Arch Linux

badgerbanger

Member

Registered: 2024-11-26

Posts: 16

[Solved]DNS leak with fresh arch install but this time using systemd

With a fresh install of arch and the only changes being that I am trying systemd and lvm. My last install did not leak but I didn't use systemd.

I run mullvad vpn on a openwrt router with arch wire connected. (wireguard on router)

It appears to leak sporadically, or maybe periodically - haven't observed it enough yet.
It is just the arch desktop, no other device on the network leaks.

I did notice that upon installing kde plasma, it installed network-manager also. Does plasma require networkmanager? can both be used at the same time?
No parameters are active in the /etc/systemd/resolved.conf file.
The /etc/resolv.conf file is empty.
I also installed iwd incase I require my mobo boards' wifi one day - not sure if that is pertinent.

Any ideas?

Last edited by badgerbanger (2024-12-02 07:04:01)

-thc

Member

Registered: 2017-03-15

Posts: 853

Re: [Solved]DNS leak with fresh arch install but this time using systemd

With a fresh install of arch and the only changes being that I am trying systemd and lvm. My last install did not leak but I didn't use systemd.

Do you mean systemd-networkd for network setup and systemd-resolved for DNS?

I run mullvad vpn on a openwrt router with arch wire connected. (wireguard on router)

I'm sorry - what? That doesn't make any sense to me.

I did notice that upon installing kde plasma, it installed network-manager also. Does plasma require networkmanager? can both be used at the same time?

No - they will cause trouble. AKAIK only the "plasma-nm" applet requires NetworkManager.

No parameters are active in the /etc/systemd/resolved.conf file.

O.K. (see first reply)

The /etc/resolv.conf file is empty.

That is not as it should be.

I also installed iwd incase I require my mobo boards' wifi one day - not sure if that is pertinent.

Make sure iwd is inactive and disabled.

Last edited by -thc (2024-11-26 17:46:08)

badgerbanger

Member

Registered: 2024-11-26

Posts: 16

Re: [Solved]DNS leak with fresh arch install but this time using systemd

First of all, props for the half life avatar!

Do you mean systemd-networkd for network setup and systemd-resolved for DNS?
            Yes, exactly.

I'm sorry - what? That doesn't make any sense to me.
             I'll clarify: I thought it pertinent to mention that my VPN isn't on my desktop but rather running on my router - so that my entire home goes through mullvad VPN, using the wireguard protocol.
Does that make sense?

No - they will cause trouble. AKAIK only the "plasma-nm" applet requires NetworkManager.
              Ah rats I chose the wrong desktop environment then. It wasn't evident to me since plasma works fine with systemd boot.
Is there anything I can do?

Make sure iwd is inactive and disabled.
               Done.

Thanks for the super fast reply.

-thc

Member

Registered: 2017-03-15

Posts: 853

Re: [Solved]DNS leak with fresh arch install but this time using systemd

First of all, props for the half life avatar!

I'll clarify: I thought it pertinent to mention that my VPN isn't on my desktop but rather running on my router - so that my entire home goes through mullvad VPN, using the wireguard protocol.
Does that make sense?

Yes. But you just connect your Arch box via wire to the router? And the configuration is done via DHCP?

Ah rats I chose the wrong desktop environment then. It wasn't evident to me since plasma works fine with systemd boot.
Is there anything I can do?

You could switch to a combination of NetworkManager and systemd-resolved for a more consistent GUI experience or uninstall plasma-nm and NetworkManager to rely on systemd only but without GUI representation.

Scimmia

Fellow

Registered: 2012-09-01

Posts: 12,592

Re: [Solved]DNS leak with fresh arch install but this time using systemd

No - they will cause trouble. AKAIK only the "plasma-nm" applet requires NetworkManager.
              Ah rats I chose the wrong desktop environment then. It wasn't evident to me since plasma works fine with systemd boot.
Is there anything I can do?

