block outside dns, fix dns leak ubuntu 18.04

Using a DNS leak test while under my VPN I discovered that it was leaking. I've set up my VPN via NetworkManager and it works properly except for the leak.

First, I've tried to add block-outside-vpn to the configuration file, except that under /etc/NetworkManager/system-connections it does not follow the same format. I couldn't find the documentation on how to properly write one for DNS leaks.

Also, on Ubuntu 18.04 resolv.conf does not work like it used to, and all the other answers are based on that.

Briefly, how do I block outside DNS (the leak) using NetworkManager configuration files or the GUI?


To fix DNS leaks on Ubuntu 18.04, you can edit a file called /etc/dhcp/dhclient.conf. According to the manual page, this file "provides a means for configuring one or more network interfaces using the Dynamic Host Configuration Protocol, BOOTP protocol, or if these protocols fail, by statically assigning an address."

As for fixing your DNS leaks, we will be editing this file. Opening it with the proper permissions, you will see a commented line that looks something like this:

#prepend domain-name-servers 127.0.0.53;

Uncomment this line, and change the domain-name-server to a different one, such as OpenDNS: 208.67.222.222. Using this OpenDNS address, this line would now look like this:

prepend domain-name-servers 208.67.222.222;

After saving the file and rebooting your system, this should fix the DNS leaks on Ubuntu 18.04.


I suggest using dnscrypt.

First install it:

sudo apt install dnscrypt-proxy

By default it listens on 127.0.2.1 port 53.

Edit your VPN or any other connection you like and set 127.0.2.1 as its DNS server; using the CLI you can run:

nmcli connection modify [CONNECTION-NAME] ipv4.dns 127.0.2.1

And, just in case, block outgoing DNS requests:

sudo ufw deny out 53

And make sure the firewall is enabled:

sudo ufw enable

If you have a DNS leak as indicated by checking on browserleaks.com or dnsleaktest.com,

  1. Shut off your VPN connection

  2. Attempt to undo any .conf file edits you've already wasted time making. If you've been trying a lot of various suggestions, your best chance might be to do a fresh install and ensure you've also installed networkmanager-openvpn-gnome, as Ubuntu does not provide VPN config importing by default.

  3. Install dnsmasq

    sudo apt update
    sudo apt install dnsmasq
    
  4. Disable resolved

    sudo systemctl disable systemd-resolved.service
    sudo systemctl stop systemd-resolved.service
    
  5. Remove /etc/resolv.conf and create a new one:

    sudo rm /etc/resolv.conf
    sudo nano /etc/resolv.conf
    
  6. Enter into your empty .conf file:

    nameserver 127.0.0.1

    That's all!
    
  7. Press Ctrl+x to exit the editor. Enter y to save and then press Enter to overwrite your new resolv.conf file.

  8. Edit your NetworkManager.conf file

    sudo nano /etc/NetworkManager/NetworkManager.conf
    

    and add the following:

    dns=dnsmasq
    

    beneath the lines [main] and plugins=ifupdown, keyfile (navigate using the arrow keys), exactly like this with the new line added:

    [main]
    plugins=ifupdown, keyfile
    dns=dnsmasq
    

    Press Ctrl+x to exit the editor. Enter y to save and then press Enter to overwrite the file.

  9. Back out of the terminal, reboot the system and check your DNS leak test site for results.

With thanks to Anonymous VPN, whose solutions for leaks on Ubuntu/NetworkManager seem well researched and successful. THEY WORK, and when no other solutions worked for me, these did. The solution shown above works for Ubuntu 17.x and 18.04 LTS. See his other solution for 16.04 LTS.
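The dnscrypt answer and the dnsmasq answer above both end in the same state: every nameserver the system uses is a loopback listener, and NetworkManager is told to run dnsmasq. The script below is an added example (not code from any of the answers) that audits the contents of /etc/resolv.conf and /etc/NetworkManager/NetworkManager.conf for that state; the sample file contents are constructed, and it only inspects files, so it says nothing about the ufw rule or the systemd-resolved stub's actual upstreams.

```python
import configparser
import ipaddress

# 127.0.0.53 is the systemd-resolved stub: loopback, but it forwards to whatever
# upstream servers DHCP handed each link, so it proves nothing about leaks.
RESOLVED_STUB = "127.0.0.53"


def audit_resolv_conf(text):
    """Return findings for the nameserver lines of a resolv.conf; [] means clean."""
    findings, servers = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    if not servers:
        findings.append("no nameserver line at all")
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            findings.append(f"unparseable nameserver {server!r} (stray character?)")
            continue
        if server == RESOLVED_STUB:
            findings.append("systemd-resolved stub in use; check its per-link upstreams")
        elif not addr.is_loopback:
            findings.append(f"non-loopback nameserver {server}; verify it is only reachable via the tunnel")
    return findings


def audit_networkmanager_conf(text):
    """Check that NetworkManager is told to run a local dnsmasq ([main] dns=dnsmasq)."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    dns = parser.get("main", "dns", fallback=None)
    return [] if dns == "dnsmasq" else [f"[main] dns={dns!r}, expected 'dnsmasq'"]


# Constructed sample contents, not taken from a real host.
LEAKING_RESOLV = "# Generated by NetworkManager\nnameserver 192.168.1.1\n"
FIXED_RESOLV = "nameserver 127.0.0.1\n"
FIXED_NM_CONF = "[main]\nplugins=ifupdown,keyfile\ndns=dnsmasq\n"

if __name__ == "__main__":
    for label, text in (("leaking", LEAKING_RESOLV), ("fixed", FIXED_RESOLV)):
        print(label, "resolv.conf:", audit_resolv_conf(text) or "ok")
    print("NetworkManager.conf:", audit_networkmanager_conf(FIXED_NM_CONF) or "ok")
```

The unparseable-nameserver finding is what a stray character in a hand-edited resolv.conf looks like, which is a cheaper way to catch it than a reboot and another leak test.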