After careful troubleshooting, manually running openvpn with a protonvpn config file results in a secure vpn dns address written to the /etc/resolv.conf file. However, when carefully configuring up the protonvpn in Network Manager’s configuration “Import VPN connection” so that it runs, the resolv.conf file contains the DNS addresses set by parameters in the DNS part of the active network (in my case eth0). How can Network Manager be told to switch these DNS addresses to a VPN DNS address? DNS Leaks occur and they need to be prevented.
Can you share a bit more detail about the VPN configuration? Examine the VPN connection profile with respect to the IP settings (located in /etc/NetworkManager/system-connections/).
Alternatively, via the NM GUI, is the VPN connection profile IPv4 setting set to ‘Automatic’?
You could also share the NM logging when the VPN connection is started for more info…
sudo journalctl -fu NetworkManager
Does it contain the DNS address provided by the VPN service?
Yes
nameserver 10.96.0.1
See man nm-settings, search for dns-priority.
Deano:
Sorry for the long post but I believe this should be sufficient to explain what is happening.
Summary: Upon vpn being activated in Network Manager, the static DNS settings from eth0 are also being inserted into the resolv.conf file
% cat logging_Network_Manager.log
-------------------------------
Network disconnected manually
-------------------------------
Feb 18 09:20:11 localhost.localdomain NetworkManager[868]: [1739899211.9776] device (eth0): state change: activated → deactivating (reason ‘user-requested’, sys-iface-state: ‘managed’)
Feb 18 09:20:11 localhost.localdomain NetworkManager[868]: [1739899211.9778] manager: NetworkManager state is now DISCONNECTING
Feb 18 09:20:11 localhost.localdomain NetworkManager[868]: [1739899211.9783] audit: op=“device-disconnect” interface=“eth0” ifindex=2 pid=1543 uid=1000 result=“success”
Feb 18 09:20:12 localhost.localdomain NetworkManager[868]: [1739899212.1360] device (eth0): state change: deactivating → disconnected (reason ‘user-requested’, sys-iface-state: ‘managed’)
Feb 18 09:20:12 localhost.localdomain NetworkManager[868]: [1739899212.1739] dhcp4 (eth0): canceled DHCP transaction, DHCP client pid 14954
Feb 18 09:20:12 localhost.localdomain NetworkManager[868]: [1739899212.1739] dhcp4 (eth0): activation: beginning transaction (timeout in 45 seconds)
Feb 18 09:20:12 localhost.localdomain NetworkManager[868]: [1739899212.1740] dhcp4 (eth0): state changed no lease
Feb 18 09:20:12 localhost.localdomain NetworkManager[17013]: ATTENTION: /etc/resolv.conf is not a link to /run/netconfig/resolv.conf
Feb 18 09:20:12 localhost.localdomain NetworkManager[17013]: call “netconfig update -f” to adjust /etc/resolv.conf
Feb 18 09:20:12 localhost.localdomain NetworkManager[868]: [1739899212.2799] dns-mgr: could not commit DNS changes: Error calling netconfig: exited with status 20
Feb 18 09:20:12 localhost.localdomain NetworkManager[868]: [1739899212.3084] manager: NetworkManager state is now DISCONNECTED
Feb 18 09:20:12 localhost.localdomain NetworkManager[868]: [1739899212.3090] audit: op=“statistics” interface=“eth0” ifindex=2 args=“0” pid=1543 uid=1000 result=“success”
------------------------------------------------------------
localhost:/home/owner/Desktop # cat /etc/resolv.conf
------------------------------------------------------------
### /etc/resolv.conf is a symlink to /run/netconfig/resolv.conf
### autogenerated by netconfig!
#
# Before you change this file manually, consider to define the
# static DNS configuration using the following variables in the
# /etc/sysconfig/network/config file:
# NETCONFIG_DNS_STATIC_SEARCHLIST
# NETCONFIG_DNS_STATIC_SERVERS
# NETCONFIG_DNS_FORWARDER
# or disable DNS configuration updates via netconfig by setting:
# NETCONFIG_DNS_POLICY=‘’
#
# See also the netconfig(8) manual page and other documentation.
#
### Call “netconfig update -f” to force adjusting of /etc/resolv.conf.
nameserver 208.67.222.222
nameserver 208.67.220.220
------------------------------------------
and checking this to see if it is linked
------------------------------------------
% ls -adl resolv.conf
lrwxrwxrwx 1 root root 26 Feb 18 09:22 resolv.conf → /run/netconfig/resolv.conf
----------------------------------------------------------------------------------
so this is true
Dumping protonvpn config from /etc/NetworkManager/system-connections/us-free-1.protonvpn.udp.nmconnection
----------------------------------------------------------------------------------------------------------
[connection]
id=us-free-1.protonvpn.udp
uuid=832a6eb4-3006-4b25-a8df-dcf541c472e9
type=vpn
[vpn]
ca=/home/owner/.cert/nm-openvpn/us-free-1.protonvpn.udp-ca.pem
cipher=AES-256-GCM
connection-type=password
dev=tun
mssfix=0
password-flags=0
remote=146.70.230.146:5060, 146.70.230.146:4569, 146.70.230.146:51820, 146.70.230.146:1194, 146.70.230.146:80
remote-cert-tls=server
remote-random=yes
reneg-seconds=0
tls-crypt=/home/owner/.cert/nm-openvpn/us-free-1.protonvpn.udp-tls-crypt.pem
tunnel-mtu=1500
username=[redacted:assigned by ProtonVPN]
service-type=org.freedesktop.NetworkManager.openvpn
[vpn-secrets]
password=[redacted:assigned by ProtonVPN]
[ipv4]
may-fail=false
method=auto
[ipv6]
addr-gen-mode=stable-privacy
method=disabled
[proxy]
--------------------------------------------------------------
Now I dump the openvpn us-free-1.protonvpn.udp.ovpn file
--------------------------------------------------------------
# ==============================================================================
# Copyright (c) 2023 Proton AG (Switzerland)
# Email: contact@protonvpn.com
#
# The MIT License (MIT)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the “Software”), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR # OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
# IN THE SOFTWARE.
# ==============================================================================
# The server you are connecting to is using a circuit in order to separate entry IP from exit IP
# The same entry IP allows to connect to multiple exit IPs in the same data center.
# If you want to explicitly select the exit IP corresponding to server US-FREE#1 you need to
# append a special suffix to your OpenVPN username.
# Please use “glke65rw3-ZCfAT03mmXlJc9+b:0” in order to enforce exiting through US-FREE#1.
# If you are a paying user you can also enable the ProtonVPN ad blocker (NetShield) or Moderate NAT:
# Use: “glke65rw3-ZCfAT03mmXlJc9+b:0+f1” to enable anti-malware filtering
# Use: “glke65rw3-ZCfAT03mmXlJc9+b:0+f2” to additionally enable ad-blocking filtering
# Use: “glke65rw3-ZCfAT03mmXlJc9+b:0+nr” to enable Moderate NAT
# Note that you can combine the “+nr” suffix with other suffixes.
client
dev tun
proto udp
remote 146.70.230.146 5060
remote 146.70.230.146 4569
remote 146.70.230.146 51820
remote 146.70.230.146 1194
remote 146.70.230.146 80
remote-random
resolv-retry infinite
nobind
cipher AES-256-GCM
setenv CLIENT_CERT 0
tun-mtu 1500
mssfix 0
persist-key
persist-tun
reneg-sec 0
remote-cert-tls server
auth-user-pass
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
NOTE: Via the NM GUI, the VPN connection profile IPv4 setting IS set to Method: Automatic
Starting up the Network Manager and activating the vpn connection
-------------------------------------------------------------------
Feb 18 09:20:12 localhost.localdomain NetworkManager[868]: [1739899212.3090] audit: op=“statistics” interface=“eth0” ifindex=2 args=“0” pid=1543 uid=1000 result=“success”
Feb 18 09:37:21 localhost.localdomain NetworkManager[868]: [1739900241.1949] device (eth0): Activation: starting connection ‘eth0’ (7ba00b1d-8cdd-30da-91ad-bb83ed4f7474)
Feb 18 09:37:21 localhost.localdomain NetworkManager[868]: [1739900241.1950] audit: op=“connection-activate” uuid=“7ba00b1d-8cdd-30da-91ad-bb83ed4f7474” name=“eth0” pid=1543 uid=1000 result=“success”
Feb 18 09:37:21 localhost.localdomain NetworkManager[868]: [1739900241.1950] device (eth0): state change: disconnected → prepare (reason ‘none’, sys-iface-state: ‘managed’)
Feb 18 09:37:21 localhost.localdomain NetworkManager[868]: [1739900241.1952] manager: NetworkManager state is now CONNECTING
Feb 18 09:37:21 localhost.localdomain NetworkManager[868]: [1739900241.1954] device (eth0): state change: prepare → config (reason ‘none’, sys-iface-state: ‘managed’)
Feb 18 09:37:21 localhost.localdomain NetworkManager[868]: [1739900241.1958] device (eth0): state change: config → ip-config (reason ‘none’, sys-iface-state: ‘managed’)
Feb 18 09:37:21 localhost.localdomain NetworkManager[868]: [1739900241.1959] dhcp4 (eth0): activation: beginning transaction (timeout in 45 seconds)
Feb 18 09:37:21 localhost.localdomain NetworkManager[868]: [1739900241.2021] dhcp4 (eth0): dhclient started with pid 18195
Feb 18 09:37:21 localhost.localdomain NetworkManager[868]: [1739900241.3876] dhcp4 (eth0): address 192.168.0.12
Feb 18 09:37:21 localhost.localdomain NetworkManager[868]: [1739900241.3877] dhcp4 (eth0): plen 24 (255.255.255.0)
Feb 18 09:37:21 localhost.localdomain NetworkManager[868]: [1739900241.3877] dhcp4 (eth0): gateway 192.168.0.1
Feb 18 09:37:21 localhost.localdomain NetworkManager[868]: [1739900241.3877] dhcp4 (eth0): lease time 86400
Feb 18 09:37:21 localhost.localdomain NetworkManager[868]: [1739900241.3877] dhcp4 (eth0): nameserver ‘208.67.222.222’
Feb 18 09:37:21 localhost.localdomain NetworkManager[868]: [1739900241.3877] dhcp4 (eth0): nameserver ‘208.67.220.220’
Feb 18 09:37:21 localhost.localdomain NetworkManager[868]: [1739900241.3877] dhcp4 (eth0): nameserver ‘8.8.8.8’
Feb 18 09:37:21 localhost.localdomain NetworkManager[868]: [1739900241.3877] dhcp4 (eth0): state changed new lease, address=192.168.0.12
Feb 18 09:37:21 localhost.localdomain NetworkManager[868]: [1739900241.3883] policy: set ‘eth0’ (eth0) as default for IPv4 routing and DNS
Feb 18 09:37:21 localhost.localdomain NetworkManager[868]: [1739900241.3887] device (eth0): state change: ip-config → ip-check (reason ‘none’, sys-iface-state: ‘managed’)
Feb 18 09:37:21 localhost.localdomain NetworkManager[868]: [1739900241.4093] device (eth0): state change: ip-check → secondaries (reason ‘none’, sys-iface-state: ‘managed’)
Feb 18 09:37:21 localhost.localdomain NetworkManager[868]: [1739900241.4095] device (eth0): state change: secondaries → activated (reason ‘none’, sys-iface-state: ‘managed’)
Feb 18 09:37:21 localhost.localdomain NetworkManager[868]: [1739900241.4097] manager: NetworkManager state is now CONNECTED_SITE
Feb 18 09:37:21 localhost.localdomain NetworkManager[868]: [1739900241.4100] device (eth0): Activation: successful, device activated.
Feb 18 09:37:21 localhost.localdomain NetworkManager[868]: [1739900241.9545] audit: op=“statistics” interface=“eth0” ifindex=2 args=“2000” pid=1543 uid=1000 result=“success”
Feb 18 09:37:22 localhost.localdomain NetworkManager[868]: [1739900242.2959] manager: NetworkManager state is now CONNECTED_GLOBAL
-----------------------------------------------------------
Network Manager is up and now starting the vpn connection
-----------------------------------------------------------
Feb 18 09:37:24 localhost.localdomain NetworkManager[868]: [1739900244.6377] vpn[0x5630db7b2720,832a6eb4-3006-4b25-a8df-dcf541c472e9,“us-free-1.protonvpn.udp”]: starting openvpn
Feb 18 09:37:24 localhost.localdomain NetworkManager[868]: [1739900244.6380] audit: op=“connection-activate” uuid=“832a6eb4-3006-4b25-a8df-dcf541c472e9” name=“us-free-1.protonvpn.udp” pid=1543 uid=1000 result=“success”
Feb 18 09:37:24 localhost.localdomain nm-openvpn[18387]: OpenVPN 2.5.6 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 16 2022
Feb 18 09:37:24 localhost.localdomain nm-openvpn[18387]: library versions: OpenSSL 1.1.1l-fips 24 Aug 2021 SUSE release 150500.17.37.1, LZO 2.10
Feb 18 09:37:24 localhost.localdomain nm-openvpn[18387]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 18 09:37:24 localhost.localdomain nm-openvpn[18387]: TCP/UDP: Preserving recently used remote address: [AF_INET]146.70.230.146:51820
Feb 18 09:37:24 localhost.localdomain nm-openvpn[18387]: UDP link local: (not bound)
Feb 18 09:37:24 localhost.localdomain nm-openvpn[18387]: UDP link remote: [AF_INET]146.70.230.146:51820
Feb 18 09:37:24 localhost.localdomain nm-openvpn[18387]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Feb 18 09:37:25 localhost.localdomain nm-openvpn[18387]: WARNING: ‘link-mtu’ is used inconsistently, local=‘link-mtu 1549’, remote=‘link-mtu 1541’
Feb 18 09:37:25 localhost.localdomain nm-openvpn[18387]: WARNING: ‘auth’ is used inconsistently, local=‘auth [null-digest]’, remote=‘auth SHA1’
Feb 18 09:37:25 localhost.localdomain nm-openvpn[18387]: WARNING: ‘keysize’ is used inconsistently, local=‘keysize 256’, remote=‘keysize 128’
Feb 18 09:37:25 localhost.localdomain nm-openvpn[18387]: [node-us-293.protonvpn.net] Peer Connection Initiated with [AF_INET]146.70.230.146:51820
Feb 18 09:37:26 localhost.localdomain nm-openvpn[18387]: NOTE: setsockopt TCP_NODELAY=1 failed
Feb 18 09:37:26 localhost.localdomain nm-openvpn[18387]: TUN/TAP device tun0 opened
Feb 18 09:37:26 localhost.localdomain nm-openvpn[18387]: /usr/lib/nm-openvpn-service-openvpn-helper --debug 0 18383 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_335 --tun -- tun0 1500 1624 10.96.0.113 255.255.0.0 init
Feb 18 09:37:26 localhost.localdomain NetworkManager[868]: [1739900246.3506] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/76)
Feb 18 09:37:26 localhost.localdomain NetworkManager[868]: [1739900246.3724] device (tun0): state change: unmanaged → unavailable (reason ‘connection-assumed’, sys-iface-state: ‘external’)
Feb 18 09:37:26 localhost.localdomain NetworkManager[868]: [1739900246.3737] device (tun0): state change: unavailable → disconnected (reason ‘connection-assumed’, sys-iface-state: ‘external’)
Feb 18 09:37:26 localhost.localdomain NetworkManager[868]: [1739900246.3741] device (tun0): Activation: starting connection ‘tun0’ (59195014-306d-4fb7-b75c-30d8ea52a3bc)
Feb 18 09:37:26 localhost.localdomain NetworkManager[868]: [1739900246.3742] device (tun0): state change: disconnected → prepare (reason ‘none’, sys-iface-state: ‘external’)
Feb 18 09:37:26 localhost.localdomain NetworkManager[868]: [1739900246.3744] device (tun0): state change: prepare → config (reason ‘none’, sys-iface-state: ‘external’)
Feb 18 09:37:26 localhost.localdomain NetworkManager[868]: [1739900246.3745] device (tun0): state change: config → ip-config (reason ‘none’, sys-iface-state: ‘external’)
Feb 18 09:37:26 localhost.localdomain NetworkManager[868]: [1739900246.3746] device (tun0): state change: ip-config → ip-check (reason ‘none’, sys-iface-state: ‘external’)
Feb 18 09:37:26 localhost.localdomain nm-openvpn[18387]: GID set to nm-openvpn
Feb 18 09:37:26 localhost.localdomain nm-openvpn[18387]: UID set to nm-openvpn
Feb 18 09:37:26 localhost.localdomain nm-openvpn[18387]: Initialization Sequence Completed
Feb 18 09:37:26 localhost.localdomain NetworkManager[868]: [1739900246.3774] policy: set ‘us-free-1.protonvpn.udp’ (tun0) as default for IPv4 routing and DNS
Feb 18 09:37:26 localhost.localdomain NetworkManager[868]: [1739900246.5055] device (tun0): state change: ip-check → secondaries (reason ‘none’, sys-iface-state: ‘external’)
Feb 18 09:37:26 localhost.localdomain NetworkManager[868]: [1739900246.5056] device (tun0): state change: secondaries → activated (reason ‘none’, sys-iface-state: ‘external’)
Feb 18 09:37:26 localhost.localdomain NetworkManager[868]: [1739900246.5060] device (tun0): Activation: successful, device activated.
------------------------------------------------
Dumping the current /etc/resolv.conf symlink
------------------------------------------------
### /etc/resolv.conf is a symlink to /run/netconfig/resolv.conf
### autogenerated by netconfig!
#
# Before you change this file manually, consider to define the
# static DNS configuration using the following variables in the
# /etc/sysconfig/network/config file:
# NETCONFIG_DNS_STATIC_SEARCHLIST
# NETCONFIG_DNS_STATIC_SERVERS
# NETCONFIG_DNS_FORWARDER
# or disable DNS configuration updates via netconfig by setting:
# NETCONFIG_DNS_POLICY=‘’
#
# See also the netconfig(8) manual page and other documentation.
#
### Call “netconfig update -f” to force adjusting of /etc/resolv.conf.
nameserver 10.96.0.1
nameserver 8.8.8.8
nameserver 8.8.4.4
-----------------------------------------------------
What are Google's DNS addresses doing inserted into this file?
-----------------------------------------------------
Carefully checking shows that under the IPV4 tab in eth0 configuration that
DNS Servers: 8.8.8.8, 8.8.4.4
are set, and nowhere else is this found, not in Network Manager nor protonvpn config
so apparently these addresses are picked up from eth0 and pushed into the resolv.conf symlink file
----------------------------------------------------------------------
Manually disconnecting tun0 vpn connection from the NetworkManager
----------------------------------------------------------------------
Feb 18 09:47:56 localhost.localdomain NetworkManager[868]: [1739900876.1474] audit: op=“statistics” interface=“eth0” ifindex=2 args=“2000” pid=1543 uid=1000 result=“success”
Feb 18 09:47:59 localhost.localdomain NetworkManager[868]: [1739900879.2807] audit: op=“connection-deactivate” uuid=“832a6eb4-3006-4b25-a8df-dcf541c472e9” name=“us-free-1.protonvpn.udp” pid=1543 uid=1000 result=“success”
Feb 18 09:47:59 localhost.localdomain NetworkManager[868]: [1739900879.4210] policy: set ‘eth0’ (eth0) as default for IPv4 routing and DNS
Feb 18 09:47:59 localhost.localdomain nm-openvpn[18387]: SIGTERM received, sending exit notification to peer
Feb 18 09:48:00 localhost.localdomain nm-openvpn[18387]: /bin/ip addr del dev tun0 10.96.0.113/16
Feb 18 09:48:00 localhost.localdomain NetworkManager[19330]: RTNETLINK answers: Operation not permitted
Feb 18 09:48:00 localhost.localdomain nm-openvpn[18387]: Linux ip addr del failed: external program exited with error status: 2
Feb 18 09:48:00 localhost.localdomain NetworkManager[868]: [1739900880.7472] device (tun0): state change: activated → unmanaged (reason ‘unmanaged’, sys-iface-state: ‘removed’)
Feb 18 09:48:00 localhost.localdomain nm-openvpn[18387]: SIGTERM[soft,exit-with-notification] received, process exiting
NOTE: /etc/resolv.conf now shows ONLY
nameserver 8.8.8.8
nameserver 8.8.4.4
Manually activating the openvpn us-free-1.protonvpn.udp.ovpn config
journal file shows
Feb 18 09:52:19 localhost.localdomain NetworkManager[868]: [1739901139.6742] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/79)
Feb 18 09:52:19 localhost.localdomain NetworkManager[868]: [1739901139.6916] device (tun0): state change: unmanaged → unavailable (reason ‘connection-assumed’, sys-iface-state: ‘external’)
Feb 18 09:52:19 localhost.localdomain NetworkManager[868]: [1739901139.6919] device (tun0): state change: unavailable → disconnected (reason ‘connection-assumed’, sys-iface-state: ‘external’)
Feb 18 09:52:19 localhost.localdomain NetworkManager[868]: [1739901139.6924] device (tun0): Activation: starting connection ‘tun0’ (cf771b2e-9ae5-4564-8ec4-8420f690470d)
Feb 18 09:52:19 localhost.localdomain NetworkManager[868]: [1739901139.6925] device (tun0): state change: disconnected → prepare (reason ‘none’, sys-iface-state: ‘external’)
Feb 18 09:52:19 localhost.localdomain NetworkManager[868]: [1739901139.6927] device (tun0): state change: prepare → config (reason ‘none’, sys-iface-state: ‘external’)
Feb 18 09:52:19 localhost.localdomain NetworkManager[868]: [1739901139.6928] device (tun0): state change: config → ip-config (reason ‘none’, sys-iface-state: ‘external’)
Feb 18 09:52:19 localhost.localdomain NetworkManager[868]: [1739901139.6930] device (tun0): state change: ip-config → ip-check (reason ‘none’, sys-iface-state: ‘external’)
Feb 18 09:52:19 localhost.localdomain NetworkManager[868]: [1739901139.7262] device (tun0): state change: ip-check → secondaries (reason ‘none’, sys-iface-state: ‘external’)
Feb 18 09:52:19 localhost.localdomain NetworkManager[868]: [1739901139.7264] device (tun0): state change: secondaries → activated (reason ‘none’, sys-iface-state: ‘external’)
Feb 18 09:52:19 localhost.localdomain NetworkManager[868]: [1739901139.7332] device (tun0): Activation: successful, device activated.
and resolv.conf shows
% ls -adl /etc/resolv.conf
lrwxrwxrwx 1 root root 26 Feb 18 09:22 /etc/resolv.conf → /run/netconfig/resolv.conf
% cat /etc/resolv.conf
# Generated by resolvconf
nameserver 10.96.0.1
And this is what is necessary to keep DNS leaks from happening
As already mentioned dns-priority (man nm-settings) is your friend here:
DNS priority. The relative priority to be used when determining the order of DNS servers in resolv.conf. A lower value means that servers will be on top of the file. Zero selects the default value, which is 50 for VPNs and 100 for other connections. When multiple devices have configurations with the same priority, the one with an active default route will be preferred. Note that when using dns=dnsmasq the order is meaningless since dnsmasq forwards queries to all known servers at the same time. Negative values have the special effect of excluding other configurations with a greater priority value; so in presence of at least a negative priority, only DNS servers from configurations with the lowest priority value will be used.
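How the dns-priority rules quoted above play out for the two profiles in this thread, as an added Python example (not from any poster and not NetworkManager's own code). The eth0 keyfile and the names `load_profile`, `resolv_conf_servers` and `leaked_servers` are constructed for illustration, and the same-priority default-route tie-break is left out.

```python
import configparser
from dataclasses import dataclass

# Constructed keyfiles, trimmed to the fields that matter for DNS ordering.
ETH0 = """
[connection]
id=eth0
type=ethernet
[ipv4]
method=auto
dns=8.8.8.8;8.8.4.4;
"""
VPN_AS_IMPORTED = """
[connection]
id=us-free-1.protonvpn.udp
type=vpn
[ipv4]
method=auto
"""
VPN_NEGATIVE_PRIORITY = VPN_AS_IMPORTED + "dns-priority=-1\n"


@dataclass
class Profile:
    name: str
    is_vpn: bool
    dns_priority: int
    servers: list


def load_profile(keyfile_text, pushed_dns=()):
    """Parse a keyfile; pushed_dns holds servers supplied by the VPN server."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(keyfile_text)
    ipv4 = cp["ipv4"] if cp.has_section("ipv4") else {}
    static = [s for s in ipv4.get("dns", "").split(";") if s]
    return Profile(
        name=cp["connection"]["id"],
        is_vpn=cp["connection"]["type"] == "vpn",
        dns_priority=int(ipv4.get("dns-priority", "0")),
        servers=static + list(pushed_dns),
    )


def effective_priority(p):
    """Zero selects the default: 50 for VPNs, 100 for other connections."""
    if p.dns_priority != 0:
        return p.dns_priority
    return 50 if p.is_vpn else 100


def resolv_conf_servers(profiles):
    """Order servers by priority; a negative lowest value excludes the rest."""
    ranked = sorted(profiles, key=effective_priority)
    lowest = effective_priority(ranked[0])
    if lowest < 0:
        ranked = [p for p in ranked if effective_priority(p) == lowest]
    ordered = []
    for p in ranked:
        for server in p.servers:
            if server not in ordered:
                ordered.append(server)
    return ordered


def leaked_servers(profiles):
    """Servers in the resulting list that did not come from a VPN profile."""
    vpn_dns = {s for p in profiles if p.is_vpn for s in p.servers}
    return [s for s in resolv_conf_servers(profiles) if s not in vpn_dns]


if __name__ == "__main__":
    eth0 = load_profile(ETH0)
    for label, text in (("as imported", VPN_AS_IMPORTED),
                        ("dns-priority=-1", VPN_NEGATIVE_PRIORITY)):
        vpn = load_profile(text, pushed_dns=["10.96.0.1"])
        print(label, resolv_conf_servers([eth0, vpn]),
              "leak:", leaked_servers([eth0, vpn]))
```

In a keyfile the setting is `dns-priority=-1` under `[ipv4]`; with nmcli it is the `ipv4.dns-priority` property of the VPN connection.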
Removing the static DNS addresses from the DNS tab for eth0 fixed the resolv.conf file, but now I see lingering DNS addresses from normal link operation (without a vpn activated) when checking this at https://www.dnscheck.tools/
From running the DNS check, the output is
Hello! Your public IP addresses are:
GLOBALAXS-MNT
- 146.70.230.149 ns: a.ns.ns247.net Los Angeles, >California, US
Your DNS resolvers are:
Cloudflare
- 162.158.89.23 ns: cruz.ns.cloudflare.com Los Angeles, >California, US
- 162.158.89.29 ns: cruz.ns.cloudflare.com Los Angeles, >California, US
- 162.158.185.11 ns: cruz.ns.cloudflare.com Los >Angeles, California, US
- 162.158.185.163 ns: cruz.ns.cloudflare.com Los >Angeles, California, US
- 172.69.32.211 ns: cruz.ns.cloudflare.com Los Angeles, >California, US
- 172.69.32.212 ns: cruz.ns.cloudflare.com Los Angeles, >California, US
- 172.70.205.166 ns: cruz.ns.cloudflare.com Los >Angeles, California, US
- 172.70.205.167 ns: cruz.ns.cloudflare.com Los >Angeles, California, US
- 172.70.209.36 ns: cruz.ns.cloudflare.com Los Angeles, >California, US
- 172.70.209.38 ns: cruz.ns.cloudflare.com Los Angeles, >California, US
- 172.70.209.39 ns: cruz.ns.cloudflare.com Los Angeles, >California, US
- 172.70.213.18 ns: cruz.ns.cloudflare.com Los Angeles, >California, US
- 172.70.213.161 ns: cruz.ns.cloudflare.com Los >Angeles, California, US
CLOUDFLARE_2400_CB00_0000_36
- 2400:cb00:12:1024::ac45:20d3 ns: >chloe.ns.cloudflare.com Los Angeles, California, US
- 2400:cb00:12:1024::ac45:20d4 ns: >chloe.ns.cloudflare.com Los Angeles, California, US
- 2400:cb00:445:1024::ac46:cda6 ns: >chloe.ns.cloudflare.com Los Angeles, California, US
- 2400:cb00:445:1024::ac46:cda7 ns: >chloe.ns.cloudflare.com Los Angeles, California, US
- 2400:cb00:446:1024::ac46:d124 ns: >chloe.ns.cloudflare.com Los Angeles, California, US
- 2400:cb00:446:1024::ac46:d126 ns: >chloe.ns.cloudflare.com Los Angeles, California, US
- 2400:cb00:446:1024::ac46:d127 ns: >chloe.ns.cloudflare.com Los Angeles, California, US
- 2400:cb00:447:1024::ac46:d512 ns: >chloe.ns.cloudflare.com Los Angeles, California, US
- 2400:cb00:447:1024::ac46:d5a1 ns: >chloe.ns.cloudflare.com Los Angeles, California, US
- 2400:cb00:618:1024::a29e:b90b ns: >chloe.ns.cloudflare.com Los Angeles, California, US
- 2400:cb00:618:1024::a29e:b9a3 ns: >chloe.ns.cloudflare.com Los Angeles, California, US
- 2400:cb00:619:1024::a29e:5917 ns: >chloe.ns.cloudflare.com Los Angeles, California, US
- 2400:cb00:619:1024::a29e:591d ns: >chloe.ns.cloudflare.com Los Angeles, California, US
GLOBALAXS-MNT
- 146.70.230.147 ns: a.ns.ns247.net Los Angeles, >California, US
- 146.70.230.148 ns: a.ns.ns247.net Los Angeles, >California, US
- 146.70.230.149 ns: a.ns.ns247.net Los Angeles, >California, US
- 146.70.230.150 ns: a.ns.ns247.net Los Angeles, >California, US
- 2a0d:5600:4f:23::11 ns: pri.authdns.ripe.net Los >Angeles, California, US
- 2a0d:5600:4f:23::12 ns: pri.authdns.ripe.net Los >Angeles, California, US
- 2a0d:5600:4f:23::13 ns: pri.authdns.ripe.net Los >Angeles, California, US
- 2a0d:5600:4f:23::14 ns: pri.authdns.ripe.net Los >Angeles, California, US
Great! Your DNS responses are authenticated with DNSSEC:
| |ECDSA P-256|ECDSA P-384|Ed25519|
|---|---|---|---|
|Good signature|✓|✓|✓|
|Bad signature|✓|✓|✓|
|Expired signature|✓|✓|✓|
|Missing signature|✓|✓|✓|
Why are these DNS addresses lingering around?
Deano and arvidjaar:
Even though the resolv.conf file entries show only 1 DNS address, the correct one associated with the vpn config, I am still getting DNS leakage, it seems to be from the router now.
I am going to have to stay with manual openvpn for now.
Thanks for your help
Randall
Deano: I was able to add the ProtonVPN configs using the -1 priority and that localized to the DNS IPs that ProtonVPN wanted to use. Thank you for the information.