How to fix DNS leak issue with OpenVPN in Ubuntu

Because connecting to VPN doesn't actually mean your PC is not leaking the DNS info to your ISP.

With ever growing valuable personal data collection by even the biggest tech giants like Google, Facebook, Microsoft, etc., it is imperative to safeguard your internet privacy. ISPs also can record your internet usage details. Thankfully, VPN service costs have come down significantly and so subscribing to a decent service like NordVPN, ExpressVPN, CyberGhost, etc. has become reasonably affordable.

These top VPN companies are rock solid, trustworthy, and provide end-to-end encryption. Your privacy is secured if you choose an excellent VPN service. Unfortunately, there is a bigger hidden problem even when you are using a good service. It’s the DNS leak.

No matter which VPN service you are using, if you are using OpenVPN to connect to your VPN service, chances are that your PC is already revealing your actual IP address due to improper network configuration.

CAUTION: Please don’t rush through the article, and follow the article at your own risk. Read the article in its entirety, and follow the steps carefully. The tutorial worked 100% on our test computer and several users have responded positively. There are also users for whom the guide didn’t work due to varying network settings between the systems. Uninstalling resolvconf completely should solve the problem for them.

What is DNS Leak?

A DNS leak indicates a security flaw that allows DNS requests to be revealed to internet service provider’s DNS servers, notwithstanding the VPN service to attempt to conceal them. In simple terms, it’s as good as not using a VPN service. It is a huge problem and must be addressed immediately if at all one is serious about hiding the identity.

Checking DNS Leak

Some websites offer free DNS leak check. One of the best-sophisticated ones I recommend is linked below:

DNS Leaktest

With the VPN service connected, go to their webpage. You may see that it says Hello IP address with location info. It is basic info which may give you an impression that everything is OK. To make an in-depth test, click on the “Extended Test.”

Checking for DNS Leak
Checking for DNS Leak

Test Results
Test Results

In a few seconds, you should see a report of the test which shows IP, Hostname, ISP, and Country. If you see your internet service provider name in the ISP section along with Hostname having your IP address, then it’s confirmed that your PC is leaking DNS! For example in my test PC (above screenshot) without the DNS fix, it was completely revealing my ISP and location though it is connected to the NordVPN service via OpenVPN.

Fixing DNS Leak in Ubuntu, Linux Mint, and elementary OS

This guide is tested to be working 100% in Ubuntu 18.04 LTS but should work without any issues in Ubuntu 17.04, and derivatives like Linux Mint, and elementary OS too. Start with disconnecting the VPN and continue with Part 1 and Part 2 instructions.

Part 1: Installing dnscrypt-proxy

DNS encrypt Proxy is a powerful networking tool that helps in DNS traffic encryption and authentication. It supports DNS-over-HTTPS (DoH) and DNSCrypt. It can force outgoing connections to use TCP. Additionally, it can block malware and other unwanted content. It is compatible with all DNS services.

Step 1) Launch ‘Terminal’. You can use Ctrl+Alt+T keyboard shortcut in Ubuntu.

Step 2) To make sure you don’t have an outdated version of dnscrypt-proxy, run this command:

sudo apt-get purge dnscrypt-proxy

Step 3) Copy and paste the following commands in the terminal and press enter.

sudo add-apt-repository ppa:shevchuk/dnscrypt-proxy && \
sudo apt update && \
sudo apt install dnscrypt-proxy

Step 4) Restart the services using the commands:

sudo systemctl restart NetworkManager
sudo systemctl restart dnscrypt-proxy

Part 2: Configuring resolv.conf

Step 1) Install resolv.conf by entering the command as follows:

sudo apt install resolvconf
sudo resolvconf -i

Step 2) Next step is to make the Network Manager use the default settings for managing the resolv.conf file by editing the conf file. Proceed to copy and paste the below commands into the Terminal to edit the conf file.

sudo nano /etc/NetworkManager/NetworkManager.conf

Step 3) You will see an editor in the Terminal. Carefully, use the arrow keys to navigate to the first line and then copy & paste the following line below the first line that says [main].

Editing NetworkManager Conf
Editing NetworkManager Conf

dns=default

After editing the file, it should look something like this:

[main]
dns=default

plugins=ifupdown,keyfile

[ifupdown]
managed=false

[device]
wifi.scan-rand-mac-address=no

Step 4) While in the editor, press CTRL X to exit the editor. Enter ‘Y’ to save and then press Enter to overwrite the file.

