block outside dns, fix dns leak ubuntu 18.04
Solution 1
If you have a DNS leak, as indicated by checking on browserleaks.com or dnsleaktest.com:
Shut off your VPN connection.
Attempt to undo any .conf file edits you've already wasted time making. If you've been trying a lot of various suggestions, your best chance might be to do a fresh install and ensure you've also installed network-manager-openvpn-gnome, as Ubuntu does not provide VPN config importing by default.
- Install dnsmasq:
sudo apt update
sudo apt install dnsmasq
- Disable resolved:
sudo systemctl disable systemd-resolved.service
sudo systemctl stop systemd-resolved.service
- Remove /etc/resolv.conf and create a new one:
sudo rm /etc/resolv.conf
sudo nano /etc/resolv.conf
- Enter into your empty .conf file:
nameserver 127.0.0.1
That's all! Press Ctrl+x to exit the editor. Enter y to save and then press Enter to overwrite your new resolv.conf file.
- Edit your NetworkManager.conf file:
sudo nano /etc/NetworkManager/NetworkManager.conf
and add the following line:
dns=dnsmasq
beneath the lines [main] and plugins=ifupdown, keyfile (navigate using the arrow keys), exactly like this with the new line added:
[main]
plugins=ifupdown, keyfile
dns=dnsmasq
Press Ctrl+x to exit the editor. Enter y to save and then press Enter to overwrite the file.
Back out of the terminal, reboot the system, and check your DNS leak test site for results.
With thanks to Anonymous VPN, whose solutions for leaks on Ubuntu/NetworkManager seem well researched and successful. THEY WORK, and when no other solutions worked for me, these did. The solution shown above works for Ubuntu 17.x and 18.04 LTS. See his other solution for 16.04 LTS.
Solution 2
I suggest using dnscrypt.
First install it:
sudo apt install dnscrypt-proxy
By default it listens on 127.0.2.1 port 53.
Edit your VPN or any other connection you like and set 127.0.2.1 as its DNS server; using the CLI you can run:
nmcli connection modify [CONNECTION-NAME] ipv4.dns 127.0.2.1
And, just in case, block outgoing DNS requests:
sudo ufw deny out 53
And make sure the firewall is enabled:
sudo ufw enable
Solution 3
I had been struggling with this exact issue for 2 days before finding the solution that worked for me here: https://unix.stackexchange.com/a/470940
TL;DR
$ cd /etc/NetworkManager/system-connections
This is where connections created with the Network Manager are stored.
$ sudo nmcli connection modify <vpn-connection-name> ipv4.dns-priority -42
Simple command to modify the connection config file. It could be done manually as well, but this way is easier, I believe.
$ sudo service network-manager restart
Make the changes apply to your system.
Basically copy pasted from the link above, credit to original author.
If your system doesn't know nmcli, or adding connections using the Network Manager GUI throws an error, I recommend this link
Now for what's less of an explanation and more of a comment (rather clueless myself).
I tried many of the solutions, including resolv.conf, dnsmasq and dnscrypt, all of which led to my internet being blocked either entirely or when the VPN connection was turned off. None of them solved the DNS leak, according to dnsleaktest.com.
If any of these are attempted, each step along the way should be tracked so as to be able to reverse them in case of an undesired outcome. It took me no short amount of time to fix my broken internet time and time again without, guess what, internet. I am not claiming that these solutions do not work, period; I very possibly made some mistake somewhere.
The solution I linked to, however, has the imho huge advantage that it does not mess with general network settings, but just with the one connection you're modifying.
Next, block-outside-dns, as mentioned here before, is a Windows-only solution and threw some sort of "not recognized option" error on my Ubuntu system.
Using ovpn CLI commands did not solve the leak for me either.
The link I provided mentions an explanation (here) about some version inconsistencies that are fixed in Ubuntu 18.10; maybe someone with more expertise on this topic cares to explain further. If that's true, LTS users will have to wait for April next year afaik.
Lastly, I want to point out that for residents of countries with internet censorship, a DNS leak poses a heavy issue, because allowing the local ISP access to your traffic can and will lead to censored domains being blocked despite being connected to a VPN. So for future visits to China etc., this is something you want to take care of beforehand.
Hope this helps.
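An added example, not code from any of the answers above and not NetworkManager's own code, that checks offline what Solutions 1 to 3 each change: which resolvers /etc/resolv.conf actually lists while the VPN is up, and whether the VPN's keyfile under /etc/NetworkManager/system-connections carries the dns-priority key from Solution 3 (and the ignore-auto-dns key suggested in the comments) that keeps the LAN resolvers out. It is POSIX shell with constructed sample inputs embedded, so it runs without a VPN; the VPN resolver 10.8.0.1, the LAN router 192.168.1.1 and the connection name myvpn are assumptions. Unlike the fixes themselves, this only reads, so there is nothing to reverse.

```shell
#!/bin/sh
# Added example (not from the answers above or from NetworkManager): offline
# audit of the two files that decide where an Ubuntu 18.04 box sends DNS
# queries while a VPN is up:
#   1. /etc/resolv.conf: which resolvers are in use right now
#   2. the VPN's keyfile under /etc/NetworkManager/system-connections:
#      whether dns-priority / ignore-auto-dns keep the LAN resolvers out
# Every input below is a constructed sample; 10.8.0.1 (VPN resolver),
# 192.168.1.1 (LAN router) and the connection name "myvpn" are assumptions.

# Print every "nameserver" in a resolv.conf body that is neither a loopback
# stub (127.0.0.0/8 or ::1) nor one of the resolvers the VPN pushed. Whatever
# is printed is a resolver the ISP/LAN can see: the leak dnsleaktest.com shows.
# Caveat: a loopback stub (systemd-resolved 127.0.0.53, NetworkManager's
# dnsmasq 127.0.1.1, dnscrypt-proxy 127.0.2.1) hides its upstreams from this
# check; inspect the stub's own configuration for those.
# $1 = resolv.conf contents, $2 = space-separated VPN-side DNS servers
leaking_nameservers() {
    vpn_dns=" $2 "
    printf '%s\n' "$1" | while read -r key value rest; do
        [ "$key" = "nameserver" ] || continue
        case "$value" in
            127.*|::1) continue ;;      # local stub, not a leak by itself
        esac
        case "$vpn_dns" in
            *" $value "*) continue ;;   # pushed by the VPN: fine
        esac
        printf '%s\n' "$value"
    done
}

# Print the value of KEY inside [SECTION] of a NetworkManager keyfile body
# (the INI-style files under /etc/NetworkManager/system-connections).
# Prints nothing when the key is absent.
# $1 = keyfile contents, $2 = section name (without brackets), $3 = key
keyfile_get() {
    printf '%s\n' "$1" | awk -v section="[$2]" -v key="$3" '
        /^\[/ { in_section = ($0 == section) }
        in_section && index($0, key "=") == 1 { sub(/^[^=]*=/, ""); print; exit }'
}

# Effective [ipv4] dns-priority; NetworkManager treats a missing key as 0
# ("use the global default"). Only a negative value, such as the -42 in
# Solution 3, excludes the resolvers of every other active connection.
ipv4_dns_priority() {
    prio=$(keyfile_get "$1" ipv4 dns-priority)
    printf '%s\n' "${prio:-0}"
}

# One-word verdict for a connection keyfile: VPN-ONLY when its resolvers
# exclude the LAN's, SHARED when the LAN resolvers stay in the pool.
dns_priority_verdict() {
    case "$(ipv4_dns_priority "$1")" in
        -*) echo VPN-ONLY ;;
        *)  echo SHARED ;;
    esac
}

# --- constructed samples ---------------------------------------------------
SAMPLE_VPN_DNS='10.8.0.1'   # assumed resolver pushed by the VPN server

# What a leaking 18.04 machine typically shows: NetworkManager's stub plus the
# LAN router still listed next to the VPN resolver.
SAMPLE_RESOLV_LEAKING='# Generated by NetworkManager
search lan
nameserver 127.0.1.1
nameserver 192.168.1.1
nameserver 10.8.0.1'

# After Solution 2: only the dnscrypt-proxy stub remains.
SAMPLE_RESOLV_STUB_ONLY='nameserver 127.0.2.1'

# VPN connection as NetworkManager writes it by default (no dns-priority key).
SAMPLE_KEYFILE_DEFAULT='[connection]
id=myvpn
type=vpn

[ipv4]
method=auto'

# Same connection after Solution 3 and the ignore-auto-dns suggestion from the
# comments were applied with nmcli.
SAMPLE_KEYFILE_FIXED='[connection]
id=myvpn
type=vpn

[ipv4]
method=auto
ignore-auto-dns=true
dns-priority=-42'

# --- stand-alone run -------------------------------------------------------
printf 'resolvers visible outside the VPN: %s\n' \
    "$(leaking_nameservers "$SAMPLE_RESOLV_LEAKING" "$SAMPLE_VPN_DNS")"
printf 'VPN keyfile before fix: %s (dns-priority=%s)\n' \
    "$(dns_priority_verdict "$SAMPLE_KEYFILE_DEFAULT")" "$(ipv4_dns_priority "$SAMPLE_KEYFILE_DEFAULT")"
printf 'VPN keyfile after fix:  %s (dns-priority=%s)\n' \
    "$(dns_priority_verdict "$SAMPLE_KEYFILE_FIXED")" "$(ipv4_dns_priority "$SAMPLE_KEYFILE_FIXED")"
```

To run it against a live machine, pass the real file bodies instead of the samples (the keyfiles are root-readable only, so read them with sudo). Remember the caveat in the comments: with Solutions 1 and 2, resolv.conf names only a loopback stub, so this audit cannot see the stub's upstreams; there you have to check the stub's own server list (for NetworkManager's dnsmasq, `nmcli device show` lists the IP4.DNS entries each connection contributes).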
Updated on September 18, 2022
Comments
-
Pobe over 1 year
Using the DNS leak test while under my VPN I discovered that it was leaking. I've set up my VPN via NetworkManager and it works properly except for the leak.
First, I've tried to add block-outside-vpn to the configuration file, except that under /etc/NetworkManager/system-connections it does not follow the same format. I couldn't find the doc on how to properly write one for DNS leaks. Also, using Ubuntu 18.04, resolv.conf does not work like before, and all the other answers are based on that.
Briefly, how do I block outside DNS (leak) using NetworkManager configuration files or the GUI?
-
Admin over 5 years
block-outside-vpn typically is only a Windows OpenVPN connection option. Fixing the DNS "leakage" would be to use a specific DNS server that exists only on the other side of the VPN. What were the DNS Leak Test results you saw? (They're relevant.)
-
Pobe over 5 years
My DNS is still leaking as per the DNS leak test. It's also important to mention that disabling the VPN while ufw is enabled would render the internet unavailable (blocked port 53).
-
Pobe over 5 years
What would be the line in config.ovpn that would block the leak? Do you have an example of that? (The solution above did not work for me.)
-
Ravexina over 5 years
Run this command:
nmcli connection modify [CONNECTION-NAME] ipv4.ignore-auto-dns yes
and see if it helps.
-
GoodGuyNick over 5 years
I've tested this solution on a VM and all worked. Then I tried it on a main machine and saw DNS from the VPN and a DNS leak. On a VM, nameserver changed from 127.0.2.1 to 192.168.122.1, and when I connect to the VPN, in resolv.conf I see two nameserver lines, one with 192.168.122.1 and the other with the VPN's DNS, but on a main machine I always see two lines: search lan and nameserver 127.0.1.1.
-
Admin over 5 years
Or you could just edit your connection in a GUI and get the same result: open the edit window for your connection => IPv4/IPv6 Settings, change "Method" to "Automatic, addresses only" and add your "DNS servers".
-
Admin almost 5 years
@GoodGuyNick's method via the GUI did not work for me. I have googled this problem all day, and only the "prepend domain-name-servers" trick has worked. Hallelujah for this answer. Everything else I tried (including the GUI for DNS servers) was getting overwritten and not surviving reboot.
-
Mehdi almost 5 years
How can I do this without NetworkManager? Just put the DNS in /etc/network/interfaces?
-
Admin almost 3 years
No reboot needed, but run systemctl restart NetworkManager.service