--- a/src/dns-manager/nm-dns-systemd-resolved.c	2017-06-07 19:36:56.499266223 -0400
+++ b/src/dns-manager/nm-dns-systemd-resolved.c	2017-06-07 19:37:08.019457138 -0400
@@ -235,6 +235,7 @@
 	NMDnsSystemdResolvedPrivate *priv = NM_DNS_SYSTEMD_RESOLVED_GET_PRIVATE (self);
 	GVariantBuilder dns, domains;
 	GList *l;
+	NMLinkType link_type;
 
 	g_variant_builder_init (&dns, G_VARIANT_TYPE ("(ia(iay))"));
 	g_variant_builder_add (&dns, "i", ic->ifindex);
@@ -255,6 +256,21 @@
 	g_variant_builder_close (&dns);
 	g_variant_builder_close (&domains);
 
+	/* determine if link type is a vpn tun/tap connection */
+	link_type = nm_device_get_link_type (nm_manager_get_device_by_ifindex (nm_manager_get (), ic->ifindex));
+
+	if (link_type == NM_LINK_TYPE_TUN || link_type == NM_LINK_TYPE_TAP 
+	    || link_type == NM_LINK_TYPE_GRE || link_type == NM_LINK_TYPE_GRETAP) {
+
+		_LOGI ("Link #%d type is VPN TUN or TAP, fixing DNS leak...", ic->ifindex);
+		g_variant_builder_clear (&domains);
+		g_variant_builder_init (&domains, G_VARIANT_TYPE ("(ia(sb))"));
+		g_variant_builder_add (&domains, "i", ic->ifindex);
+		g_variant_builder_open (&domains, G_VARIANT_TYPE ("a(sb)"));
+		g_variant_builder_add (&domains, "(sb)", ".", TRUE);
+		g_variant_builder_close (&domains);
+	}
+
 	g_queue_push_tail (&priv->dns_updates,
 	                   g_variant_ref_sink (g_variant_builder_end (&dns)));
 	g_queue_push_tail (&priv->domain_updates,