To be clear here, they were saying that you can't use NetworkManager alongside systemd-networkd. Using Plasma with systemd-networkd is fine.

badgerbanger

Member

Registered: 2024-11-26

Posts: 16

Re: [Solved]DNS leak with fresh arch install but this time using systemd

Yes. But you just connect your Arch box via wire to the router? And the configuration is done via DHCP?
            Yes, exactly, here's my config file:

cat /etc/systemd/network/20-wired.network
[Match]
Name=enp14s0

[Link]
RequiredForOnline=routable

[Network]
DHCP=yes

Ok thanks guys, I've removed plasma-nm and networkmanager using pacman -Rs flags. So far so good for DNS leaks...but still testing.

EDIT: still leaking

Last edited by badgerbanger (2024-11-27 07:33:34)

badgerbanger

Member

Registered: 2024-11-26

Posts: 16

Re: [Solved]DNS leak with fresh arch install but this time using systemd

The /etc/resolv.conf file is empty.

That is not as it should be.

For future search purposes of this thread.
I've figured out that this file was meant to have symlink to /run/systemd/resolv/resolv.conf /etcresolv.conf

cat /etc/resolv.conf     
# Resolver configuration file.
# See resolv.conf(5) for details.
[remgee@archangel ~]$ sudo rm /etc/resolv.conf
[remgee@archangel ~]$ sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
[remgee@archangel ~]$ cat /etc/resolv.conf
# This is /run/systemd/resolve/resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 8.8.8.8
nameserver fdc9:fcdb:2690::1
search .

I also switched to a static IP address but no change.

-thc

Member

Registered: 2017-03-15

Posts: 853

Re: [Solved]DNS leak with fresh arch install but this time using systemd

No - the preferred way to configure systemd-resolved is this stub symlink:

lrwxrwxrwx 1 root root 37 Oct 30  2023 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf

This linked file should reference "127.0.0.53" (which means your local systemd-resolved process).

systemd-resolved in turn should set the DNS servers on your network link according to the DHCP answer:

resolvectl

Last edited by -thc (2024-11-28 13:56:08)

badgerbanger

Member

Registered: 2024-11-26

Posts: 16

Re: [Solved]DNS leak with fresh arch install but this time using systemd

No - the preferred way to configure systemd-resolved is this stub symlink:

lrwxrwxrwx 1 root root 37 Oct 30  2023 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf

This linked file should reference "127.0.0.53" (which means your local systemd-resolved process).

systemd-resolved in turn should set the DNS servers on your network link according to the DHCP answer:

resolvectl

I actually found my error earlier today while trolling around the arch wiki and corrected
I am greeted with the following now:

[remgee@archangel ~]$ cat /etc/resolv.conf
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad
search .

I also figured out by the wiki that I needed to add my loop back device its own config file also so I did that.

However, my problem of DNS leakage pesisted.
This is the results from resolvectl so far:

[remgee@archangel ~]$ resolvectl
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: 10.64.0.1
         DNS Servers: 10.64.0.1
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google
                      2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
          DNS Domain: ~.

Link 2 (enp14s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.64.0.1
       DNS Servers: 10.64.0.1 fdc9:fcdb:2690::1

Link 3 (wlan0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported

I changed DNS globally and in my wired eth0 file to the ip given by my vpn as it was something else. Just testing now.

One question; under the link 2 device, for 'DNS servers'; where is it obtaining -what looks like a ipv6 address from? 'fdc9:fcdb:2690::1'?

-thc

Member

Registered: 2017-03-15

Posts: 853

Re: [Solved]DNS leak with fresh arch install but this time using systemd

I also figured out by the wiki that I needed to add my loop back device its own config file also so I did that.

With systemd-networkd? What?

I changed DNS globally and in my wired eth0 file to the ip given by my vpn as it was something else. Just testing now.

Why? To what? Is 10.64.0.x your routers home network?

