Network Manager DNS Caching Without DNS Leaks Using systemd-resolved
Status: Assistant
Joined: 09 Sep 2008
Posts: 740
Reply Quote
The default DNS caching method in NetworkManager is dnsmasq. It works well enough for most people but has a serious design bug that causes DNS leaks when using VPN through NetworkManager [1].

How does this happen? NetworkManager uses dbus to send dnsmasq a new list of nameservers when connecting to VPN. Instead of discarding the current list, like say,, or whatever your ISP gave you, it adds the new nameservers to its rotation.

For example, if your nameserver was previously pointing at your router, like, and your VPN's nameserver is, after connecting to your VPN, you will send half of your requests to, and the other half to This is a huge security failure can leak self-incriminating DNS requests to a public DNS server, especially when one is using VPN to research sensitive topics.

To fix these DNS leaks but also preserve the DNS caching dnsmasq is typically used for, you can use systemd-resolved. In it's default configuration, it listens to requests on and caches most nameservers for about 5 minutes maximum. The good part is when NetworkManager gives systemd-resolved a new list of nameservers, it erases the previous ones from rotation, preventing DNS leaks outside the VPN itself.

How to set up:

1a. Enable and start systemd-resolved.

You can first start and enable systemd-resolved to run at start with the following commands:
:: Code ::
# systemctl enable systemd-resolved.service
# systemctl start systemd-resolved.service

1b. Install nss-resolve module

If you're running Debian or Ubuntu, make sure the nss-resolve module is installed.

:: Code ::
# apt-get install libnss-resolve:amd64 libnss-resolve:i386

Or if you're system is only one architecture, simply install libnss-resolve.

1c. Configure /etc/nsswitch.conf

Edit /etc/nsswitch.conf, and make sure the following line is before dns on the hosts line.

resolve [!UNAVAIL=return]

If you need a more visual example, explains what you need to do:

2. Update NetworkManager.conf

Edit /etc/NetworkManager/NetworkManager.conf, and update the dns= line to dns=systemd-resolved. If your configuration is empty (as is on new distributions), you can simply add the following:

:: Code ::

3. Restart NetworkManager.

You can issue a restart, but I found that that sometime causes the plasma NM icon to disappear. Stopping, waiting, then starting tends to avoid that problem.

:: Code ::
# systemctl stop NetworkManager.service
# systemctl start NetworkManager.service

You're done! Enjoy DNS caching through VPN without DNS leaks.


Why do DNS queries fail randomly and succeed after some persistence? Probably because you might be running a mixed network that has DNSSEC support, while some DNS servers in your rotation do not. For example, if your router is providing DNS caching, but you're also falling back to a Google DNS like The short term fix is to turn off DNSSEC.

Edit /etc/systemd/resolved.conf, uncomment or add the line for DNSSEC, and set it equal to no. It should be, DNSSEC=no

Back to top
Display posts from previous:   

All times are GMT - 8 Hours