Step 5) Finally restart the services:

sudo systemctl stop systemd-resolved

sudo systemctl disable systemd-resolved

sudo systemctl restart network-manager

sudo systemctl restart dnscrypt-proxy

Step 6) Close all browsers, connect to your VPN service, and then go DNSleaktest page. If everything went well, you should not see your ISP Name leaked in the new test. For example, my test PC connected to NordVPN server shows QuadraNet ISP which is different from my actual provider (Spectrum).

DNS Leak Test
DNS Leak Test

UPDATE:

Some users have experienced a loss of internet after the change in settings. Try the following to completely remove resolvconf.

OPTION 1: Enter the following command:

sudo apt autoremove resolvconf

OPTION 2:

It looks like the default DNS is getting misconfigured. Thanks to BananaSam (in the comment below) for providing the link.

Proceed as follows:

1. Launch Terminal.

2. Enter the following command and hit enter.

nano gedit /etc/systemd/resolved.conf

3. Replace #DNS with DNS=8.8.8.8

4. Press Ctrl X and then enter Y to save the file.

5. Restart the computer.

That’s it! How did the tutorial work for you? Do let us know your feedback in the comments below.

Kiran Kumar
Hi there! I'm Kiran Kumar, founder of FOSSLinux.com. I'm an avid Linux lover and enjoy hands-on with new promising distros. Currently, I'm using Ubuntu as a daily driver and run several other distros such as Fedora, Solus, Manjaro, Debian, and some new ones on my test PC and virtual machines. I have a day job as an Engineer, and this website is one of my favorite past time activities especially during Winter ;). When I'm not writing for FOSSLinux, I'm seen biking and hiking on scenic trails. Hope you enjoy using this website as much as I do writing for it. Feedback from readers is something that inspires me to do more, and spread Linux love!. If you find a time, drop me an email or feedback from the 'Contact' page. Or simply leave a comment below if you found this article useful. Have a good day!

23 COMMENTS

      • I have the same issue I have an internet connection but the connect icon is outlined in red and unclickable post using this tutorial. I have since tried reverting the changes and uninstalling dnscrypt proxy to no avail.

  1. I have no internet after following these steps exactly. No internet after rebooting, no internet after reversing steps and rebooting again.

  2. Yeah, this has broken my internet too. I wish I read the comments first…

    Please update this article; I think it’s doing more harm than good.

        • Your update doesn’t resolve the issue. the internet goes out for good as soon dnscrypt-proxy is installed and restared. There is no way to even continue with step 2 if things are screwed up in step 1. Your ‘update’ is at the very end of step 2, but it does no good anyways! Your bold claim that this “100% works” and yet clearly doesn’t, is still doing more harm than good

  3. Thanks a lot, I am using OpenVPN to connect to Nord on Linux Mint, and there was DNS leak using that method, (unlike connecting through terminal using Nord’s app). Your article fixed that.

  4. Fixed internet issue, and found another solution using ‘openresolv’.

    Background: I’m using a NordVPN .ovpn file to connect via VPN and I was getting DNS leaks on Ubuntu 18.04. I tried the ‘openresolv’ solution and my DNS/internet died. Also I’m an Ubuntu and vpn noob.

    To fix my DNS/Internet I removed resolvconf: sudo apt install resolvconf

    I then restarted my PC.

    I then installed ‘openresolv’: apt-get install openresolv nscd unbound

    No restart needed fortunately, and I was alreadly VPNed in.

    Resolved, fixed.

    • A tip. Make sure you have downloaded the openresolv file and placed it into an accessible folder, prior making the changes so you have access to it for a clean re-installation should your network connection fail. Then you can go to the folder you saved openresolv within and run sudo apt install resolvconf from a Terminal to restore your network connection without dramas.

  5. My internet got killed even after attempting the ‘fix’ mentioned in the article. It only got fixed after I removed resolvconf using ‘sudo apt autoremove resolvconf’. But the strange thing is there was no more DNS leaking. Oh well, I will take it.

