Thanks for the pcap. Some extracts with comments:

# queries are apparently sent in parallel
12:31:29.821205 IP 127.0.0.1.58683 > 127.0.0.1.53: 7913+ A? v6r6wsfsgj.dnsleaktest.com. (44)
12:31:29.821307 IP 127.0.0.1.40453 > 127.0.0.53.53: 37214+ A? v6r6wsfsgj.dnsleaktest.com. (44)
12:31:29.821586 IP 127.0.0.1.59554 > 127.0.0.1.53: 40498+ [1au] A? v6r6wsfsgj.dnsleaktest.com. (77)

# 192.168.0.1 is probably your LAN's resolver/ISP provided router (this is the leak)
12:31:29.821655 IP 192.168.0.104.56226 > 192.168.0.1.53: 675+ [1au] A? v6r6wsfsgj.dnsleaktest.com. (77)

# 209.222.18.218 is resolver2.privateinternetaccess.com (what you should be using exclusively to avoid leaks)
12:31:29.821725 IP 10.68.10.6.46982 > 209.222.18.218.53: 8175+ [1au] A? v6r6wsfsgj.dnsleaktest.com. (77)

# responses
12:31:29.865576 IP 209.222.18.218.53 > 10.68.10.6.46982: 8175 NXDomain 0/1/1 (102)
12:31:29.873446 IP 192.168.0.1.53 > 192.168.0.104.56226: 675 NXDomain 0/1/1 (102)

So it looks like systemd-resolved asked the same query roughly
simultaneously (70 microsecond interval) to 192.168.0.1 and
209.222.18.218. The systemd-resolved(8) man page explains this:

> Multi-label names are routed to all local interfaces that have a DNS server
> configured, plus the globally configured DNS server if there is one. [...]
>
> If lookups are routed to multiple interfaces, the first successful response
> is returned (thus effectively merging the lookup zones on all matching
> interfaces). If the lookup failed on all interfaces, the last failing
> response is returned.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1685391

Title:
  DNS leak in Xubuntu 17.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1685391/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
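
Added example, not part of the original message or of the bug report: a small checker that reads tcpdump text output like the extract above and reports every DNS query that leaves the host for a resolver outside an allowlist. The function names and the choice of 209.222.18.218 as the only allowed resolver are assumptions made for this illustration.

```python
import ipaddress
import re

# tcpdump text form of a DNS query:
# "<time> IP <src>.<sport> > <dst>.53: <id>+ [flags] <QTYPE>? <name> (<len>)"
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.\d+ > "
    r"(?P<dst>\d+(?:\.\d+){3})\.53: \d+\+.*? [A-Z]+\? (?P<name>\S+) "
)

def offhost_queries(lines):
    """Yield (ts, src, dst, name) for queries that leave the machine."""
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m is None:
            continue  # responses, comments, non-DNS lines
        if ipaddress.ip_address(m["dst"]).is_loopback:
            continue  # stub resolver / local forwarder hops stay on the host
        yield m["ts"], m["src"], m["dst"], m["name"]

def find_leaks(lines, allowed_resolvers):
    """Return off-host queries whose destination is not an allowed resolver."""
    allowed = set(allowed_resolvers)
    return [q for q in offhost_queries(lines) if q[2] not in allowed]

# Sample input: the query and response lines quoted in the message above.
CAPTURE = """\
12:31:29.821205 IP 127.0.0.1.58683 > 127.0.0.1.53: 7913+ A? v6r6wsfsgj.dnsleaktest.com. (44)
12:31:29.821307 IP 127.0.0.1.40453 > 127.0.0.53.53: 37214+ A? v6r6wsfsgj.dnsleaktest.com. (44)
12:31:29.821586 IP 127.0.0.1.59554 > 127.0.0.1.53: 40498+ [1au] A? v6r6wsfsgj.dnsleaktest.com. (77)
12:31:29.821655 IP 192.168.0.104.56226 > 192.168.0.1.53: 675+ [1au] A? v6r6wsfsgj.dnsleaktest.com. (77)
12:31:29.821725 IP 10.68.10.6.46982 > 209.222.18.218.53: 8175+ [1au] A? v6r6wsfsgj.dnsleaktest.com. (77)
12:31:29.865576 IP 209.222.18.218.53 > 10.68.10.6.46982: 8175 NXDomain 0/1/1 (102)
12:31:29.873446 IP 192.168.0.1.53 > 192.168.0.104.56226: 675 NXDomain 0/1/1 (102)
""".splitlines()

if __name__ == "__main__":
    # Assumption: the VPN resolver named in the message is the only allowed one.
    for ts, src, dst, name in find_leaks(CAPTURE, ["209.222.18.218"]):
        print(f"{ts} LEAK {name} {src} -> {dst}")
```

Loopback destinations are skipped on purpose: the 127.0.0.1 and 127.0.0.53 hops are the local stub and forwarder, so only the queries that reach a physical or tunnel interface count toward the leak check.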