If your router acts as a Mullvad VPN client and does everything correct - your machine should work with the IP addresses of your router as DNS servers. If there is a leak then something on your router isn't right.

One question; under the link 2 device, for 'DNS servers'; where is it obtaining -what looks like a ipv6 address from? 'fdc9:fcdb:2690::1'?

There is a very long answer and a shorter one: This is an IPv6 ULA address (functionally comparable to non-routeable IPv4 addresses like 10.x.y.z) and probably that of your router (provided by your router).

Last edited by -thc (2024-11-28 16:48:55)

badgerbanger

Member

Registered: 2024-11-26

Posts: 16

Re: [Solved]DNS leak with fresh arch install but this time using systemd

With systemd-networkd? What?

Yes, I created a file for the loop back device as per instructions given by AI.
I think the problem with this blind following of instructions is that arch wiki is substantially large and I was trying to skip to relevant sections. I have since slowed down, read the entire wiki on networking, which has helped me understand a little better. The arch wiki does not seem to say anything about creating a file for the lo device so I am not sure where AI referenced that from.

Why? To what? Is 10.64.0.x your routers home network?
If your router acts as a Mullvad VPN client and does everything correct - your machine should work with the IP addresses of your router as DNS servers. If there is a leak then something on your router isn't right.

I set the DNS in each devices' file to 10.64.0.x which according to mullvad's specifications. I am guessing this is mullvad's own DNS resolver address?
I set the router up based upon mullvad's tutortials. I assume that it is correctly configured because I never leaked DNS before and on any other device.

It appears that, by making that change with the DNS address(not the lo device), my DNS leak is fixed. No leaks so far.

Last edited by badgerbanger (2024-11-29 10:20:54)

-thc

Member

Registered: 2017-03-15

Posts: 853

Re: [Solved]DNS leak with fresh arch install but this time using systemd

Okay - I've learned something: Mullvad's VPN-internal DNS servers are 10.8.0.1 for OpenVPN and 10.64.0.1 for WireGuard - but they are IPv4 only.

Your router seem to have advertised itself via IPv6 as the IPv6 DNS server - that's a possible leak (classic IPv6 bypass).

badgerbanger

Member

Registered: 2024-11-26

Posts: 16

Re: [Solved]DNS leak with fresh arch install but this time using systemd

Really? how do I confirm that this might be the case? the drill command maybe?

-thc

Member

Registered: 2017-03-15

Posts: 853

Re: [Solved]DNS leak with fresh arch install but this time using systemd

There are several VPN leak test websites to check this - Mullvad has one too: https://mullvad.net/en/check

This possible leak should only occur under rare circumstances. According to your configration:

[remgee@archangel ~]$ resolvectl
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: 10.64.0.1
         DNS Servers: 10.64.0.1
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google
                      2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
          DNS Domain: ~.

Link 2 (enp14s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.64.0.1
       DNS Servers: 10.64.0.1 fdc9:fcdb:2690::1

Link 3 (wlan0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported

systemd-resolved should only fall back to "fdc9:fcdb:2690::1" if 10.64.0.1 is unavailable or not responding.

If you want to know, what happens in this case, set "fdc9:fcdb:2690::1" globally and check the leak test again.

Last edited by -thc (2024-11-29 17:07:20)

badgerbanger

Member

Registered: 2024-11-26

Posts: 16

Re: [Solved]DNS leak with fresh arch install but this time using systemd

Wouldn't running a DNS lookup perform the same if it returns 127.0.0.53?

$ drill any fdc9:fcdb:2690::1
;; ->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 34627
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; fdc9:fcdb:2690::1.   IN      ANY

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.53
;; WHEN: Fri Nov 29 18:41:01 2024
;; MSG SIZE  rcvd: 35
[remgee@archangel ~]$

This is a good thing, right?

set "fdc9:fcdb:2690::1" globally and check the leak test again.

