One can also configure your DNS Resolution in your local machine; not just in your router. This has a few benefit.

It’s router agnostic. If you were to use a laptop in a public wifi or anywhere else, your machine would still route your traffic to your desired DNS nameservers and not that of the wifi’s ISP.

Secondly, if you were to use a VPN, it adds that extra layer protection from DNS leakage. DNS Leakage happens when your DNS queries goes through undesired DNS nameservers – ISP’s to name a few – before having your requested traffic tunneled through your Virtual Private Network (VPN). That defeats the whole purpose of having a VPN. What you want is to route all traffic, both the content requested and the DNS queries, through your VPN.

On Debian-based distros, make sure that systemd-resolved & resolvconf is installed.

$ sudo apt install systemd-resolved resolvconf -y

Enable, start the services systemd-resolved and check:

$ sudo systemctl enable systemd-resolved
$ sudo systemctl start systemd-resolved
$ sudo systemctl status systemd-resolved

Edit the systemd-resolved configuration:

$ sudo nano /etc/systemd/resolved.conf

Add or modify these lines, then save:

[Resolve] 
DNS=8.8.8.8 
FallbackDNS=8.8.4.4 
DNSStubListener=no

Side-note, the above resolves to DNS nameservers belonging to Google’s. CloudFlare’s 1.1.1.1 & 1.0.0.1. A quick google search yields many more public DNS nameservers you can choose.

Restart systemd-resolved:

$ sudo systemctl restart systemd-resolved

Now, configure NetworkManager to use systemd-resolved:

$ sudo nano /etc/NetworkManager/NetworkManager.conf

Add or modify the following:

[main]
dns=systemd-resolved

Restart NetworkManager & create a symlink for resolv.conf:

$ sudo systemctl restart NetworkManager
$ sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

Done. Do a quick google search on testing DNS Leakage. They all should return you your desired public DNS nameservers & not of your ISP’s.