**********
noctua@corinth:~$ systemd-resolve --status
Global
         DNSSEC NTA: 10.in-addr.arpa
                     16.172.in-addr.arpa
                     168.192.in-addr.arpa
                     17.172.in-addr.arpa
                     18.172.in-addr.arpa
                     19.172.in-addr.arpa
                     20.172.in-addr.arpa
                     21.172.in-addr.arpa
                     22.172.in-addr.arpa
                     23.172.in-addr.arpa
                     24.172.in-addr.arpa
                     25.172.in-addr.arpa
                     26.172.in-addr.arpa
                     27.172.in-addr.arpa
                     28.172.in-addr.arpa
                     29.172.in-addr.arpa
                     30.172.in-addr.arpa
                     31.172.in-addr.arpa
                     corp
                     d.f.ip6.arpa
                     home
                     internal
                     intranet
                     lan
                     local
                     private
                     test

Link 5 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 209.222.18.222
                      209.222.18.218

Link 2 (wlo1)
      Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.1.1
          DNS Domain: home
**********
noctua@corinth:~$ nmcli connection show tun0
connection.id:                          tun0
connection.uuid:                        a61ca484-3ca9-4e88-b6e1-574b4e17ca54
connection.stable-id:                   --
connection.interface-name:              tun0
connection.type:                        tun
connection.autoconnect:                 no
connection.autoconnect-priority:        0
connection.timestamp:                   1497284475
connection.read-only:                   no
connection.permissions:
connection.zone:                        --
connection.master:                      --
connection.slave-type:                  --
connection.autoconnect-slaves:          -1 (default)
connection.secondaries:
connection.gateway-ping-timeout:        0
connection.metered:                     unknown
connection.lldp:                        -1 (default)
ipv4.method:                            manual
ipv4.dns:
ipv4.dns-search:
ipv4.dns-options:                       (default)
ipv4.dns-priority:                      100
ipv4.addresses:                         10.38.1.6/32
ipv4.gateway:                           10.38.1.5
ipv4.routes:                            { ip = 10.38.1.1/32, nh = 10.38.1.5, mt = 50 }
ipv4.route-metric:                      50
ipv4.ignore-auto-routes:                no
ipv4.ignore-auto-dns:                   no
ipv4.dhcp-client-id:                    --
ipv4.dhcp-timeout:                      0
ipv4.dhcp-send-hostname:                yes
ipv4.dhcp-hostname:                     --
ipv4.dhcp-fqdn:                         --
ipv4.never-default:                     no
ipv4.may-fail:                          yes
ipv4.dad-timeout:                       -1 (default)
ipv6.method:                            link-local
ipv6.dns:
ipv6.dns-search:
ipv6.dns-options:                       (default)
ipv6.dns-priority:                      100
ipv6.addresses:
ipv6.gateway:                           --
ipv6.routes:
ipv6.route-metric:                      -1
ipv6.ignore-auto-routes:                no
ipv6.ignore-auto-dns:                   no
ipv6.never-default:                     no
ipv6.may-fail:                          yes
ipv6.ip6-privacy:                       -1 (unknown)
ipv6.addr-gen-mode:                     stable-privacy
ipv6.dhcp-send-hostname:                yes
ipv6.dhcp-hostname:                     --
ipv6.token:                             --
tun.mode:                               1 (tun)
tun.owner:                              --
tun.group:                              --
tun.pi:                                 no
tun.vnet-hdr:                           no
tun.multi-queue:                        no
GENERAL.NAME:                           tun0
GENERAL.UUID:                           a61ca484-3ca9-4e88-b6e1-574b4e17ca54
GENERAL.DEVICES:                        tun0
GENERAL.STATE:                          activated
GENERAL.DEFAULT:                        yes
GENERAL.DEFAULT6:                       no
GENERAL.VPN:                            no
GENERAL.ZONE:                           --
GENERAL.DBUS-PATH:                      /org/freedesktop/NetworkManager/ActiveConnection/4
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/Settings/4
GENERAL.SPEC-OBJECT:                    /
GENERAL.MASTER-PATH:                    --
IP4.ADDRESS[1]:                         10.38.1.6/32
IP4.GATEWAY:                            10.38.1.5
IP4.ROUTE[1]:                           dst = 10.38.1.1/32, nh = 10.38.1.5, mt = 50
IP6.ADDRESS[1]:                         fe80::376b:6f85:5cb7:142/64
IP6.GATEWAY:
**********
extended test from https://dnsleaktest.com

Test complete

Query round   Progress...   Servers found
1             ......        2
2             ......        1
3             ......        2
4             ......        1
5             ......        1
6             ......        2

IP              Hostname                                         ISP                         Country
173.239.219.2   ip-2-219-239-173.east.us.northamericancoax.com   LogicWeb Inc                United States
71.242.0.136    none                                             Verizon Internet Services   United States
71.242.0.214    none                                             Verizon Internet Services   United States
**********
As you can see, the 'routing-only domain' line "DNS Domain: ~." is missing and DNS leaks are clearly happening while connected to the VPN as queries are being routed to the ISP (Verizon in this case).
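
The condition this report points to can be checked mechanically from the status output. The following is an added example, not part of the original report and not systemd or NetworkManager code: it parses `systemd-resolve --status` text and flags a VPN link that lacks the "~." routing-only domain while other links still hold DNS servers. The function names and the shortened sample are assumptions made for illustration.

```python
import re

# Constructed sample, shortened from the status output in the report above.
SAMPLE = """\
Global
         DNSSEC NTA: 10.in-addr.arpa
                     test

Link 5 (tun0)
      Current Scopes: DNS
         DNS Servers: 209.222.18.222
                      209.222.18.218

Link 2 (wlo1)
      Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         DNS Servers: 192.168.1.1
          DNS Domain: home
"""

def parse_links(status_text):
    """Map each 'Link N (ifname)' block to {field: [values]}."""
    links, current, key = {}, None, None
    for line in status_text.splitlines():
        header = re.match(r"Link \d+ \((\S+)\)", line)
        field = re.match(r"\s*([A-Za-z][A-Za-z0-9 /]*):\s+(\S.*)$", line)
        if header:
            current, key = links.setdefault(header.group(1), {}), None
        elif line.startswith("Global"):
            current, key = None, None   # the global section is not a link
        elif current is None or not line.strip():
            continue
        elif field:
            key = field.group(1)
            current.setdefault(key, []).extend(field.group(2).split())
        elif key:                       # continuation line of a multi-value field
            current[key].extend(line.split())
    return links

def leak_findings(status_text, vpn_link):
    """Report a missing '~.' on vpn_link and the other links holding DNS servers."""
    links = parse_links(status_text)
    if vpn_link not in links:
        return [f"{vpn_link}: link not present"]
    if "~." in links[vpn_link].get("DNS Domain", []):
        return []
    findings = [f"{vpn_link}: no '~.' routing-only domain"]
    for name, info in links.items():
        if name != vpn_link and info.get("DNS Servers"):
            findings.append(f"{name}: still has DNS servers " + ", ".join(info["DNS Servers"]))
    return findings

if __name__ == "__main__":
    print("\n".join(leak_findings(SAMPLE, "tun0")))
```
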