DNS Leak Prevention

Without proper DNS configuration, your DNS queries may leak outside the VPN tunnel, revealing which domains you visit to your ISP or local network.


How DNS Leaks Happen

When you connect to a VPN, your traffic is encrypted and routed through the VPN server. However, DNS queries are often handled separately by your operating system's DNS resolver, which may send queries to your ISP's DNS servers directly:

Without DNS proxy:
┌──────────────┐         ┌─────────────┐
│ Your device  │ ──────► │ ISP DNS     │ ← DNS leak!
│              │         └─────────────┘
│ ── VPN ────► │         ┌─────────────┐
└──────────────┘ ──────► │ VPN Server  │ ← Regular traffic
                        └─────────────┘

Even if your web traffic goes through the VPN tunnel, your ISP can see every domain you resolve.


How r-vpn DNS Proxy Prevents Leaks

The r-vpn DNS proxy runs locally on your device. It receives DNS queries and forwards them through the encrypted VPN tunnel to the server, which resolves them:

With DNS proxy enabled:
┌──────────────┐         ┌─────────────┐
│ Your device  │         │ ISP DNS     │ ← Not used
│              │         └─────────────┘
│ [DNS proxy]  │ ──────► │ VPN Server  │ ← Encrypted tunnel
└──────────────┘         └─────────────┘

Your ISP sees no DNS queries. All DNS resolution happens inside the encrypted tunnel.


Split Tunnel Integration

The DNS proxy respects split tunnel rules:

Domain type                      Behaviour
Bypassed domains                 Resolved locally (not through VPN)
Blocked domains (ads/trackers)   Return NXDOMAIN immediately
All other domains                Resolved through VPN tunnel

This means:

  • Domestic streaming sites you bypass resolve locally (no VPN overhead)
  • The ad-blocker works without sending requests to the VPN server
  • All other domains are resolved privately through the tunnel
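The decision logic in the table above, as an added example that is not r-vpn's own code: it parses the question name out of a raw UDP DNS query, classifies it as local, blocked or tunnel by suffix match, and for a blocked domain builds the NXDOMAIN reply itself (RCODE 3, transaction ID and question echoed back). The rule sets, the domain names and the query builder are constructed for the example; r-vpn's real rule format is not shown on this page.

```python
import struct
from typing import Optional, Tuple

# Constructed rule sets (assumption: not r-vpn's configuration format).
BYPASS_DOMAINS = {"streaming.example"}            # resolved locally, not via VPN
BLOCKED_DOMAINS = {"ads.example", "tracker.example"}  # answered NXDOMAIN at once


def parse_qname(packet: bytes, offset: int = 12) -> Tuple[str, int]:
    """Decode the (uncompressed) QNAME of the first question.

    Returns the lower-cased dotted name and the offset just past QTYPE/QCLASS.
    """
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a question name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset + 4  # skip QTYPE and QCLASS


def _suffixes(name: str):
    """Yield 'a.b.c', 'b.c', 'c' so a rule on a parent domain covers its subdomains."""
    parts = name.split(".")
    for i in range(len(parts)):
        yield ".".join(parts[i:])


def classify(name: str) -> str:
    """Map a query name to 'blocked', 'local' or 'tunnel' per the split-tunnel table."""
    for suffix in _suffixes(name):
        if suffix in BLOCKED_DOMAINS:
            return "blocked"
        if suffix in BYPASS_DOMAINS:
            return "local"
    return "tunnel"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal A-record query (RD=1) for the example; a stub resolver sends the same shape."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def nxdomain_response(query: bytes) -> bytes:
    """Answer a query with NXDOMAIN without contacting any upstream resolver."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    _, question_end = struct.unpack("!H", b"\x00\x00")[0], parse_qname(query)[1]
    # QR=1, opcode copied from the query, RD copied, RA=1, RCODE=3 (NXDOMAIN)
    rflags = 0x8000 | (flags & 0x7800) | (flags & 0x0100) | 0x0080 | 0x0003
    header = struct.pack("!HHHHHH", txid, rflags, qdcount, 0, 0, 0)
    return header + query[12:question_end]  # echo the question section


def handle(query: bytes) -> Tuple[str, Optional[bytes]]:
    """Return the action for a raw query and, for blocked names, the ready-made reply.

    'local' and 'tunnel' return no reply here: the real proxy would forward the
    query to the system resolver or through the VPN tunnel respectively.
    """
    name, _ = parse_qname(query)
    action = classify(name)
    if action == "blocked":
        return action, nxdomain_response(query)
    return action, None


if __name__ == "__main__":
    for host in ("ads.example", "cdn.streaming.example", "example.com"):
        action, reply = handle(build_query(host))
        print(f"{host:24} -> {action}" + (f" (reply {reply.hex()})" if reply else ""))
```

Matching by suffix rather than exact name is what makes a single rule for `streaming.example` also cover `cdn.streaming.example`; blocked rules are checked first so a tracker hosted under a bypassed domain is still answered NXDOMAIN.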


Setup

macOS

1. Enable DNS proxy in client.toml:

[dns_proxy]
enabled        = true
listen_address = "127.0.0.1:53"

2. Run the client with root privileges (required to bind port 53):

sudo rvpn -c ~/.config/rvpn/client.toml

3. Configure system DNS:

System Settings -> Network -> your connection -> Details -> DNS

Add 127.0.0.1 as the primary DNS server. Remove any other entries.

Or via command line:

sudo networksetup -setdnsservers Wi-Fi 127.0.0.1

To verify:

# Should show 127.0.0.1
networksetup -getdnsservers Wi-Fi

# Should return your VPN server's IP
dig @127.0.0.1 api.ipify.org

To restore original DNS:

sudo networksetup -setdnsservers Wi-Fi empty

Linux

Option 1: Direct resolv.conf

Run the client as root:

sudo rvpn -c ~/.config/rvpn/client.toml

Edit /etc/resolv.conf:

nameserver 127.0.0.1

Option 2: systemd-resolved (recommended)

Add to /etc/systemd/resolved.conf:

[Resolve]
DNS=127.0.0.1

Then restart:

sudo systemctl restart systemd-resolved

Verify:

resolvectl status | grep DNS

Linux with NetworkManager

  1. Edit connection: nm-connection-editor
  2. IPv4 Settings -> Method: Manual
  3. Add DNS server: 127.0.0.1
  4. Save and reconnect

Testing for DNS leaks

Visit these sites with your VPN connected:

  1. https://dnsleaktest.com
  2. https://ipleak.net
  3. https://browserleaks.com/dns

The DNS servers shown should be your VPN server's DNS (or the dns_servers configured in your server.toml), not your ISP's DNS.
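A local check that complements the web-based leak tests above, added here as an example (not part of r-vpn): it reads the system's resolver list, either `/etc/resolv.conf` lines or the one-address-per-line output of `networksetup -getdnsservers`, and reports any nameserver that is not a loopback address, since such an entry would let queries bypass the proxy on 127.0.0.1. The sample input is constructed for the example.

```python
import ipaddress
from typing import List

# Constructed sample: a resolv.conf where a router DNS entry was left behind.
SAMPLE_RESOLV_CONF = """\
# constructed example, not a real file
nameserver 127.0.0.1
nameserver 192.168.1.1   # router DNS left in place: every query here leaks
search lan
options edns0
"""

# Constructed sample of `networksetup -getdnsservers Wi-Fi` output (macOS).
SAMPLE_NETWORKSETUP = "127.0.0.1\n"


def resolver_addresses(text: str) -> List[str]:
    """Extract nameserver addresses from resolv.conf-style or bare-address-per-line text."""
    addrs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "nameserver" and len(tokens) > 1:
            addrs.append(tokens[1])
        elif len(tokens) == 1 and tokens[0] != "nameserver":
            addrs.append(tokens[0])  # networksetup prints one address per line
    return addrs


def find_leaking_nameservers(text: str) -> List[str]:
    """Return resolver entries that would bypass a DNS proxy bound to loopback.

    Unparsable entries are reported too, so a typo never silently passes.
    """
    leaks = []
    for addr in resolver_addresses(text):
        try:
            ip = ipaddress.ip_address(addr.split("%", 1)[0])  # strip IPv6 zone id
        except ValueError:
            leaks.append(addr)
            continue
        if not ip.is_loopback:
            leaks.append(addr)
    return leaks


def dns_config_is_leak_free(text: str) -> bool:
    """True only when at least one resolver is configured and all of them are loopback."""
    return bool(resolver_addresses(text)) and not find_leaking_nameservers(text)


if __name__ == "__main__":
    for label, sample in (("resolv.conf", SAMPLE_RESOLV_CONF), ("networksetup", SAMPLE_NETWORKSETUP)):
        leaks = find_leaking_nameservers(sample)
        status = "OK" if dns_config_is_leak_free(sample) else f"LEAK via {leaks}"
        print(f"{label:13} {status}")
```

Run it against the real file with `find_leaking_nameservers(open("/etc/resolv.conf").read())`; an empty list plus a passing `dns_config_is_leak_free` is the expected state once the proxy is the only configured resolver. Note that `networksetup` prints a sentence rather than addresses when no servers are set, which this check correctly reports as a non-address entry.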


How DNS Resolution Works in TUN Mode

In TUN mode, the client receives dns_servers from the server via DHCP and uses them automatically, so TUN mode has built-in DNS handling. The DNS proxy is still recommended when using SOCKS5 mode, which has no such mechanism.

Server DNS configuration

[server.network]
nat_enabled = true
dhcp_range   = "10.200.0.0/24"
dns_servers  = ["1.1.1.1", "8.8.8.8"]

These DNS servers are pushed to TUN clients. The client uses them directly for DNS resolution.


Custom DNS Servers

To use specific DNS providers through the VPN tunnel:

Server-side (pushed to TUN clients):

[server.network]
dns_servers = ["1.1.1.1", "8.8.8.8"]   # Cloudflare + Google

Or privacy-focused:

dns_servers = ["privacy.wikipedia.org", "dns.sb"]

Client-side in SOCKS5 mode:

The DNS proxy forwards to the server, which resolves using dns_servers. To use specific DNS through the tunnel, configure them on the server.


DNS-over-HTTPS and DNS-over-TLS

R-VPN does not proxy raw DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) requests from client applications.

The local DNS proxy intercepts traditional UDP DNS queries from the operating system. For domains that should go through the tunnel, it forwards them to the server via R-VPN's encrypted WebSocket tunnel using a custom DNS protocol (not DoH or DoT). The server resolves these using its standard system DNS resolver. There is currently no server-side DoH/DoT configuration available.


Troubleshooting DNS Issues

Domains not resolving

  • Verify DNS proxy is running: dig @127.0.0.1 example.com
  • Check the listen_address in client.toml matches your system DNS setting
  • Try a different DNS server: dig @8.8.8.8 example.com

DNS proxy not starting

  • Port 53 may be in use: sudo lsof -i :53
  • Try port 5353 instead (no root required)

Slow DNS resolution

  • Try different DNS servers (Cloudflare 1.1.1.1 is typically fastest)
  • Reduce dns_cache_ttl in client.toml for frequently changing domains

DNS leaking despite proxy

  • Ensure no other DNS settings exist in system settings
  • Check browser DNS settings (Firefox can override system DNS)
  • Chrome (desktop/Android): Disable Secure DNS in Chrome settings: Settings → Privacy and security → Security → Use secure DNS → turn it off. Then clear Chrome's DNS cache: navigate to chrome://net-internals/#dns and click Clear host cache.
  • iOS Chrome: If sites fail to resolve, force-close the app or clear browsing data to flush the DNS cache.
  • Ensure no VPN-less DNS resolver is running (e.g., mDNSResponder)