Please note that this patch and fix only works for Ubuntu 17.04, which relies on
systemd-resolved as a DNS/DNSSEC stub resolver as well as an LLMNR resolver.
You also need to be using a network-manager plugin like network-manager-openvpn-gnome.
Install and configure an openvpn connection by running
'sudo apt-get install network-manager-openvpn-gnome', importing a config file, connecting
(if possible), and observing that there are DNS leaks (queries WILL be routed to your ISP)
with online tools like those at https://dnsleaktest.com.
Otherwise, just know that systemd-resolved naturally leaks DNS queries
over all configured domains on all interfaces by design unless a specific system bus call is made.
In this case, that call is the SetLinkDomains(in i ifindex, in a(sb) domains) method, passed
the interface index followed by an array containing the "routing-only" domain "~."
(see https://manpages.debian.org/testing/systemd/systemd.network.5.en.html) and the boolean true.
But enough with the technical details, let's move on to the fix!
First, make sure you have all the packages necessary to build the network manager. Install them with:
sudo apt update
sudo apt-get build-dep network-manager
cd ~/Documents
mkdir nm && cd nm
apt-get source network-manager
cd network-manager-1.4.4/
Copy the patch file into the network-manager-1.4.4 directory:
cp ~/Downloads/resolved-vpn-dns-leak-fix.patch .
Apply the patch with:
patch -p1 < resolved-vpn-dns-leak-fix.patch
Remove patch from source directory before compilation:
rm resolved-vpn-dns-leak-fix.patch
Compile and build .deb package for installation (this will take a while):
dpkg-buildpackage -us -uc -b
The compiled .debs should be in the parent directory you created (nm):
cd ../
First, stop all network services:
sudo service network-manager stop
sudo service networking stop
Install just the patched network manager (the other .debs are not necessary):
sudo dpkg -i network-manager_1.4.4-1ubuntu3_amd64.deb
Bring network services back up:
sudo service networking start
sudo service network-manager start
Connect to standard openvpn via network-manager-openvpn GUI (or other plugin)
Search the syslog for something like:
NetworkManager[876]: <info> [1496716774.9849] systemd-resolved[0x55b0132ec2b0]: Link type is VPN TUN or TAP, fixing DNS leak...
and verify that the VPN link (for example tun0) includes the descriptor:
DNS Domain: ~.
using the command:
systemd-resolve --status
When compiling network manager, several bogus links are created and will show up when
you type 'systemd-resolve --status'. Don't worry, they will disappear once you reboot.
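The 'DNS Domain: ~.' check above can be scripted. The following is an added example, not part of the original report or the patch; the function name has_catchall_route and the sample status text (interface names, addresses, domains) are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a link carries the "~." routing-only domain.
# Live use:  systemd-resolve --status | has_catchall_route tun0 && echo ok

# Constructed sample of 'systemd-resolve --status' output (not captured data).
sample_status() {
    cat <<'EOF'
Global
          DNSSEC NTA: 10.in-addr.arpa

Link 3 (tun0)
      Current Scopes: DNS
         DNS Servers: 10.8.0.1
          DNS Domain: example.vpn
                      ~.

Link 2 (wlp2s0)
      Current Scopes: DNS
         DNS Servers: 192.168.1.1
          DNS Domain: lan
EOF
}

# Reads status text on stdin; $1 is the interface name.
# Exit status 0 if that link lists "~." among its DNS domains, 1 otherwise.
has_catchall_route() {
    awk -v want="$1" '
        /^Link [0-9]+ \(/ {            # start of a per-link section
            name = $3; gsub(/[()]/, "", name)
            in_link = (name == want); in_dom = 0; next
        }
        !in_link { next }              # skip Global and other links
        /^[ \t]*DNS Domain:/ {         # first domain sits on the label line
            in_dom = 1; if ($NF == "~.") found = 1; next
        }
        in_dom && NF == 1 {            # continuation lines: one domain each
            if ($1 == "~.") found = 1; next
        }
        { in_dom = 0 }                 # any other line ends the domain list
        END { exit(found ? 0 : 1) }
    '
}
```

A non-zero exit status for the VPN interface means the routing-only domain was not set on that link, so the patched build is not the one running or did not recognise the link as a VPN.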
Then open your browser, navigate to https://dnsleaktest.com and select Extended test
You should only see your VPN provider's DNS servers. For example, with PIA you should see
something like:
Test complete
Query round   Progress...   Servers found
1             ......        1
2             ......        1
3             ......        1
4             ......        1
5             ......        1
6             ......        1
IP              Hostname                                         ISP            Country
173.239.220.5   ip-5-220-239-173.east.us.northamericancoax.com   GoLightSpeed   United States
Now, to prevent Ubuntu apt from replacing your patched, VPN-DNS-leak-free version of network manager that relies on systemd-resolved, use the command:
sudo apt-mark hold network-manager
That's all, you're done. Congrats, no DNS leaks on Ubuntu 17.04!
I hope that I was able to make your life easier and more secure using openvpn or other
vpn services through the built-in GUI for the Gnome NetworkManager on Ubuntu 17.04 :)
(Side note: I am a college student and C/C++ dev who loves Ubuntu <3 Also, this took quite a bit
of research on the GLib API, systemd-resolved API, and much much tracing using our good friend
'grep -r' for built in functions and enums of the Gnome network manager itself. No additional
compiler warnings are generated, the patch conforms to the C90 standard, and the syntax style
used throughout the network manager source code was maintained.)
I will attach the small text patch generated using 'diff -u' along with the patched generated
.deb file for your convenience. Cheers, and I hope this helps you all!