I'll check it out now

-thc

Member

Registered: 2017-03-15

Posts: 853

Re: [Solved]DNS leak with fresh arch install but this time using systemd

Wouldn't running a DNS lookup perform the same if it returns 127.0.0.53?

Nope - this just tells you systemd-resolved is working .

If you flush the caches and query via resolvectl:

resolvectl flush-caches
resolvectl query dns.google

systemd-resolved only tells you that it received the answer from the current active DNS server ("network").

You need a separate leak test.

badgerbanger

Member

Registered: 2024-11-26

Posts: 16

Re: [Solved]DNS leak with fresh arch install but this time using systemd

Wouldn't running a DNS lookup perform the same if it returns 127.0.0.53?

Nope - this just tells you systemd-resolved is working .

If you flush the caches and query via resolvectl:

resolvectl flush-caches
resolvectl query dns.google

systemd-resolved only tells you that it received the answer from the current active DNS server ("network").

You need a separate leak test.

You were correct Sir!
Setting that Ipv6 globally caused a leak.

How do I go about to fix this issue?

-thc

Member

Registered: 2017-03-15

Posts: 853

Re: [Solved]DNS leak with fresh arch install but this time using systemd

As I mentioned earlier,

- if this IPv6 address is that of the router and your router acts as a DNS proxy (or forwarder or "server") and
- if the Mullvad VPN client on the router works correctly

your router should forward your DNS requests to 10.64.0.1. That's not what's happening.

You can
- check the router and it's VPN configuration why DNS requests from clients are not send to Mullvad or
- disable accepting IPv6 router advertisements on the LAN interface (should lead to a LAN interface with a link-local address only)

badgerbanger

Member

Registered: 2024-11-26

Posts: 16

Re: [Solved]DNS leak with fresh arch install but this time using systemd

Just a question before I embark on this problem -because I need to stop to learn more networking terminology to solve this, would this have anything to do with the fact that I am on starlink?
Just a hunch on this, but when I first installed arch on my system; right from the start I ran into a problem which took me time to figure out. That is, I could not ping archlinux.org to verify internet connectivity. I later found that I could curl archlinux.org and get a return, and that it has something to do with ipv6 and starlink.
Apologies for the long question, and thanks for all the help so far!

Last edited by badgerbanger (2024-12-01 07:43:08)

-thc

Member

Registered: 2017-03-15

Posts: 853

Re: [Solved]DNS leak with fresh arch install but this time using systemd

That is, I could not ping archlinux.org to verify internet connectivity. I later found that I could curl archlinux.org and get a return, and that it has something to do with ipv6 and starlink.

Maybe starlink is in part responsible - but we need more info on that.

- Does your generation of starlink dish fully support IPv6?
- Do you use a separate router?

badgerbanger

Member

Registered: 2024-11-26

Posts: 16

Re: [Solved]DNS leak with fresh arch install but this time using systemd

That is, I could not ping archlinux.org to verify internet connectivity. I later found that I could curl archlinux.org and get a return, and that it has something to do with ipv6 and starlink.

Maybe starlink is in part responsible - but we need more info on that.

- Does your generation of starlink dish fully support IPv6?
- Do you use a separate router?

Yes, I have gen2 dishy and I have the starlink router bypassed in bridge mode to my openwrt router.
I can see a lot of information on ipv6 on the status page of my router, albeit I do not fully understand what I am looking at.
I followed the recommended install instructions from mullvad to set up openwrt.

-thc

Member

Registered: 2017-03-15

Posts: 853

Re: [Solved]DNS leak with fresh arch install but this time using systemd

Did you follow https://mullvad.net/en/help/running-wireguard-router? If you did, the hints are there: Mullvad doesn't provide direct IPv6 via VPN (only via SOCKS5 proxy) and the VPN only routes IPv4 traffic by default.

Do you need IPv6 on the client?

badgerbanger

Member

Registered: 2024-11-26

Posts: 16

Re: [Solved]DNS leak with fresh arch install but this time using systemd

Both no and yes.
Yes I read this, but at the time I don't think I understood what it was - I thought it didn't apply to me at the time, based on my limited understanding.