  6. I think Ubuntu 18.04 is different, well for my computer using nordvpn. Resolv-conf didn’t work for me and openresolv didn’t really work that well, leaks were sporadic for some reason, but I found systemd-resolved worked but being a newbie I had some trouble but sharing my fix –>

    Removed resolvconf (apparently it got superseded with systemd-resolved):
    sudo apt autoremove resolvconf

    Installed systemd-resolved:
    sudo apt install openvpn-systemd-resolved

    Made sure the service systemd-resolved was started:
    systemctl enable systemd-resolved.service
    systemctl start systemd-resolved.service

    Installed openresolv (don’t know if it’s needed, noob here):
    apt-get install openresolv nscd unbound

    Added to the .ovpn client file the following lines:
    script-security 2
    setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    up /etc/openvpn/scripts/update-systemd-resolved
    down /etc/openvpn/scripts/update-systemd-resolved
    down-pre

    edit the following sysctl.conf file from terminal, Once you have this file opened, look for the line that contains net.ipv4.ip_forward. If this line is commented, remove the # sign at the front of the line (if it is not commented then you have another issue). Save the file and then restart your OpenVPN server instance. Also press ctrl+s to save, and ctrl+x to close that instance:
    sudo nano /etc/sysctl.conf

    Worked for me finally, and in a stable manner so far. The fix could be different for others, so far there is no straight answer sadly :(. Peace 🙂

    Sources:
    https://askubuntu.com/questions/1032476/ubuntu-18-04-no-dns-resolution-when-connected-to-openvpn
    https://github.com/jonathanio/update-systemd-resolved

  7. I try all and it donesn’t work don’t have connection. I have Just try to uninstall and change documents but nothing change

  8. When you counsel readers to enter a DNS address, why on earth would you instruct them to give GOOGLE’s address? Google a monopolistic organisation, known to be working to take over the web, lying to Congress, collaborating with other big players to censor free speech, etc. etc. Wake up young man, if you want readers to take you seriously

  9. Having gone through all of these instructions, I find these as with all other supposed solutions to Linux inability to effectively stop DNS Leaks, are a smoke screen. Designed to frustrate Linux users and drive them back to Windows and Apple. Shame on you.

  10. How do I reverse the Main settings. I mean delete all this crap because that is connecting me to google DNS which is 1000% being used for advertisement. and if I connect to other DNS the ping time goes from 80 ms before to 500 ms after doing this process. can you please guide me to a way that would take me back to the default settings

  11. I am unable to connect to the internet even after following the suggested edits at the end of the tutorial. Can you please take this offline to prevent further damage?

  12. The directions in this article work with Linux Mint 19.1 Tessa (I’m using ProtonVPN servers)… as long as you enable packet forwarding for IPv4 before you install dnscrypt-proxy:

    1) sudo nano /etc/sysctl.conf
    2) Uncomment (remove the #) on the line: net.ipv4.ip_forward=1
    3) Ctrl-S
    4) Ctrl-X

    No more leakage. Thanks!

    • Sheesh, seems that IPv6 will leak DNS information despite all this. Try running the tests on ipleak. net. The workaround for this is to disable all network traffic except through your VPN tunnel (tun0) using ufw (sudo apt install ufw):

      # Restrict to tun0
      sudo ufw reset
      sudo ufw default deny incoming
      sudo ufw default deny outgoing
      sudo ufw allow out on tun0 from any to any
      sudo ufw enable

      # Unrestricted
      sudo ufw reset
      sudo ufw default deny incoming
      sudo ufw default allow outgoing
      sudo ufw enable

      I like to add these to ~/.bash_aliases, for instance:

      alias firewallup=’sudo ufw reset && sudo ufw default deny incoming && sudo ufw default deny outgoing && sudo ufw allow out on tun0 from any to any && sudo ufw enable’
      alias firewalldown=’sudo ufw reset && sudo ufw default deny incoming && sudo ufw default allow outgoing && sudo ufw enable’

      This works as a good kill-switch too in-case your VPN connection drops.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

STAY CONNECTED

24,726FansLike
164FollowersFollow

LATEST ARTICLES

Create a ClamAV Antivirus Live USB drive, and how to use it

Antivirus Live CD or USB drives come in handy at times when your computer is infected with a virus and other malware. Here is how you can create a ClamAV Live USB drive to scan and remove the malware from a computer.