🛠️ [SOLVED] Astrill/Commercial VPN DNS Fix for Fedora (No need to disable systemd-resolved!)

Hello Fedora Community,

I wanted to share a persistent fix for getting VPNs like Astrill (and likely many others that use legacy DNS injection) working perfectly on Fedora.

If your VPN DNS isn’t working on Fedora, the usual advice is to disable systemd-resolved. That’s messy and unnecessary.

The real culprit is the resolve plugin in /etc/nsswitch.conf:

hosts: files myhostname mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns

Unlike Ubuntu/Mint, which skip resolve, Fedora intercepts DNS queries via systemd-resolved, bypassing /etc/resolv.conf.

Fix:

sudo sed -i 's/resolve \[!UNAVAIL=return\] //g' /etc/nsswitch.conf
sudo systemctl restart systemd-resolved NetworkManager

Now the hosts line looks like:

hosts: files myhostname mdns4_minimal [NOTFOUND=return] dns

DNS queries flow through /etc/resolv.conf, just like on Ubuntu/Mint, and your VPN works without disabling systemd-resolved.

That said, there are only two cases here:

• resolv.conf points to 127.0.0.53, systemd-resolved. In this case, you have achieved nothing.
• resolv.conf does not point to 127.0.0.53. In this case, you really have effectively disabled systemd-resolved, even if the service is still running.

Thanks, Michael — you’re absolutely right, and I wasn’t clear enough in my original post: the fix I described means that systemd‑resolved will only function normally when the VPN is not active. When the VPN is active and overwrites /etc/resolv.conf, the resolve [!UNAVAIL=return] removal effectively bypasses systemd-resolved and routes DNS via the injected nameservers instead. When the VPN is deactivated, the original resolv.conf is restored though.

I still believe this is a less intrusive solution compared to fully disabling the service, since it retains systemd-resolved for the non-VPN case and only sidesteps it during the VPN session.