I've set up an OpenVPN gateway that provides access to a large cloud of IoT devices. Each device has a unique certificate, and upon connection, I grab the "common name" from the cert to make a local DNS name, and publish that via dnsmasq. And for a while, it looks great.
default via 10.6.64.1 dev ens5 proto dhcp src 10.6.64.15 metric 100
10.6.0.0/18 dev tun0 proto kernel scope link src 10.6.0.1
10.6.64.0/24 dev ens5 proto kernel scope link src 10.6.64.15 metric 100
10.6.64.1 dev ens5 proto dhcp scope link src 10.6.64.15 metric 100
(10.6.0.0/18 and 10.6.64.0/24 do not overlap, though they look like they might. I wanted to change these but, sigh, "reasons". Anyway...)
But then, some time later, an IP route is created that specifically sends the VPN client IP to the default eth.
default via 10.6.64.1 dev ens5 proto dhcp src 10.6.64.15 metric 100
10.6.0.0/18 dev tun0 proto kernel scope link src 10.6.0.1
10.6.0.2 via 10.6.64.1 dev ens5 proto dhcp src 10.6.64.15 metric 100
10.6.64.0/24 dev ens5 proto kernel scope link src 10.6.64.15 metric 100
10.6.64.1 dev ens5 proto dhcp scope link src 10.6.64.15 metric 100
"proto dhcp" leads me to believe that dhclient did this. If I remove the connected VPN client's name from DNS, this doesn't happen. My conclusion is that dhclient is surfing my DNS provider (dnsmasq), finding these names, and routing their IPs to ens5 because they wouldn't otherwise get to the default gateway.
How can I prevent this? Thanks for any help.
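A check worth having while chasing this kind of problem, added here as an example and not part of the original post: a small Python script that parses the text form of `ip route show`, finds the prefix attached to the VPN interface (assumed to be tun0, as in the listings above), and reports any more-specific route inside that prefix that exits via a different device. Longest-prefix match means such a route always wins over the tun0 prefix route, so every route it reports is one that diverts a VPN client's traffic. The two listings from the post are embedded as constructed sample input; the function and variable names are my own.

```python
"""Audit `ip route show` output for routes that divert VPN client addresses.

Added example, not part of the original post. The VPN interface name and the
sample route tables are taken from the post; everything else is an assumption.
"""
import ipaddress
import subprocess

VPN_DEV = "tun0"  # assumption: the OpenVPN interface from the post

# Constructed sample: the first listing from the post (nothing wrong yet).
ROUTES_BEFORE = """\
default via 10.6.64.1 dev ens5 proto dhcp src 10.6.64.15 metric 100
10.6.0.0/18 dev tun0 proto kernel scope link src 10.6.0.1
10.6.64.0/24 dev ens5 proto kernel scope link src 10.6.64.15 metric 100
10.6.64.1 dev ens5 proto dhcp scope link src 10.6.64.15 metric 100
"""

# Constructed sample: the second listing, where 10.6.0.2 has acquired a
# host route via the ens5 gateway.
ROUTES_AFTER = """\
default via 10.6.64.1 dev ens5 proto dhcp src 10.6.64.15 metric 100
10.6.0.0/18 dev tun0 proto kernel scope link src 10.6.0.1
10.6.0.2 via 10.6.64.1 dev ens5 proto dhcp src 10.6.64.15 metric 100
10.6.64.0/24 dev ens5 proto kernel scope link src 10.6.64.15 metric 100
10.6.64.1 dev ens5 proto dhcp scope link src 10.6.64.15 metric 100
"""


def parse_routes(text):
    """Turn `ip route show` lines into dicts with dst, dev, proto and via.

    A bare address such as "10.6.0.2" is a /32 host route; "default" is
    0.0.0.0/0. Lines whose destination cannot be parsed are skipped.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = fields[0]
        # Routes like "unreachable 10.0.0.0/8" carry the type first.
        if dst in ("unreachable", "blackhole", "prohibit", "throw") and len(fields) > 1:
            dst = fields[1]
        if dst == "default":
            dst = "0.0.0.0/0"
        try:
            net = ipaddress.ip_network(dst, strict=False)
        except ValueError:
            continue
        route = {"dst": net, "dev": None, "proto": None, "via": None}
        for key in ("dev", "proto", "via"):
            if key in fields and fields.index(key) + 1 < len(fields):
                route[key] = fields[fields.index(key) + 1]
        routes.append(route)
    return routes


def find_diverted_routes(routes, vpn_dev=VPN_DEV):
    """Return routes that sit inside a VPN prefix but leave via another device.

    Such a route is more specific than the VPN prefix route, so the kernel
    prefers it and the client's traffic never reaches the tunnel.
    """
    vpn_prefixes = [r["dst"] for r in routes if r["dev"] == vpn_dev]
    diverted = []
    for r in routes:
        if r["dev"] == vpn_dev:
            continue
        for prefix in vpn_prefixes:
            if (r["dst"].version == prefix.version
                    and r["dst"].prefixlen > prefix.prefixlen
                    and r["dst"].subnet_of(prefix)):
                diverted.append(r)
                break
    return diverted


def describe(route):
    """One-line report: where the route points and who installed it (proto)."""
    return (f"{route['dst']} leaves via dev {route['dev']} "
            f"(gateway {route['via']}, proto {route['proto']})")


def live_routes():
    """Read the main routing table from the running system."""
    out = subprocess.run(["ip", "route", "show"], capture_output=True,
                         text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    for route in find_diverted_routes(parse_routes(live_routes())):
        print(describe(route))
```

Run as a script it reads the live table with `ip route show` and prints one line per diverted address; the `proto` field it reports is the same attribution the kernel shows in the listing ("dhcp", "kernel", "static"), so it tells you which class of program installed the route without guessing further. To confirm what the kernel actually picks for one client, `ip route get 10.6.0.2` shows the single route selected for that destination.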