
openvpn does not change DNS server



I'm trying to set up a VPN on Ubuntu 18.04.3. Following the suggestions on this question, I added the following lines to the end of the .ovpn file:



script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf


I also ran



sudo rm -i /etc/resolv.conf

sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf


to fix /etc/resolv.conf.



Then I created the VPN under VPN Settings -> Add VPN -> Open from File, and used the .ovpn file.



However, when I turn the VPN on, the computer still uses the local DNS server, rather than that of the VPN.



Here are the results of various diagnostics, with the VPN on and off:



---------------------------VPN off:------------------------------



cat /run/resolvconf/resolv.conf:



No such file or directory



cat /run/systemd/resolve/resolv.conf:



nameserver 192.168.0.1
nameserver fd08:b55d:5917:0:3e89:94ff:fe31:c148
search Home


cat /run/systemd/resolve/stub-resolv.conf:



nameserver 127.0.0.53
options edns0
search Home


systemd-resolve --status:



Global
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test

Link 2 (wlp59s0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 192.168.0.1
fd08:b55d:5917:0:3e89:94ff:fe31:c148
DNS Domain: Home


cat /etc/network/interfaces:



 # interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback


cat /etc/netplan/*.yaml:



# Let NetworkManager manage all devices on this system
network:
  version: 2
  renderer: NetworkManager


----------------------------VPN on:------------------------------



cat /run/resolvconf/resolv.conf:



No such file or directory


cat /run/systemd/resolve/resolv.conf:



nameserver 192.168.0.1
nameserver fd08:b55d:5917:0:3e89:94ff:fe31:c148
nameserver 10.34.16.1
search Home


cat /run/systemd/resolve/stub-resolv.conf:



nameserver 127.0.0.53
options edns0
search Home


systemd-resolve --status:



Global
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test

Link 8 (tun0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 10.34.16.1

Link 2 (wlp59s0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 192.168.0.1
fd08:b55d:5917:0:3e89:94ff:fe31:c148
DNS Domain: Home


cat /etc/network/interfaces:



# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback


cat /etc/netplan/*.yaml:



# Let NetworkManager manage all devices on this system
network:
  version: 2
  renderer: NetworkManager


EDIT:



ls -al /sbin/resolvconf outputs ls: cannot access '/sbin/resolvconf': No such file or directory.



With the VPN off, host -v www.ebay.com outputs:



Trying "www.ebay.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12728
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ebay.com. IN A

;; ANSWER SECTION:
www.ebay.com. 60 IN CNAME slot9428.ebay.com.edgekey.net.
slot9428.ebay.com.edgekey.net. 60 IN CNAME e9428.b.akamaiedge.net.
e9428.b.akamaiedge.net. 60 IN A 104.78.177.101

Received 122 bytes from 192.168.0.1#53 in 14 ms
Trying "e9428.b.akamaiedge.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 881
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;e9428.b.akamaiedge.net. IN AAAA

;; AUTHORITY SECTION:
b.akamaiedge.net. 996 IN SOA n0b.akamaiedge.net. hostmaster.akamai.com. 1568976151 1000 1000 1000 1800

Received 101 bytes from 192.168.0.1#53 in 12 ms
Trying "e9428.b.akamaiedge.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30223
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;e9428.b.akamaiedge.net. IN MX

;; AUTHORITY SECTION:
b.akamaiedge.net. 1000 IN SOA n0b.akamaiedge.net. hostmaster.akamai.com. 1568976180 1000 1000 1000 1800

Received 101 bytes from 192.168.0.1#53 in 13 ms


With the VPN on:



Trying "www.ebay.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7665
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ebay.com. IN A

;; ANSWER SECTION:
www.ebay.com. 60 IN CNAME slot9428.ebay.com.edgekey.net.
slot9428.ebay.com.edgekey.net. 60 IN CNAME e9428.b.akamaiedge.net.
e9428.b.akamaiedge.net. 60 IN A 104.78.177.101

Received 122 bytes from 192.168.0.1#53 in 15 ms
Trying "e9428.b.akamaiedge.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1414
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;e9428.b.akamaiedge.net. IN AAAA

;; AUTHORITY SECTION:
b.akamaiedge.net. 999 IN SOA n0b.akamaiedge.net. hostmaster.akamai.com. 1568976217 1000 1000 1000 1800

Received 101 bytes from 192.168.0.1#53 in 12 ms
Trying "e9428.b.akamaiedge.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6348
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;e9428.b.akamaiedge.net. IN MX

;; AUTHORITY SECTION:
b.akamaiedge.net. 994 IN SOA n0b.akamaiedge.net. hostmaster.akamai.com. 1568976219 1000 1000 1000 1800

Received 101 bytes from 192.168.0.1#53 in 19 ms


EDIT 2: After running sudo apt-get install resolvconf, the output of host -v www.ebay.com, with the VPN on, becomes:



Trying "www.ebay.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9033
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ebay.com. IN A

;; ANSWER SECTION:
www.ebay.com. 60 IN CNAME slot9428.ebay.com.edgekey.net.
slot9428.ebay.com.edgekey.net. 59 IN CNAME e9428.b.akamaiedge.net.
e9428.b.akamaiedge.net. 59 IN A 104.78.177.101

Received 122 bytes from 127.0.0.53#53 in 57 ms
Trying "e9428.b.akamaiedge.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19716
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;e9428.b.akamaiedge.net. IN AAAA

Received 40 bytes from 127.0.0.53#53 in 15 ms
Trying "e9428.b.akamaiedge.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48908
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;e9428.b.akamaiedge.net. IN MX

Received 40 bytes from 127.0.0.53#53 in 21 ms


EDIT 3:



The output of cat /etc/resolv.conf and cat /run/resolvconf/resolv.conf is the same, and is:



# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 127.0.0.53
search Home


EDIT 4: Calling grep -r '192.168.0.1' /etc/ returns:



/etc/sane.d/saned.conf:#192.168.0.1
/etc/sane.d/saned.conf:#192.168.0.1/29
/etc/sane.d/magicolor.conf:# net 192.168.0.1
/etc/avahi/hosts:# 192.168.0.1 router.local


With the VPN turned on via the Network Manager GUI (i.e., from the top menu), the output of systemd-resolve --status is:



Global
DNS Domain: Home
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test

Link 13 (tun0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 10.34.40.1

Link 2 (wlp59s0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 192.168.0.1
fd08:b55d:5917:0:3e89:94ff:fe31:c148
DNS Domain: Home


Calling the VPN via sudo openvpn seems to work correctly: The output of systemd-resolve --status is:



Global
DNS Servers: 10.34.48.1
DNS Domain: Home
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test

Link 14 (tun0)
Current Scopes: none
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no

Link 2 (wlp59s0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 192.168.0.1
fd08:b55d:5917:0:3e89:94ff:fe31:c148
DNS Domain: Home


dnsleak.com shows the VPN's DNS server, and host -v www.ebay.com gets its data from 10.34.48.1.



Two interesting output lines from the initialization of the VPN from the terminal are:



/etc/openvpn/update-resolv-conf tun0 1500 1553 10.34.48.8 255.255.252.0 init
dhcp-option DNS 10.34.48.1


It looks like maybe the openvpn command is changing the dhcp-option, but the network manager is not.











  • Actually... it does. DNS Servers: 10.34.16.1 Each link in SystemD's ResolveD can carry its own assigned DNS servers, it uses them in the order shown from first link to last (first come first tested) through to the end to run DNS queries. It won't change the DNS entries in resolv.conf, no, but that's because the resolv.conf points at systemd-resolved which handles DNS queries outbound internally to itself.

    – Thomas Ward
    Sep 19 at 16:27











  • Thanks for copying over all of the data from our previous discussion. Show me ls -al /sbin/resolvconf and with vpn down/up host -v www.ebay.com.

    – heynnema
    Sep 19 at 21:12











  • I added the two other outputs. It looks like it's still not using the new DNS server because the 192.168.0.1 is still first, so I'm still getting DNS leaks.

    – Sam Jaques
    Sep 20 at 10:47











  • Make sure to start comments to me with @heynnema or I'll surely miss them. Thanks for the updates to my questions. Install this sudo apt-get install resolvconf, then reboot, and retry the systemd-resolve --status command with vpn up. Recheck the host -v command, and check for DNS leaks. Report back.

    – heynnema
    Sep 20 at 14:22












  • @ThomasWard actually, it's not working correctly, as seen by the host -v command, and the dns leaks.

    – heynnema
    Sep 20 at 14:24
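
The checks run by hand in this thread (which server answered `host -v`, and which resolvers each link still carries in `systemd-resolve --status`) can be scripted. The following is an added example, not part of the original post or comments. The sample inputs are trimmed excerpts of the output quoted in the question, except `HOST_CLI`, which is constructed from the asker's statement that the answer came from 10.34.48.1; the function names and verdict labels are this example's own.

```python
import ipaddress
import re

STUB = "127.0.0.53"  # systemd-resolved stub listener (see stub-resolv.conf in the question)

SECTION = re.compile(r"^(?:Global|Link \d+ \((\S+)\))$")
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*):\s+(.*)$")


def answering_servers(host_output):
    """Resolver addresses from the 'Received N bytes from ADDR#PORT' lines of `host -v`."""
    return re.findall(r"^Received \d+ bytes from (\S+)#\d+", host_output, re.M)


def pushed_dns(openvpn_log):
    """DNS servers handed to the up script as 'dhcp-option DNS ADDR'."""
    return re.findall(r"dhcp-option DNS (\S+)", openvpn_log)


def parse_resolved_status(text):
    """Parse `systemd-resolve --status` into {section: {field: [values]}}.

    Sections are 'Global' or the interface name. Lines without a 'Field: value'
    shape (extra DNS servers, NTA entries) continue the previous field.
    """
    sections, current, field = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            current, field = sections.setdefault(m.group(1) or "Global", {}), None
            continue
        if current is None:
            continue
        m = FIELD.match(line)
        if m:
            field = m.group(1)
            current.setdefault(field, []).append(m.group(2))
        elif field:
            current[field].append(line)
    return sections


def check_leak(host_output, vpn_dns, status_text=""):
    """Classify a `host -v` run against the resolvers the VPN is expected to use.

    'leak'         -> an answer came directly from a resolver outside vpn_dns
    'inconclusive' -> only the local stub answered; its upstream is not visible here
    'vpn'          -> every answer came from a VPN resolver
    """
    vpn = {ipaddress.ip_address(a) for a in vpn_dns}
    answered = answering_servers(host_output)
    direct = [a for a in answered if a != STUB]
    if not answered:
        verdict = "no-answer"
    elif any(ipaddress.ip_address(a) not in vpn for a in direct):
        verdict = "leak"
    elif STUB in answered:
        verdict = "inconclusive"
    else:
        verdict = "vpn"
    # Resolvers still configured on any link (or globally) that are not the VPN's.
    outside = {}
    for name, fields in parse_resolved_status(status_text).items():
        extra = [s for s in fields.get("DNS Servers", []) if ipaddress.ip_address(s) not in vpn]
        if extra:
            outside[name] = extra
    return {"verdict": verdict, "answered_by": sorted(set(answered)), "outside_vpn": outside}


# --- sample inputs: trimmed excerpts of the output quoted in the question ---
HOST_VPN_GUI = """\
Trying "www.ebay.com"
Received 122 bytes from 192.168.0.1#53 in 15 ms
Trying "e9428.b.akamaiedge.net"
Received 101 bytes from 192.168.0.1#53 in 12 ms
"""
HOST_STUB = """\
Received 122 bytes from 127.0.0.53#53 in 57 ms
Received 40 bytes from 127.0.0.53#53 in 15 ms
"""
STATUS_GUI = """\
Global
DNS Domain: Home
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa

Link 13 (tun0)
Current Scopes: DNS
DNS Servers: 10.34.40.1

Link 2 (wlp59s0)
Current Scopes: DNS
DNS Servers: 192.168.0.1
fd08:b55d:5917:0:3e89:94ff:fe31:c148
DNS Domain: Home
"""
OPENVPN_LOG = """\
/etc/openvpn/update-resolv-conf tun0 1500 1553 10.34.48.8 255.255.252.0 init
dhcp-option DNS 10.34.48.1
"""
HOST_CLI = "Received 122 bytes from 10.34.48.1#53 in 15 ms\n"  # constructed line

if __name__ == "__main__":
    print(check_leak(HOST_VPN_GUI, ["10.34.16.1"]))
    print(check_leak(HOST_STUB, ["10.34.40.1"], STATUS_GUI))
    print(check_leak(HOST_CLI, pushed_dns(OPENVPN_LOG)))
```

An `inconclusive` verdict means only 127.0.0.53 answered, so `outside_vpn` lists the non-VPN resolvers still configured and the upstream actually used has to be confirmed with an external leak test.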





























0













0









0








I'm trying to set up a VPN on Ubuntu 18.04.3. Following the suggestions on this question, I added the following lines to the end of the .ovpn file:



script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf


I also ran



sudo rm -i /etc/resolv.conf

sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf


to fix /etc/resolv.conf.



Then I created the VPN under VPN Settings -> Add VPN -> Open from File, and used the .ovpn file.



However, when I turn the VPN on, the computer still uses the local DNS server, rather than that of the VPN.



Here are the results of various diagnostics, with the VPN on and off:



---------------------------VPN off:------------------------------



cat /run/resolvconf/resolv.conf:



No such file or directory



cat /run/systemd/resolve/resolv.conf:



nameserver 192.168.0.1
nameserver fd08:b55d:5917:0:3e89:94ff:fe31:c148
search Home


cat /run/systemd/resolve/stub-resolv.conf:



nameserver 127.0.0.53
options edns0
search Home


systemd-resolve --status:



Global
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test

Link 2 (wlp59s0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 192.168.0.1
fd08:b55d:5917:0:3e89:94ff:fe31:c148
DNS Domain: Home


cat /etc/network/interfaces:



 # interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback


cat /etc/netplan/*.yaml:



# Let NetworkManager manage all devices on this system
network:
version: 2
renderer: NetworkManager


----------------------------VPN on:------------------------------



cat /run/resolvconf/resolv.conf:



No such file or directory


cat /run/systemd/resolve/resolv.conf:



nameserver 192.168.0.1
nameserver fd08:b55d:5917:0:3e89:94ff:fe31:c148
nameserver 10.34.16.1
search Home


cat /run/systemd/resolve/stub-resolv.conf:



nameserver 127.0.0.53
options edns0
search Home


systemd-resolve --status:



Global
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test

Link 8 (tun0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 10.34.16.1

Link 2 (wlp59s0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 192.168.0.1
fd08:b55d:5917:0:3e89:94ff:fe31:c148
DNS Domain: Home


cat /etc/network/interfaces:



# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback


cat /etc/netplan/*.yaml:



# Let NetworkManager manage all devices on this system
network:
version: 2
renderer: NetworkManager


EDIT:



ls -al /sbin/resolvconf outputs ls: cannot access '/sbin/resolvconf': No such file or directory.



With the VPN off, host -v www.ebay.com outputs:



Trying "www.ebay.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12728
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ebay.com. IN A

;; ANSWER SECTION:
www.ebay.com. 60 IN CNAME slot9428.ebay.com.edgekey.net.
slot9428.ebay.com.edgekey.net. 60 IN CNAME e9428.b.akamaiedge.net.
e9428.b.akamaiedge.net. 60 IN A 104.78.177.101

Received 122 bytes from 192.168.0.1#53 in 14 ms
Trying "e9428.b.akamaiedge.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 881
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;e9428.b.akamaiedge.net. IN AAAA

;; AUTHORITY SECTION:
b.akamaiedge.net. 996 IN SOA n0b.akamaiedge.net. hostmaster.akamai.com. 1568976151 1000 1000 1000 1800

Received 101 bytes from 192.168.0.1#53 in 12 ms
Trying "e9428.b.akamaiedge.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30223
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;e9428.b.akamaiedge.net. IN MX

;; AUTHORITY SECTION:
b.akamaiedge.net. 1000 IN SOA n0b.akamaiedge.net. hostmaster.akamai.com. 1568976180 1000 1000 1000 1800

Received 101 bytes from 192.168.0.1#53 in 13 ms


With the VPN on:



Trying "www.ebay.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7665
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ebay.com. IN A

;; ANSWER SECTION:
www.ebay.com. 60 IN CNAME slot9428.ebay.com.edgekey.net.
slot9428.ebay.com.edgekey.net. 60 IN CNAME e9428.b.akamaiedge.net.
e9428.b.akamaiedge.net. 60 IN A 104.78.177.101

Received 122 bytes from 192.168.0.1#53 in 15 ms
Trying "e9428.b.akamaiedge.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1414
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;e9428.b.akamaiedge.net. IN AAAA

;; AUTHORITY SECTION:
b.akamaiedge.net. 999 IN SOA n0b.akamaiedge.net. hostmaster.akamai.com. 1568976217 1000 1000 1000 1800

Received 101 bytes from 192.168.0.1#53 in 12 ms
Trying "e9428.b.akamaiedge.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6348
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;e9428.b.akamaiedge.net. IN MX

;; AUTHORITY SECTION:
b.akamaiedge.net. 994 IN SOA n0b.akamaiedge.net. hostmaster.akamai.com. 1568976219 1000 1000 1000 1800

Received 101 bytes from 192.168.0.1#53 in 19 ms


EDIT 2: After running sudo apt-get install resolvconf, the output of host -v www.ebay.com, with the VPN on, becomes:



Trying "www.ebay.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9033
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ebay.com. IN A

;; ANSWER SECTION:
www.ebay.com. 60 IN CNAME slot9428.ebay.com.edgekey.net.
slot9428.ebay.com.edgekey.net. 59 IN CNAME e9428.b.akamaiedge.net.
e9428.b.akamaiedge.net. 59 IN A 104.78.177.101

Received 122 bytes from 127.0.0.53#53 in 57 ms
Trying "e9428.b.akamaiedge.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19716
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;e9428.b.akamaiedge.net. IN AAAA

Received 40 bytes from 127.0.0.53#53 in 15 ms
Trying "e9428.b.akamaiedge.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48908
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;e9428.b.akamaiedge.net. IN MX

Received 40 bytes from 127.0.0.53#53 in 21 ms


EDIT 3:



The output of cat /etc/resolv.conf and cat /run/resolvconf/resolv.conf is the same, and is:



# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 127.0.0.53
search Home


EDIT 4: Calling grep -r '192.168.0.1' /etc/ returns:



/etc/sane.d/saned.conf:#192.168.0.1
/etc/sane.d/saned.conf:#192.168.0.1/29
/etc/sane.d/magicolor.conf:# net 192.168.0.1
/etc/avahi/hosts:# 192.168.0.1 router.local


With the VPN turned on via the Network Manager GUI (i.e., from the top menu), the output of systemd-resolve --status is:



Global
          DNS Domain: Home
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 13 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 10.34.40.1

Link 2 (wlp59s0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.0.1
                      fd08:b55d:5917:0:3e89:94ff:fe31:c148
          DNS Domain: Home


Calling the VPN via sudo openvpn seems to work correctly: The output of systemd-resolve --status is:



Global
         DNS Servers: 10.34.48.1
          DNS Domain: Home
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 14 (tun0)
      Current Scopes: none
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

Link 2 (wlp59s0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.0.1
                      fd08:b55d:5917:0:3e89:94ff:fe31:c148
          DNS Domain: Home


dnsleak.com shows the VPN's DNS server, and host -v www.ebay.com gets its data from 10.34.48.1.



Two interesting output lines from the initialization of the VPN from the terminal are:



/etc/openvpn/update-resolv-conf tun0 1500 1553 10.34.48.8 255.255.252.0 init
dhcp-option DNS 10.34.48.1


It looks like maybe the openvpn command is changing the dhcp-option, but the network manager is not.

















dns vpn openvpn














edited Sep 22 at 9:28
Sam Jaques

asked Sep 19 at 16:21
Sam Jaques















  • Actually... it does. DNS Servers: 10.34.16.1 Each link in SystemD's ResolveD can carry its own assigned DNS servers, it uses them in the order shown from first link to last (first come first tested) through to the end to run DNS queries. It won't change the DNS entries in resolv.conf, no, but that's because the resolv.conf points at systemd-resolved which handles DNS queries outbound internally to itself.

    – Thomas Ward
    Sep 19 at 16:27











  • Thanks for copying over all of the data from our previous discussion. Show me ls -al /sbin/resolvconf and with vpn down/up host -v www.ebay.com.

    – heynnema
    Sep 19 at 21:12











  • I added the two other outputs. It looks like it's still not using the new DNS server because the 192.168.0.1 is still first, so I'm still getting DNS leaks.

    – Sam Jaques
    Sep 20 at 10:47











  • Make sure to start comments to me with @heynnema or I'll surely miss them. Thanks for the updates to my questions. Install this sudo apt-get install resolvconf, then reboot, and retry the systemd-resolve --status command with vpn up. Recheck the host -v command, and check for DNS leaks. Report back.

    – heynnema
    Sep 20 at 14:22












  • @ThomasWard actually, it's not working correctly, as seen by the host -v command, and the dns leaks.

    – heynnema
    Sep 20 at 14:24



























1 Answer















































DNSoverTLS 1.1.1.1 OpenVPN configuration.



First you need systemd-resolved installed and configured to use stub-resolv.conf.



ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
cat /etc/resolv.conf


Output



nameserver 127.0.0.53
options edns0


systemd-networkd



/etc/systemd/resolved.conf (example):



[Resolve]
DNS=8.8.8.8 8.8.4.4
FallbackDNS=1.1.1.1 1.0.0.1
LLMNR=no
MulticastDNS=no
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
Cache=yes
DNSStubListener=yes


/etc/systemd/network/ethX.network (example):



[Match]
Name=eth*

[Link]
RequiredForOnline=yes

[Network]
DHCP=yes
MulticastDNS=no
LLMNR=no
LinkLocalAddressing=no

[DHCP]
UseDNS=yes
UseHostname=no
CriticalConnection=yes


/etc/systemd/network/tunX.network (important!):



(In order for OpenVPN to be able to administer the tun link, the link must be unmanaged.)



[Match]
Name=tun*

[Link]
Unmanaged=yes


I use update-resolved to configure systemd-resolved.
(You can use update-systemd-resolved or
aptitude install openvpn-systemd-resolved, but then you need to follow
README.md instead.)



Installing update-resolved:



cd /etc/openvpn
git clone https://github.com/bac0n/update-resolved.git


Add update-resolved to your openvpn.conf:



# Include update-resolved up/down script.
config /etc/openvpn/update-resolved/update-resolved.ovpn


Restart openvpn:



systemctl restart openvpn


Journald:



journalctl -t update-resolved


Output



-- Logs begin at Sat 2019-09-21 12:28:01 CEST, end at Sun 2019-09-22 17:05:01 CEST. --
Sep 21 12:28:11 foobar update-resolved[914]: Note: Successfully configured resolved on link 3 (tun0)


Note:



By default it uses the DNS servers supplied by openvpn. If you would like to use
static DNS servers, you need to filter the DNS servers supplied by openvpn
in 'update-resolved.ovpn' and set your own DNS servers in 'update-resolved.conf'.



Example:



resolve_options=(DOMAIN ~. DNS 1.1.1.1 DNS 1.0.0.1 LLMNR no MulticastDNS no)


(When using the domain ~., resolved will use the tun link for all your DNS queries (unless other links too carry such a route-only domain). When the tun link is removed, resolved will start using 'global' and 'isp' DNS servers in parallel; see Protocols and Routing.)







edited Sep 22 at 15:31

























answered Sep 21 at 17:16









bac0n
1,088 reputation, 1 silver badge, 13 bronze badges















  • systemd is installed and the /etc/resolv.conf link is fixed. For both /etc/systemd/network/ethX.network and /etc/systemd/network/tunX.network, I get "No such file or directory". Are those files important to have?

    – Sam Jaques
    Sep 22 at 9:47











  • no, you can check if your tun interface is unmanaged with networkctl

    – bac0n
    Sep 22 at 15:05
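
A check for the routing behaviour described in the answer above, as an added example that is not part of the original answer or of update-resolved: it reads the text printed by `resolvectl domain` and `resolvectl dns` (systemd 239 or later is assumed) and confirms that the tun link alone carries `~.` and resolves through the expected servers. The function names, the sample output and the `tun*` interface naming are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit systemd-resolved DNS routing from `resolvectl` output.

# Print the interface of every link that carries the route-only domain "~.".
links_with_catchall() {
    awk '$1 == "Link" {
        name = $3; gsub(/[():]/, "", name)
        for (i = 4; i <= NF; i++) if ($i == "~.") { print name; break }
    }'
}

# Print the DNS servers listed for interface $1, space separated.
dns_for_link() {
    awk -v want="($1):" '$1 == "Link" && $3 == want {
        for (i = 4; i <= NF; i++) printf "%s%s", (i > 4 ? " " : ""), $i
        print ""
    }'
}

# audit_dns_routing DOMAIN_TEXT DNS_TEXT EXPECTED_SERVERS
# Succeeds only if exactly one link, a tun link (assumed naming), carries
# "~." and its DNS servers equal EXPECTED_SERVERS.
audit_dns_routing() {
    links=$(printf '%s\n' "$1" | links_with_catchall)
    count=$(printf '%s\n' "$links" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -eq 0 ]; then
        echo "FAIL: no link carries ~. (global and ISP servers are used)"; return 1
    elif [ "$count" -gt 1 ]; then
        echo "FAIL: several links carry ~.: $(echo $links)"; return 1
    fi
    case "$links" in
        tun*) ;;
        *) echo "FAIL: ~. is on non-tunnel link $links"; return 1 ;;
    esac
    servers=$(printf '%s\n' "$2" | dns_for_link "$links")
    if [ "$servers" != "$3" ]; then
        echo "FAIL: $links uses '$servers', expected '$3'"; return 1
    fi
    echo "OK: all DNS queries routed to $links ($servers)"
}

# Constructed sample output (not captured from a real host).
SAMPLE_DOMAIN='Global:
Link 2 (eth0): lan
Link 3 (tun0): ~.'
SAMPLE_DNS='Global: 8.8.8.8 8.8.4.4
Link 2 (eth0): 192.0.2.1
Link 3 (tun0): 1.1.1.1 1.0.0.1'

audit_dns_routing "$SAMPLE_DOMAIN" "$SAMPLE_DNS" "1.1.1.1 1.0.0.1"
# Live: audit_dns_routing "$(resolvectl domain)" "$(resolvectl dns)" "1.1.1.1 1.0.0.1"
```

A failing result after the tunnel drops is expected, since resolved then falls back to the global and per-link servers.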


































