ExpressVPN on Raspberry Pi keeps changing DNS settings (does not revert DNS settings)

So I’ve been playing around with some Raspberry Pi 4’s and on one of them I’ve been using the ARM version of the ExpressVPN client.
What I noticed is that while connected to the VPN I could no longer DNS resolve the names of internal network resources via the DNS server on my router or my internal LAN-based DNS resolving server.
Routing was all fine so it wasn’t to do with the VPN tunnel itself.
Stranger still was that disconnecting the client did not resolve the issue; only a reboot seemed to fix things.

Note that I have configured the client to not use their DNS servers in the first place!!

expressvpn preferences set force_vpn_dns off

Detective-mode: enabled

So I dutifully had a look at my /etc/resolv.conf file and guess what I found?

luis@tor1:~ $ cat /etc/resolv.conf

# Generated by expressvpn

search expressvpn

nameserver 10.96.0.1

This makes a little sense since the client, like many others, has a so-called DNS-leak prevention system and so the client is doing here is making sure that your DNS queries can’t get picked up by a third-party (except them of course!). it not honouring the setting to turn it off is another problem….

However, when I disconnect the client then the file stays exactly the same!
It should have reverted to my default/original settings.

Incidentally, my DNS client settings are being managed from:

“/etc/dhcpcd.conf” with a static domain_name_server directive.

A bit more digging and I discovered that there was a symbolic link between a resolv.conf file in the Express VPN directory and “/etc/resolv.conf”

luis@tor1:~ $ ls -l /etc/resolv.conf

lrwxrwxrwx 1 root root 31 Sep 23 20:58 /etc/resolv.conf -> /var/lib/expressvpn/resolv.conf

So I decided to have a looked at this directory with the VPN disconnected:

luis@tor1:~ $ ls -l /var/lib/expressvpn/ 

total 124

drwxr-xr-x 2 root root   4096 Sep 18 23:26 certs

drwx—— 2 root root   4096 Sep 23 21:45 data

drwxr-xr-x 2 root root   4096 Sep 18 23:29 icons

-rw-r–r– 1 root root    106 Sep 23 21:38 resolv.conf

-rw——- 1 root root 102764 Sep 23 21:35 userdata2.dat

The linked file (bold) won’t be very interesting at first because it’s supposed to be in sync but something very interesting happens when the VPN client initiates the connection:

luis@tor1:~ $ ls -l /var/lib/expressvpn/

total 132

drwxr-xr-x 2 root root   4096 Sep 18 23:26 certs

-rw——- 1 root root     32 Sep 23 21:51 config.pass

-rw——- 1 root root     50 Sep 23 21:51 credentials

drwx—— 2 root root   4096 Sep 23 21:51 data

drwxr-xr-x 2 root root   4096 Sep 18 23:29 icons

-rw-r–r– 1 root root     65 Sep 23 21:51 resolv.conf

lrwxrwxrwx 1 root root     31 Sep 23 20:58 resolv.conf.orig -> /var/lib/expressvpn/resolv.conf

-rw——- 1 root root 102764 Sep 23 21:51 userdata2.dat

Here we can see (bold emphasis added) that a soft-link has been created where:

There is an obvious problem with this:

So what do you do about it?

sudo resolvconf -u

sudo systemctl restart systemd-resolved.service