I applied the changes in my openwrt file:

/etc/config/network
config wireguard_WGINTERFACE
        option public_key 'xxxxx'
        option endpoint_host 'xxx.xxx.xxx.xx'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'

Can I check that I am correctly making changes to the config files in systemd to test for the DNS leak, because I am still getting DNS leak after making the above change, and the Ipv6 address is still appearing from the standard output of resolvectl. (Unless I need to restart my router after changes)
I did not edit the wired interface file(enp14s0) but /etc/systemd/resolved.conf.d/dns_servers.conf to the following:

[remgee@archangel ~]$ cat /etc/systemd/resolved.conf.d/dns_servers.conf
[Resolve]
DNS=fdc9:fcdb:2690::1
#FallbackDNS=9.9.9.9
#DNSOverTLS=yes
Domains=~.

resolvectl

[remgee@archangel ~]$ resolvectl
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: fdc9:fcdb:2690::1
         DNS Servers: fdc9:fcdb:2690::1
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net
                      8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com
                      2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
          DNS Domain: ~.

Link 2 (enp14s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.64.0.1
       DNS Servers: 10.64.0.1 fdc9:fcdb:2690::1

Link 3 (wlan0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported

oh and no, I do not need ipv6

Last edited by badgerbanger (2024-12-01 12:09:23)

-thc

Member

Registered: 2017-03-15

Posts: 853

Re: [Solved]DNS leak with fresh arch install but this time using systemd

I applied the changes in my openwrt file:

/etc/config/network
config wireguard_WGINTERFACE
        option public_key 'xxxxx'
        option endpoint_host 'xxx.xxx.xxx.xx'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'

Please check (after rebooting your router) via Web interface that the value "Allowed IPs" contain both values.

I did not edit the wired interface file(enp14s0) but /etc/systemd/resolved.conf.d/dns_servers.conf to the following:

 
[remgee@archangel ~]$ cat /etc/systemd/resolved.conf.d/dns_servers.conf 
[Resolve]
DNS=fdc9:fcdb:2690::1 
#FallbackDNS=9.9.9.9
#DNSOverTLS=yes
Domains=~.

resolvectl

 [remgee@archangel ~]$ resolvectl
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: fdc9:fcdb:2690::1
         DNS Servers: fdc9:fcdb:2690::1
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net
                      8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com
                      2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
          DNS Domain: ~.

Link 2 (enp14s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.64.0.1
       DNS Servers: 10.64.0.1 fdc9:fcdb:2690::1

Link 3 (wlan0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported

Please delete "/etc/systemd/resolved.conf.d/dns_servers.conf" - and if the directory is empty, you can delete it too.

Reconfigure enp14s0 like this:

[Match]
Name=enp14s0

[Network]
DHCP=yes
IPv6AcceptRA=no

[DHCPv4]
UseDNS=yes

You can remove the global DNS server in "resolved.conf" - but you don't need to.

This should lead to the following configuration:
- OpenWRT routes IPv4 and IPv6 through the tunnel
- resolvectl should show only the routers IPv4 address as "DNS servers" for the Ethernet interface
- no DNS leak

badgerbanger

Member

Registered: 2024-11-26

Posts: 16

Re: [Solved]DNS leak with fresh arch install but this time using systemd

I applied the changes in my openwrt file:

/etc/config/network
config wireguard_WGINTERFACE
        option public_key 'xxxxx'
        option endpoint_host 'xxx.xxx.xxx.xx'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'

Please check (after rebooting your router) via Web interface that the value "Allowed IPs" contain both values.

Values are indeed persistent

resolvectl

Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net
                      8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com
                      2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google

Link 2 (enp14s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.64.0.1
       DNS Servers: 10.64.0.1

Link 3 (wlan0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
[remgee@archangel /]$

I think it has worked!