block outside dns, fix dns leak ubuntu 18.04

17,649

Solution 1

If you have a DNS leak as indicated by checking on browserleaks.com or dnsleaktest.com,

  1. Shut off your VPN connection

  2. Attempt to undo any .conf file edits you've wasted time already making. If you've been trying a lot of various suggestions, your best chance might be to do a fresh install and ensure you've also installed networkmanager-openvpn-gnome, as Ubuntu does not have VPN config importing provided by default.

  3. Install dnsmasq

    sudo apt update
    sudo apt install dnsmasq  
    
  4. Disable resolved

    sudo systemctl disable systemd-resolved.service
    sudo systemctl stop systemd-resolved.service 
    
  5. Remove /etc/resolv.conf and create a new one:

    sudo rm /etc/resolv.conf
    sudo nano /etc/resolv.conf  
    
  6. Enter into your empty .conf file:

    nameserver 127.0.0.1

    That's all!
    
  7. Press Ctrl+x to exit the editor. Enter y to save and then press Enter to overwrite your new resolv.conf file.

  8. Edit your NetworkManager.conf file

    sudo nano /etc/NetworkManager/NetworkManager.conf 
    

    and add the following:

    dns=dnsmasq 
    

    beneath the lines [main] and plugins=ifupdown, keyfile (navigate using the arrow keys), exactly like this with the new line added:

    [main]
    plugins=ifupdown, keyfile
    dns=dnsmasq
    

    Press Ctrl+x to exit the editor. Enter y to save and then press Enter to overwrite the file.

  9. Back out of the terminal, and reboot the system and check your dnsleak test site for results.

With thanks to Anonymous VPN whose solutions for Leaks on Ubuntu/Network Manager seem well researched and successful. THEY WORK and when no other solutions worked for me, these did. The above shown solution works for Ubuntu 17.x and 18.04 LTS. See his other solution for 16.04 LTS.
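As an added check (example code, not part of any of the answers above): a small POSIX shell audit of the two files Solution 1 edits. It only requires every nameserver to be a loopback address, so it also accepts the 127.0.2.1 dnscrypt listener from Solution 2. File paths are parameters; the sample files at the bottom are constructed for the self-check and are not real system state.

```sh
#!/bin/sh
# Added example: audit the resolver config that the steps above leave behind.
# Run against the real files with:  resolv_is_local /etc/resolv.conf
# and  nm_uses_dnsmasq /etc/NetworkManager/NetworkManager.conf

# resolv_is_local FILE
# Succeeds only if FILE has at least one "nameserver" line and every one of
# them points at loopback (127.x.x.x): queries then go to the local dnsmasq or
# dnscrypt proxy, never straight to the ISP resolver handed out by DHCP.
resolv_is_local() {
    awk '
        /^[ \t]*nameserver[ \t]+/ {
            n++
            if ($2 !~ /^127\./) bad++
        }
        END { exit (n == 0 || bad > 0) ? 1 : 0 }
    ' "$1"
}

# nm_uses_dnsmasq FILE
# Succeeds if dns=dnsmasq sits inside the [main] section of NetworkManager.conf
# (the key only takes effect in [main], so the section is tracked explicitly).
nm_uses_dnsmasq() {
    awk '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[main\][ \t]*$/) }
        insec && /^[ \t]*dns[ \t]*=[ \t]*dnsmasq[ \t]*$/ { ok = 1 }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# Constructed sample files for a self-check (not real system state).
# 192.0.2.53 is a documentation-range address standing in for an ISP resolver.
tmp=$(mktemp -d)
printf 'nameserver 127.0.0.1\n' > "$tmp/resolv.good"
printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$tmp/resolv.leaky"
printf '[main]\nplugins=ifupdown, keyfile\ndns=dnsmasq\n' > "$tmp/nm.good"
printf '[main]\nplugins=ifupdown, keyfile\n\n[ifupdown]\ndns=dnsmasq\n' > "$tmp/nm.bad"

for f in resolv.good resolv.leaky; do
    if resolv_is_local "$tmp/$f"; then echo "$f: local only"; else echo "$f: LEAK"; fi
done
for f in nm.good nm.bad; do
    if nm_uses_dnsmasq "$tmp/$f"; then echo "$f: dns=dnsmasq in [main]"; else echo "$f: missing"; fi
done
```

A nameserver line that is not loopback means NetworkManager is still writing the DHCP-supplied resolver into resolv.conf, which is exactly the state the leak tests report.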

Solution 2

I suggest using dnscrypt.

First install it:

sudo apt install dnscrypt-proxy

By default it listens on 127.0.2.1 port 53.

Edit your VPN or any other connection you like and set 127.0.2.1 as its DNS server. Using the CLI you can run:

nmcli connection modify [CONNECTION-NAME] ipv4.dns 127.0.2.1

And, just in case, block the outgoing DNS requests:

sudo ufw deny out 53

And make sure the firewall is enabled:

sudo ufw enable

Solution 3

I've been struggling with this exact issue for 2 days before finding the solution that worked for me here: https://unix.stackexchange.com/a/470940

TL;DR

$ cd /etc/NetworkManager/system-connections

This is where connections created with the Network Manager are stored.

$ sudo nmcli connection modify <vpn-connection-name> ipv4.dns-priority -42

Simple command to modify the connection config file. Could be done manually as well but this way I believe is easier.

$ sudo service network-manager restart

Make the changes apply to your system.

Basically copy pasted from the link above, credit to original author.

If your system doesn't know nmcli, or adding connections using the Network Manager GUI throws an error, I recommend this link

Now for what's less of an explanation and more of a comment (rather clueless myself).

I tried many of the solutions including resolv.conf, dnsmasq and dnscrypt, all of which led to my internet being blocked either entirely or when the VPN connection was turned off. None of them solved the DNS leak, according to dnsleaktest.com. If any of these are attempted, each step along the way should be tracked so as to be able to reverse them in case of an undesired outcome. It took me no short amount of time to fix my broken internet time and time again without, guess what, internet. I am not claiming that these solutions do not work, period; I very possibly made some mistake somewhere.
The solution I linked to however has the imho huge advantage that it does not mess with general network settings, but just with the one connection you're modifying.

Next, block-outside-dns, as mentioned here before, is a Windows-only solution and threw some sort of "not recognized option" error on my Ubuntu system.

Using ovpn cli commands did not solve the leak either for me.

The link I provided mentions an explanation (here) about some version inconsistencies that are fixed in Ubuntu 18.10; maybe someone with more expertise on this topic cares to explain further. If that's true, LTS users will have to wait for April next year afaik.

Lastly I want to point out that for residents of countries with internet censorship, a DNS leak poses a heavy issue because allowing the local ISP access to your traffic can and will lead to censored domains being blocked despite being connected to a VPN. So for future visits to China etc., this is something you want to take care of beforehand.

Hope this helps.


Author by Pobe


Updated on September 18, 2022

Comments

  • Pobe, over 1 year

    Using DNS leak test while under my VPN I discovered that it was leaking. I've set up my VPN via NetworkManager and it works properly except for the leak.

    First, I've tried to add block-outside-vpn to the configuration file, except that under /etc/NetworkManager/system-connections it does not follow the same format. I couldn't find the doc on how to properly write one for DNS leaks.

    Also, using Ubuntu 18.04, resolv.conf does not work like before; all the other answers are based on that.

    Briefly, how to block outside DNS (leak) using Network Manager configuration files or the GUI?

    • Admin, over 5 years
      block-outside-vpn typically is only a Windows OpenVPN connection option. Fixing the DNS "leakage" would be to use a specific DNS server that exists only on the other side of the VPN. What were the DNS Leak Test results you saw? (they're relevant)
  • Pobe, over 5 years
    My DNS is still leaking as per DNS leak test. It's also important to mention that disabling the VPN while ufw is enabled would render the internet unavailable (blocked port 53).
  • Pobe, over 5 years
    What would be the line in config.ovpn that would block the leak? Do you have an example of that? (The solution above did not work for me.)
  • Ravexina, over 5 years
    Run this command: nmcli connection modify [CONNECTION-NAME] ipv4.ignore-auto-dns yes and see if it helps.
  • GoodGuyNick, over 5 years
    I've tested this solution on a VM and all worked. Then I tried on a main machine and saw DNS from the VPN and a DNS leak. On a VM the nameserver changed from 127.0.2.1 to 192.168.122.1, and when I connect to the VPN in resolv.conf I see two nameserver lines, one with 192.168.122.1 and the other with the VPN's DNS, but on a main machine I always see two lines: search lan, nameserver 127.0.1.1.
  • Admin, over 5 years
    Or you could just edit your connection in a GUI and get the same result: open the edit window for your connection => IPv4/IPv6 Settings, change "Method" to "Automatic, addresses only" and add your "DNS servers".
  • Admin, almost 5 years
    @GoodGuyNick's method via the GUI did not work for me. I have googled this problem all day, and only the "prepend domain-name-servers" trick has worked. Hallelujah for this answer. Everything else I tried (including the GUI for DNS servers) was getting overwritten and not surviving reboot.
  • Mehdi, almost 5 years
    How can I do that without Network Manager? Just put the DNS in /etc/network/interfaces?
  • Admin, almost 3 years
    No reboot needed, but run systemctl restart NetworkManager.service