NetworkManager ignores `/etc/resolv.conf`

I recently switched to NixOS, and everything works well. But no matter how much I try, I can’t configure DNS. In Arch, I just added my DNS to /etc/resolv.conf, but here I have to declare it under networking.nameservers. I did that and also tried multiple other settings, but nothing works. Whenever I run a DNS leak test, I see several Google DNS servers and one or two Cloudflare servers instead of the nameservers I configured.

networking = {
  hostName = "Gingerbread"; # Define your hostname.
  useDHCP = false;
  dhcpcd.enable = false;
  nameservers = [
    "194.242.2.6"
    "2a07:e340::6"
    "1.1.1.3"
    "1.0.0.3"
    "2606:4700:4700::1113"
    "2606:4700:4700::1003"
  ];
  networkmanager = {
    enable = true;
    dns = "none";
    wifi.powersave = false;
  };
  nftables.enable = true;
};

Output of /etc/resolv.conf:

# Generated by resolvconf
nameserver 194.242.2.6
nameserver 2a07:e340::6
nameserver 1.1.1.3
nameserver 1.0.0.3
nameserver 2606:4700:4700::1113
nameserver 2606:4700:4700::1003
options edns0

Where am I going wrong? Thanks in advance.

This will ignore the resolv.conf, so don’t do this.

I removed dns = "none", but there was no change — the DNS leak test still shows several Google and Cloudflare servers.

Try with dig to verify your configuration first; browsers sometimes set up DoH these days.

To make it much simpler to debug, I removed most of the nameservers and kept only two:

nameservers = [
  "1.1.1.3"
  "1.0.0.3"
];

After that I ran dig nixos.org and got:

; <<>> DiG 9.20.18 <<>> nixos.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16435
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: c4d5a162e67c60ff0100000069a13e87f12a4410682e5dc4 (good)
;; QUESTION SECTION:
;nixos.org.			IN	A

;; ANSWER SECTION:
nixos.org.		1949	IN	A	99.83.231.61
nixos.org.		1949	IN	A	75.2.60.5

;; Query time: 71 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Fri Feb 27 12:19:43 IST 2026
;; MSG SIZE  rcvd: 98

Update:

This DNS server is appearing because I removed dns="none", which allows NetworkManager to edit /etc/resolv.conf; it adds 192.168.1.1 at the top of all of my nameservers in /etc/resolv.conf.

So, I re-added dns="none" and got:

; <<>> DiG 9.20.18 <<>> nixos.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4826
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 4716c6051efd4ea80100000069a151ce3db54dfd540a4da5 (good)
;; QUESTION SECTION:
;nixos.org.			IN	A

;; ANSWER SECTION:
nixos.org.		1300	IN	A	99.83.231.61
nixos.org.		1300	IN	A	75.2.60.5

;; Query time: 18 msec
;; SERVER: 1.1.1.3#53(1.1.1.3) (UDP)
;; WHEN: Fri Feb 27 13:41:58 IST 2026
;; MSG SIZE  rcvd: 98

As you can see, it’s now using 1.1.1.3 as set. I checked to make sure DoH is off in my browsers and that they are set to use the DNS configured in the OS, but dnsleaktest still shows a bunch of Google servers.

Your dig output tells you exactly what is happening. The line:

;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)

means the system is sending DNS queries to your router, not to 1.1.1.3. Even though you have networking.nameservers configured, NetworkManager is overwriting /etc/resolv.conf with the DNS server your router pushes via DHCP. Most home routers advertise themselves (192.168.1.1) as the DNS server in DHCP responses.

The advice in the second reply was unfortunately backwards. Setting dns = "none" in the NetworkManager config tells NM to leave /etc/resolv.conf alone, which is exactly what you want when you are managing DNS statically through networking.nameservers. Without that setting, NM rewrites resolv.conf every time it connects using whatever DNS the DHCP server hands out, overriding your configuration.

Put dns = "none" back, but pair it with the right nameservers config:

networking = {
  nameservers = [
    "1.1.1.3"
    "1.0.0.3"
    "2606:4700:4700::1113"
    "2606:4700:4700::1003"
  ];
  networkmanager = {
    enable = true;
    dns = "none";
  };
};

After nixos-rebuild switch, check /etc/resolv.conf manually to confirm it contains your nameservers:

cat /etc/resolv.conf

Then run dig again and look at the SERVER line:

dig nixos.org

It should now show 1.1.1.3 or 1.0.0.3 instead of 192.168.1.1.

If you want a more robust setup that also handles systemd-resolved and avoids conflicts, the alternative is to use resolved as the local DNS stub:

services.resolved = {
  enable = true;
  fallbackDns = [
    "1.1.1.3"
    "1.0.0.3"
  ];
};
networking.networkmanager.dns = "systemd-resolved";

This routes all DNS through systemd-resolved on 127.0.0.53, which forwards upstream to your chosen servers when it cannot resolve locally. The advantage is that you also get DNSSEC and DNS-over-TLS support if you want it later.

Either approach fixes the root problem, which is NM overwriting your DNS configuration via DHCP.
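
Added example (not part of the thread): a shell check that automates the two manual steps above, flagging any nameserver in resolv.conf that was not declared and testing whether the resolver named on dig's SERVER line is one of the declared ones. The function names and the `INTENDED` variable are hypothetical; the sample resolv.conf is constructed, and the SERVER lines are the two quoted in the thread.

```bash
#!/usr/bin/env bash
# Added example: compare resolv.conf and dig output with the intended resolvers.

# The resolvers declared in networking.nameservers in the thread.
INTENDED="1.1.1.3 1.0.0.3 2606:4700:4700::1113 2606:4700:4700::1003"

# is_intended ADDR: exit 0 if ADDR is one of $INTENDED.
is_intended() {
  local a
  for a in $INTENDED; do [ "$a" = "$1" ] && return 0; done
  return 1
}

# Reads resolv.conf text on stdin and prints each nameserver that is not
# in $INTENDED, such as a router address pushed via DHCP.
unexpected_nameservers() {
  local key addr rest
  while read -r key addr rest; do
    [ "$key" = "nameserver" ] || continue
    is_intended "$addr" || printf '%s\n' "$addr"
  done
}

# Reads dig output on stdin and prints the address from the ";; SERVER:" line.
dig_server() {
  sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p' | head -n 1
}

# Reads dig output on stdin; exit 0 only if an intended resolver answered.
answered_by_intended() {
  local used
  used=$(dig_server)
  [ -n "$used" ] && is_intended "$used"
}

# Sample input. The SERVER lines are the two quoted in the thread; the
# resolv.conf is constructed to mimic NetworkManager prepending the router.
SAMPLE_RESOLV='# Generated by resolvconf
nameserver 192.168.1.1
nameserver 1.1.1.3
nameserver 1.0.0.3
options edns0'
SAMPLE_DIG_ROUTER=';; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)'
SAMPLE_DIG_STATIC=';; SERVER: 1.1.1.3#53(1.1.1.3) (UDP)'

echo "unexpected: $(printf '%s\n' "$SAMPLE_RESOLV" | unexpected_nameservers)"
printf '%s\n' "$SAMPLE_DIG_ROUTER" | answered_by_intended || echo "router answered"
printf '%s\n' "$SAMPLE_DIG_STATIC" | answered_by_intended && echo "1.1.1.3 answered"
```

On a live system, run `unexpected_nameservers < /etc/resolv.conf` and `dig nixos.org | answered_by_intended`. With the systemd-resolved setup, dig reports the local stub 127.0.0.53 on the SERVER line, so check the upstream servers with `resolvectl status` instead.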