How to fix DNS leak issue with OpenVPN in Ubuntu

Because connecting to VPN doesn't actually mean your PC is not leaking the DNS info to your ISP.

With ever-growing valuable personal data collection by even the biggest tech giants like Google, Facebook, Microsoft, etc., it is imperative to safeguard your internet privacy. ISPs also can record your internet usage details. Thankfully, VPN service costs have come down significantly, and so subscribing to a decent service like NordVPN, ExpressVPN, CyberGhost, etc. has become reasonably affordable.

These top VPN companies are rock solid, trustworthy, and provide end-to-end encryption. Your privacy is secured if you choose an excellent VPN service. Unfortunately, there is a bigger hidden problem even when you are using an excellent service. It’s the DNS leak.

No matter which VPN service you are using, if you are using OpenVPN to connect to your VPN service, chances are that your PC is already revealing your actual IP address due to improper network configuration.

CAUTION: Please don’t rush through the article, and follow the article at your own risk. Read the article in its entirety, and follow the steps carefully. The tutorial worked 100% on our test computer, and several users have responded positively. There are also users for whom the guide didn’t work due to different network settings between the systems. Uninstalling resolvconf completely should solve the problem for them.

What is DNS Leak?

A DNS leak indicates a security flaw that allows DNS requests to be revealed to internet service provider’s DNS servers, thus notwithstanding the VPN service to attempt to conceal them. In simple terms, it’s as good as not using a VPN service. It is a huge problem and must be addressed immediately if at all, one is serious about hiding the identity.

Checking DNS Leak

Some websites offer free DNS leak check. One of the best-sophisticated ones I recommend is linked below:

DNS Leaktest

With the VPN service connected, go to their webpage. You may see that it says Hello IP address with location info. It is basic info which may give you the impression that everything is OK. To make an in-depth test, click on the “Extended Test.”

Checking for DNS Leak
Checking for DNS Leak

Test Results
Test Results

In a few seconds, you should see a report of the test which shows IP, Hostname, ISP, and Country. If you see your internet service provider name in the ISP section along with Hostname having your IP address, then it’s confirmed that your PC is leaking DNS! For example, in my test PC (above screenshot) without the DNS fix, it was utterly revealing my ISP and location though it is connected to the NordVPN service via OpenVPN.

Fixing DNS Leak in Ubuntu, Linux Mint, and elementary OS

This guide is tested to be working 100% in Ubuntu 18.04 LTS but should work without any issues in Ubuntu 17.04, and derivatives like Linux Mint, and elementary OS too. Start with disconnecting the VPN and continue with Part 1 and Part 2 instructions.

Part 1: Installing dnscrypt-proxy

DNS encrypt Proxy is a powerful networking tool that helps in DNS traffic encryption and authentication. It supports DNS-over-HTTPS (DoH) and DNSCrypt. It can force outgoing connections to use TCP. Additionally, it can block malware and other unwanted content. It is compatible with all DNS services.

Step 1) Launch ‘Terminal’. You can use the Ctrl+Alt+T keyboard shortcut in Ubuntu.

Step 2) To make sure you don’t have an outdated version of dnscrypt-proxy, run this command:

sudo apt-get purge dnscrypt-proxy

Step 3) Copy and paste the following commands in the terminal and press enter.

sudo add-apt-repository ppa:shevchuk/dnscrypt-proxy && \
sudo apt update && \
sudo apt install dnscrypt-proxy

Step 4) Restart the services using the commands:

sudo systemctl restart NetworkManager
sudo systemctl restart dnscrypt-proxy

Part 2: Configuring resolv.conf

Step 1) Install resolv.conf by entering the command as follows:

sudo apt install resolvconf
sudo resolvconf -i

Step 2) The next step is to make the Network Manager use the default settings for managing the resolv.conf file by editing the conf file. Proceed to copy and paste the below commands into the Terminal to edit the conf file.

sudo nano /etc/NetworkManager/NetworkManager.conf

Step 3) You will see an editor in the Terminal. Carefully, use the arrow keys to navigate to the first line and then copy & paste the following line below the first line that says [main].

Editing NetworkManager Conf
Editing NetworkManager Conf

dns=default

After editing the file, it should look something like this:

[main]
dns=default

plugins=ifupdown,keyfile

[ifupdown]
managed=false

[device]
wifi.scan-rand-mac-address=no

Step 4) While in the editor, press CTRL X to exit the editor. Enter ‘Y’ to save and then press Enter to overwrite the file.

