-# prevent dns leaks, openvpn runs as root, allow root to
-# make non-vpn dns calls, but not transmission which does not run as root.
-# openvpn needs this in order to lookup the ip of the vpn server
-# before it's connected to it. We could hardcode the vpn ips in the
-# config, but our vpn service provider gave us dns, so the ip might change.
--A OUTPUT -p udp -m udp --dport 53 -m owner --uid-owner root -j ACCEPT
+# prevent dns leaks. note: if we needed openvpn to do initial dns, we could
+# add -m owner --uid-owner root to the output rules, but we just connect to
+# ip addresses.
+-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
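Review bot: The added rule `-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT` drops the `-m owner --uid-owner root` match without putting any other restriction in its place, so as written it accepts outbound UDP 53 from every user on any interface, including transmission, which the removed comment said must not make non-VPN DNS calls. Since the new comment says openvpn now connects to IP addresses and needs no initial DNS lookup, either remove this ACCEPT or limit it to the VPN interface with an `-o` match (the interface name is not shown in this hunk), unless a rule outside this hunk already constrains it. The "prevent dns leaks" comment should also say which rule actually blocks non-VPN DNS, and note that only UDP port 53 is addressed here, not TCP.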