Please note that this patch and fix only works for Ubuntu 17.04 which relies on systemd-resolved as a DNS/DNSSEC stub resolver, as well as an LLMNR resolver. You also need to be using a network-manager plugin like network-manager-openvpn-gnome. Install and configure an openvpn connection after going 'sudo apt-get install network-manager- openvpn-gnome', importing a config file, connecting (if possible), and observing the fact that there are DNS leaks (queries WILL be routed to your ISP) with online tools like those at https://dnsleaktest.com. Otherwise, just know that systemd-resolved naturally leaks DNS queries over all configured domains on all interfaces by design unless a specific system bus call is made. In this case, the SetLinkDomains(in i ifindex, in a(sb) domains) method, if passed the interface index followed by an array containing the "routing-only" domain "~." (see https://manpages.debian.org/testing/systemd/systemd.network.5.en.html) and the boolean true. But enough with the technical details, lets move on to the fix! First, make sure you have all necessary packages to build the network manager, install with: sudo apt update sudo apt-get build-dep network-manager cd ~/Documents mkdir nm && cd nm apt-get source network-manager cd network-manager-1.4.4/ Copy the patch file into the network-manager-1.4.4 directory: cp ~/Downloads/resolved-vpn-dns-leak-fix.patch . Apply the patch with: patch -p1 < resolved-vpn-dns-leak-fix.patch Remove patch from source directory before compilation: rm resolved-vpn-dns-leak-fix.patch Compile and build .deb package for installation (this will take a while): dpkg-buildpackage -us -uc -b The compiled .debs should be in the parent directory you created nm: cd ../ First, stop all network services: sudo service network-manager stop sudo service networking stop Install just the patched network manager (the other .debs are not necessary): sudo dpkg -i network-manager_1.4.4-1ubuntu3_amd64.deb Bring network services back up: sudo service networking start sudo service network-manager start Connect to standard openvpn via network-manager-openvpn GUI (or other plugin) Search the syslog for something like: NetworkManager[876]: [1496716774.9849] systemd-resolved[0x55b0132ec2b0]: Link type is VPN TUN or TAP, fixing DNS leak... and verify that the VPN link (for example tun0) includes the descriptor: DNS Domain: ~. using the command: systemd-resolve --status When compiling network manager, several bogus links are created and will show up when you type 'systemd-resolve --status', don't worry they will disappear once you reboot. Then open your browser, navigate to https://dnsleaktest.com and select Extended test You should only see your VPN provider's DNS servers. For example, with PIA you should see something like: Test complete Query round Progress... Servers found 1 ...... 1 2 ...... 1 3 ...... 1 4 ...... 1 5 ...... 1 6 ...... 1 IP Hostname ISP Country 173.239.220.5 ip-5-220-239-173.east.us.northamericancoax.com GoLightSpeed United States Now, to prevent Ubuntu apt from replacing your patched, VPN-DNS-leak-free version of network manager that relies on systemd-resolved, use the command: sudo apt-mark hold network-manager Thats all, you're done. Congrats, no DNS leaks on Ubuntu 17.04! I hope that I was able to make your life easier and more secure using openvpn or other vpn services through the built-in GUI for the Gnome NetworkManager on Ubuntu 17.04 :) (Side note: I am a college student and C/C++ dev who loves Ubuntu <3 Also, this took quite a bit of research on the GLib API, systemd-resolved API, and much much tracing using our good friend 'grep -r' for built in functions and enums of the Gnome network manager itself. No additional compiler warnings are generated, the patch conforms to the C90 standard, and the syntax style used throughout the network manager source code was maintained.) I will attach the small text patch generated using 'diff -u' along with the patched generated .deb file for your convenience. Cheers, and I hope this helps you all!