a sorry local DNS proxy (dnsmasq) rather than talking the nameserver it gets via dhcp directly. If they were going to run a local nameserver there are many better choices (<a href=https://unbound.net>unbound</a> comes immediately to mind) than dnsmasq, which is really intended to be a swiss army knife for pxe, tftp, ra, and dhcp server (doing none of these notably well) in the same sort of environment where one might run <a href=http://www.busybox.net>busybox</a> or <a href=http://www.landley.net/toybox/>toybox</a> (for those who like a non-viral license).
Anyway, back to Ubuntu and dnsmasq. You can fix this behavior by commenting out “dns=dnsmasq” in /etc/NetworkManager/NetworkManager.conf - after that you can either reboot or “sudo restart network-manager” depending on how lucky you feel.
It appears that the reboot will also make dnsmasq not get started, a rare instance of the end user being surprised by the right thing happening automatically.
Update 20150307: Jared tells me “you’re forgetting that dnsmasq will strip edns stuff including dnssec too”. I had been thinking that dnsmasq did dnssec now, but clearly I’m confusing it with some other poorly implemented DNS MITM (can’t say recurser because, well, dnsmasq doesn’t recurse, ha!)