I understand the focus on the VPN and other factors in trying to understand the mysterious changes to DNS settings. I haven’t waded through this thread in any detail, and may be off base as a result, but felt it might be useful to point out that altering DNS settings is a common behavior of certain malware. It would be interesting to know what the “fixed ip” address is that is cropping up for DNS. You may very well be getting hijacked. Combine this with the various CA’s failures in maintaining a secure certificate system, and you could have a very scary scenario involving DNS redirection, legitimate appearing (to you and your browser) rouge certificates and very nasty MITM attacks. More likely though are the usual fare of botnet recruitment, ad insertion, and general messing with your system.
Just thought I’d give you something to keep you up at night ; ) Good Luck !