Step 5) Finally restart the services:

sudo systemctl stop systemd-resolved

sudo systemctl disable systemd-resolved

sudo systemctl restart network-manager

sudo systemctl restart dnscrypt-proxy

Step 6) Close all browsers, connect to your VPN service, and then go DNSleaktest page. If everything went well, you should not see your ISP Name leaked in the new test. For example, my test PC connected to the NordVPN server shows QuadraNet ISP, which is different from my actual provider (Spectrum).

DNS Leak Test
DNS Leak Test

UPDATE:

Some users have experienced a loss of internet after the change in settings. Try the following to remove resolvconf altogether.

OPTION 1: Enter the following command:

sudo apt autoremove resolvconf

OPTION 2:

It looks like the default DNS is getting misconfigured. Thanks to BananaSam (in the comment below) for providing the link.

Proceed as follows:

1. Launch Terminal.

2. Enter the following command and hit enter.

nano gedit /etc/systemd/resolved.conf

3. Replace #DNS with DNS=8.8.8.8

4. Press Ctrl X and then enter Y to save the file.

5. Restart the computer.

That’s it! How did the tutorial work for you? Do let us know your feedback in the comments below.

Kiran Kumar
Hi there! I'm Kiran Kumar, founder of FOSSLinux.com. I'm an avid Linux lover and enjoy hands-on with new promising distros. Currently, I'm using Ubuntu as a daily driver and run several other distros such as Fedora, Solus, Manjaro, Debian, and some new ones on my test PC and virtual machines. I have a day job as an Engineer, and this website is one of my favorite past time activities, especially during Winter ;). When I'm not writing for FOSSLinux, I'm seen biking and hiking on scenic trails. I hope you enjoy using this website as much as I do writing for it. Feedback from readers is something that inspires me to do more and spread Linux love!. If you find a time, drop me an email or feedback from the 'Contact' page. Or simply leave a comment below if you found this article useful. Have a good day!

26 COMMENTS

      • I have the same issue I have an internet connection but the connect icon is outlined in red and unclickable post using this tutorial. I have since tried reverting the changes and uninstalling dnscrypt proxy to no avail.

  1. I have no internet after following these steps exactly. No internet after rebooting, no internet after reversing steps and rebooting again.

  2. Yeah, this has broken my internet too. I wish I read the comments first…

    Please update this article; I think it’s doing more harm than good.

        • Your update doesn’t resolve the issue. the internet goes out for good as soon dnscrypt-proxy is installed and restared. There is no way to even continue with step 2 if things are screwed up in step 1. Your ‘update’ is at the very end of step 2, but it does no good anyways! Your bold claim that this “100% works” and yet clearly doesn’t, is still doing more harm than good

  3. Thanks a lot, I am using OpenVPN to connect to Nord on Linux Mint, and there was DNS leak using that method, (unlike connecting through terminal using Nord’s app). Your article fixed that.

  4. Fixed internet issue, and found another solution using ‘openresolv’.

    Background: I’m using a NordVPN .ovpn file to connect via VPN and I was getting DNS leaks on Ubuntu 18.04. I tried the ‘openresolv’ solution and my DNS/internet died. Also I’m an Ubuntu and vpn noob.

    To fix my DNS/Internet I removed resolvconf: sudo apt install resolvconf

    I then restarted my PC.

    I then installed ‘openresolv’: apt-get install openresolv nscd unbound

    No restart needed fortunately, and I was alreadly VPNed in.

    Resolved, fixed.

    • A tip. Make sure you have downloaded the openresolv file and placed it into an accessible folder, prior making the changes so you have access to it for a clean re-installation should your network connection fail. Then you can go to the folder you saved openresolv within and run sudo apt install resolvconf from a Terminal to restore your network connection without dramas.

  5. My internet got killed even after attempting the ‘fix’ mentioned in the article. It only got fixed after I removed resolvconf using ‘sudo apt autoremove resolvconf’. But the strange thing is there was no more DNS leaking. Oh well, I will take it.

