VPN Split DNS behaviour

I encountered undesired DNS behaviour when using an L2TP/IPsec VPN.

I have a DHCP-configured Wi-Fi connection, which sends DNS servers and a search domain (192.168.0.10, lan). The VPN sends its own DNS server (10.0.0.2); the search domain (intranet) is added manually in the VPN DNS config settings.

I expect, when the VPN is connected, to still be able to resolve local names, e.g. some-host.lan. However, they become unresolvable.

A quick check shows that the remote DNS server is used to resolve local names.

shilishper@mac ~ % host -v some-host.lan
Trying "some-host.lan"
Host some-host.lan not found: 3(NXDOMAIN)
Received 106 bytes from 10.0.0.2#53 in 16 ms
Received 106 bytes from 10.0.0.2#53 in 16 ms

Actually, all DNS queries are going to the remote server. I would expect that only queries for the configured domain (intranet) should go to that server. I played with the service order, but it didn't change anything.

Can anything be done about this, programmatically?

PS: I'm new to macOS, but have extensive Linux knowledge.

Answered by DTS Engineer in 859180022

It sounds like your VPN configuration is claiming the default route [1]. When it does that, the system uses its VPN’s DNS resolver by default. See this post.

Can anything be done about this, programmatically?

No. Well, not directly.

When using the built-in VPN transports, like L2TP, there are three ways to configure the VPN:

  • Manually in System Settings
  • Via a configuration profile
  • Programmatically, using the Personal VPN feature

The first two don’t support folks programmatically tweaking the configuration.

The last one gives you some control over VPN configuration, but it doesn’t let you change the default route. That’s determined based on the configuration coming back from the VPN server.

ps For VPN configuration issues, you might have more luck asking over in the Apple Support Community, run by Apple Support, and specifically in the Business and Education topic area. DevForums is primarily focused on APIs, and that’s a small part of the picture here.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] That’s the most likely option, so it’s what I’m assuming in the rest of my reply, but there is another possibility, namely that it’s set an empty match domain.


Thank you, yeah, I figured out that split DNS just doesn't work out of the box; the VPN just inserts its DNS server in first place in the list of resolvers and there is no way around it.

I hoped that there was a Swift way to manipulate this list, as I couldn't find a reasonable way to do it from a shell script. Then I planned to hook this program into the VPN connection state monitor. Anyway, I have found out about /etc/resolver, so, at least, name resolution for my local network now works.

Thanks again
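The thread ends with the /etc/resolver workaround but never shows how to confirm which resolver the system will actually use for a given name. The following script is an added example (not code from the thread or from Apple) that parses the unscoped section of `scutil --dns` output and reports which nameserver a query name would reach, so you can see LAN names leaking to the VPN resolver before the fix and landing on the LAN resolver after it. The two `scutil --dns` samples are constructed to approximate the output format on a Mac whose VPN has claimed the default route; the resolver-selection rule (longest matching domain wins, ties by lowest order, otherwise the default resolver) is a simplification of what mDNSResponder does, and the domain names and addresses are the ones from the thread.

```python
# Constructed sample approximating `scutil --dns` output on a Mac whose L2TP
# VPN (utun3) has claimed the default route, as in the thread: the VPN
# resolver 10.0.0.2 sits first in the default resolver and the only
# per-domain resolver is the VPN's match domain "intranet". Illustrative
# text, not output captured from the poster's Mac.
_UNSCOPED_BEFORE = """\
DNS configuration

resolver #1
  search domain[0] : lan
  nameserver[0] : 10.0.0.2
  nameserver[1] : 192.168.0.10
  if_index : 23 (utun3)
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : intranet
  nameserver[0] : 10.0.0.2
  if_index : 23 (utun3)
  flags    : Supplemental, Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)
  order    : 101200
"""

# Resolver that appears once /etc/resolver/lan exists with the lines
# "nameserver 192.168.0.10" and "search_order 1" (constructed).
_RESOLVER_LAN = """\

resolver #3
  domain   : lan
  nameserver[0] : 192.168.0.10
  flags    : Request A records, Request AAAA records
  order    : 1
"""

# Scoped (per-interface) resolvers are listed separately; the parser ignores them.
_SCOPED = """\

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.168.0.10
  if_index : 14 (en0)
  flags    : Scoped, Request A records, Request AAAA records
"""

SCUTIL_DNS_BEFORE = _UNSCOPED_BEFORE + _SCOPED
SCUTIL_DNS_AFTER = _UNSCOPED_BEFORE + _RESOLVER_LAN + _SCOPED


def parse_scutil_dns(text):
    """Parse the unscoped 'DNS configuration' section into a list of dicts:
    domain (None for the default resolver), nameservers, and order."""
    unscoped = text.split("DNS configuration (for scoped queries)", 1)[0]
    resolvers, current = [], None
    for line in unscoped.splitlines():
        if line.startswith("resolver #"):
            current = {"domain": None, "nameservers": [], "order": 200000}
            resolvers.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "domain":
                current["domain"] = value.lower().rstrip(".")
            elif key.startswith("nameserver["):
                current["nameservers"].append(value)
            elif key == "order":
                current["order"] = int(value)
    return resolvers


def resolver_for(name, resolvers):
    """Pick the resolver for a query name the way the system resolver does,
    simplified: the per-domain resolver whose domain is the longest suffix of
    the name wins (ties broken by lowest order); with no match, the default
    resolver (the first entry without a domain) is used."""
    qname = name.lower().rstrip(".")
    best = None
    for r in resolvers:
        d = r["domain"]
        if d and (qname == d or qname.endswith("." + d)):
            rank = (-d.count("."), r["order"])  # more labels first, then lower order
            if best is None or rank < best[0]:
                best = (rank, r)
    if best:
        return best[1]
    return next(r for r in resolvers if r["domain"] is None)


def leaked_queries(scutil_text, expected_first_server):
    """Map each query name to the nameserver it would actually hit when that
    differs from the expected one, e.g. LAN names going to the VPN resolver."""
    resolvers = parse_scutil_dns(scutil_text)
    leaks = {}
    for name, expected in expected_first_server.items():
        actual = resolver_for(name, resolvers)["nameservers"][0]
        if actual != expected:
            leaks[name] = actual
    return leaks


if __name__ == "__main__":
    want = {"some-host.lan": "192.168.0.10", "wiki.intranet": "10.0.0.2"}
    print("before /etc/resolver/lan:", leaked_queries(SCUTIL_DNS_BEFORE, want))
    print("after  /etc/resolver/lan:", leaked_queries(SCUTIL_DNS_AFTER, want))
```

On a real Mac, feed the output of `scutil --dns` to `parse_scutil_dns` instead of the constructed samples. One caveat worth knowing when verifying the fix: `host` and `dig` (as used in the question) read /etc/resolv.conf directly and ignore /etc/resolver, so they will keep reporting the VPN server even after the workaround; `dscacheutil -q host -a name some-host.lan` goes through the system resolver and reflects the per-domain configuration.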