  6. I think Ubuntu 18.04 is different, well for my computer using nordvpn. Resolv-conf didn’t work for me and openresolv didn’t really work that well, leaks were sporadic for some reason, but I found systemd-resolved worked but being a newbie I had some trouble but sharing my fix –>

    Removed resolvconf (apparently it got superseded with systemd-resolved):
    sudo apt autoremove resolvconf

    Installed systemd-resolved:
    sudo apt install openvpn-systemd-resolved

    Made sure the service systemd-resolved was started:
    systemctl enable systemd-resolved.service
    systemctl start systemd-resolved.service

    Installed openresolv (don’t know if it’s needed, noob here):
    apt-get install openresolv nscd unbound

    Added to the .ovpn client file the following lines:
    script-security 2
    setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    up /etc/openvpn/scripts/update-systemd-resolved
    down /etc/openvpn/scripts/update-systemd-resolved
    down-pre

    edit the following sysctl.conf file from terminal, Once you have this file opened, look for the line that contains net.ipv4.ip_forward. If this line is commented, remove the # sign at the front of the line (if it is not commented then you have another issue). Save the file and then restart your OpenVPN server instance. Also press ctrl+s to save, and ctrl+x to close that instance:
    sudo nano /etc/sysctl.conf

    Worked for me finally, and in a stable manner so far. The fix could be different for others, so far there is no straight answer sadly :(. Peace 🙂

    Sources:
    https://askubuntu.com/questions/1032476/ubuntu-18-04-no-dns-resolution-when-connected-to-openvpn
    https://github.com/jonathanio/update-systemd-resolved

    • !!!!!!!!!!!!!!!! ———————- LOOK HERE ———————- !!!!!!!!!!!!!!!!
      IF YOU HAVE NO INTERNET ANYMORE (LOL)

      Hello dear linux fellows; I’ve tried this tutorial myself and it did deactivate internet of my computer.

      IF YOUR ISSUE IS FOR SURE CAUSED BY THIS TUTO AND ONLY IF SO, you may proceed Sam’s fix
      To be precise the issue is your computer access the internet network but can no longer emit DNS requests.

      I permit my self to post this comment because the working solution is just above, posted by Sam K to who I owe the paternity of the solution.

      You will may be not able to install openvpn-systemd-resolved because of connection issues, then follow the next steps of Sam issue fix as unless you’ve deleted it openvpn-systemd-resolved is quasi-surely already installed.

      Between the different issue fix proposed through all the comment, the one working on april 12 2020 is this one.

      Have a nice day, I hope I avoided you some hours of research, thank you Sam, Peace guys

  7. I try all and it donesn’t work don’t have connection. I have Just try to uninstall and change documents but nothing change

  8. When you counsel readers to enter a DNS address, why on earth would you instruct them to give GOOGLE’s address? Google a monopolistic organisation, known to be working to take over the web, lying to Congress, collaborating with other big players to censor free speech, etc. etc. Wake up young man, if you want readers to take you seriously

  9. Having gone through all of these instructions, I find these as with all other supposed solutions to Linux inability to effectively stop DNS Leaks, are a smoke screen. Designed to frustrate Linux users and drive them back to Windows and Apple. Shame on you.

  10. How do I reverse the Main settings. I mean delete all this crap because that is connecting me to google DNS which is 1000% being used for advertisement. and if I connect to other DNS the ping time goes from 80 ms before to 500 ms after doing this process. can you please guide me to a way that would take me back to the default settings

  11. I am unable to connect to the internet even after following the suggested edits at the end of the tutorial. Can you please take this offline to prevent further damage?

  12. The directions in this article work with Linux Mint 19.1 Tessa (I’m using ProtonVPN servers)… as long as you enable packet forwarding for IPv4 before you install dnscrypt-proxy:

    1) sudo nano /etc/sysctl.conf
    2) Uncomment (remove the #) on the line: net.ipv4.ip_forward=1
    3) Ctrl-S
    4) Ctrl-X

    No more leakage. Thanks!

    • Sheesh, seems that IPv6 will leak DNS information despite all this. Try running the tests on ipleak. net. The workaround for this is to disable all network traffic except through your VPN tunnel (tun0) using ufw (sudo apt install ufw):

      # Restrict to tun0
      sudo ufw reset
      sudo ufw default deny incoming
      sudo ufw default deny outgoing
      sudo ufw allow out on tun0 from any to any
      sudo ufw enable

      # Unrestricted
      sudo ufw reset
      sudo ufw default deny incoming
      sudo ufw default allow outgoing
      sudo ufw enable

      I like to add these to ~/.bash_aliases, for instance:

      alias firewallup=’sudo ufw reset && sudo ufw default deny incoming && sudo ufw default deny outgoing && sudo ufw allow out on tun0 from any to any && sudo ufw enable’
      alias firewalldown=’sudo ufw reset && sudo ufw default deny incoming && sudo ufw default allow outgoing && sudo ufw enable’

      This works as a good kill-switch too in-case your VPN connection drops.

  13. Solution found to Systemd problems.

    Like many others, when systemd is disabled, it disables all internet access on the system. The only was I got it back on was a timeshift restore.

    Then found ProtonVPN have a way round but you have to execute every time from the Terminal, then I use the “kill switch” commands with Firewall to only allow tunnel0 (VPN) connection. Every resource I can find only displays IP addresses & DNS details from the VPN.

    * ProtonVPN’s solution (Use Option B): https: //protonvpn.com/support/linux-vpn-setup/
    * Activating/Deactivating the firewall with regards to tunnel0

    NOTE: Once the VPN is connected, if you close the terminal window it will end the VPN session. To connect next time you must allow all traffic from the firewall commands (or turn off firewall), then only allow traffic from tunnel0 again.

    TO CHECK FOR DNS LEAKS:
    https: //whoer.net/
    https: //www.dnsleaktest.com/ (use extended test)

    So much for Open Source and Privacy, you can’t post to this website while using s VPN. Good job i;ve got scripts setup for these commands.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

STAY CONNECTED

23,533FansLike
365FollowersFollow
16SubscribersSubscribe

LATEST ARTICLES

Top 10 Reasons to use Xfce as your Desktop Environment

There are many choices for desktop environments for Linux based operating systems. Mainly, you can install any DE of your choice on most of the Linux based distributions, even if they are not offered as a package officially. In our recent articles, we discussed the best of KDE and Cinnamon. In this article, we wish to present to you the top reasons why you should consider Xfce as your desktop environment.

The 10 Best Linux Network Monitoring Tools

Having total control over your network is essential to prevent programs from overusing your network resources and slowing down the overall performance. This is why you should install a network monitoring tool on your system, giving you a visual overview of everything that's happening on your network. Networking Tools are like swiss-knife for the system administrators for troubleshooting system issues.

How to install CouchPotato on Ubuntu

Downloading movies and copying them over to your home server can get frustrating, especially if you are doing it daily! What if you have an option to download videos automatically, quickly, and above all with excellent quality. CouchPotato allows you to download movies easily once they are available and released automatically.

Top 20 Rsync Examples in Linux

The Rsync (remote sync) command is a Linux/Unix utility used to synchronize and copy files and directories either locally or remotely. Most Linux geeks use Rsync to mirror, backup or migrate data across folders, across disks and networks. One notable feature with the Rsync command is that it uses the "delta transfer algorithm."

Setting up NFS Server on Ubuntu Server

We have put together a detailed step-by-step tutorial that will guide you on how to install and set up NFS Server on Ubuntu so you too can start sharing data with other client systems. It is divided into sections, the first part discussing how to set up the host server and the second part showing you how to set up the client-side. For this tutorial, we will be using Ubuntu 20.04 LTS.

Crontab in Linux Explained With Examples

Crontab is the Linux equivalent of the Window's Task Scheduler. It can help you set up a task to run automatically at a regular...

MUST READ

Linux is growing faster than ever. As per the latest report, there is a drop in the Windows 10 market share for the first time, and Linux's market share has improved to 2.87% this month. Most of the features in the list were rolled out in the Pop OS 20.04. Let's a detailed look into the new features, how to upgrade, and a ride through video.
Elementary OS 5.1 Hera has received a point release with a handful of new features and bug fixes, and we will be reviewing the significant changes in this article. For those new to elementary OS, this Ubuntu-based Linux distribution uses their inhouse built Pantheon desktop environment and AppCenter.

6 Essential Command-Line Utilities Every Linux User Should Know

Last week, we shared with you several "cool and fun" commands to get comfortable and confident with the Linux command-line. In our quest to further aid Linux users with mastery of the command line, or CLI, we present you with a variety of command-line utilities essential for all Linux users, regardless of proficiency level.

Installing an updatable Manjaro Linux on a USB Flash Drive

In this tutorial, we will show step by step how to install a Manjaro on a USB flash. For those new to this distro, it is a light-weight distro that is based on Arch Linux. Arch Linux is known for its simplistic approach and is typically made for Linux pros, but Manjaro bridges the gap between user-friendliness and rock-solid performance.

Guide to watching Disney+ on Linux

Disney Plus or Disney+ is an on-demand entertainment streaming service in which you should see the content produced by Disney Studios, Star Wars, Marvel, Pixar, and National Geographic. The service was launched on the 12th of November 2019.

10 Best Video Editing Software for Linux

This article is for all the Linux users out there who are looking for video editors to create their own professional videos, which can range from short documentaries to even movies.