How to override DNS resolver ordering while connected to L2TP VPN

Tags: dns, network, vpn

OS: macOS Mojave 10.14 (18A389)

Current network setup:

  • Local domain: home.rossipedia.com
  • Subnet: 172.16.10.0/24
  • Gateway / DHCP server / DNS server: 172.16.10.1

Output of scutil --dns:

DNS configuration

resolver #1
  search domain[0] : home.rossipedia.com
  nameserver[0] : 172.16.10.1
  if_index : 21 (en8)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

... (mdns common stuff)...

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : home.rossipedia.com
  nameserver[0] : 172.16.10.1
  if_index : 21 (en8)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

This works fine. I can find *.home.rossipedia.com hosts without issue.

However, the moment I connect to an L2TP VPN, my system gets reconfigured to use the VPN DNS servers to resolve hosts on my home search domain.

$ scutil --dns
DNS configuration

resolver #1
  search domain[0] : home.rossipedia.com
  nameserver[0] : x.x.x.x  <- VPN DNS SERVER 1
  nameserver[1] : x.x.x.x  <- VPN DNS SERVER 2
  if_index : 23 (ppp0)
  flags    : Supplemental, Request A records
  reach    : 0x00000003 (Reachable,Transient Connection)
  order    : 100000

resolver #2
  nameserver[0] : 172.16.10.1
  if_index : 21 (en8)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)
  order    : 200000

... (mdns common stuff)...

The scoped queries configuration looks right, though:

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : home.rossipedia.com
  nameserver[0] : 172.16.10.1
  if_index : 21 (en8)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  search domain[0] : first.vpn.domain
  search domain[1] : second.vpn.domain
  nameserver[0] : x.x.x.x
  nameserver[1] : x.x.x.x
  if_index : 23 (ppp0)
  flags    : Scoped, Request A records
  reach    : 0x00000003 (Reachable,Transient Connection)

In my Network System Preferences, I have the VPN connection last in the Service Order dialog. If I move the VPN connection to before my ethernet connection, then my local DNS server doesn't show up in the resolver list at all (while connected to the VPN):

$ scutil --dns
DNS configuration

resolver #1
  search domain[0] : first.vpn.domain
  search domain[1] : second.vpn.domain
  nameserver[0] : x.x.x.x
  nameserver[1] : x.x.x.x
  if_index : 23 (ppp0)
  flags    : Supplemental, Request A records
  reach    : 0x00000003 (Reachable,Transient Connection)
  order    : 100000

resolver #2
  nameserver[0] : x.x.x.x <- these are the same as above
  nameserver[1] : x.x.x.x
  if_index : 23 (ppp0)
  flags    : Request A records
  reach    : 0x00000003 (Reachable,Transient Connection)
  order    : 200000

... (mdns common stuff)...

What I want:

Ideally, what I'd like to see when connected to a VPN is something like:

$ scutil --dns
DNS configuration

resolver #1
  search domain[0] : home.rossipedia.com
  nameserver[0] : 172.16.10.1
  if_index : 21 (en8)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  search domain[0] : first.vpn.domain
  search domain[1] : second.vpn.domain
  nameserver[0] : x.x.x.x
  nameserver[1] : x.x.x.x
  if_index : 23 (ppp0)
  flags    : Supplemental, Request A records
  reach    : 0x00000003 (Reachable,Transient Connection)
  order    : 100000

... (mdns common stuff)...

This way I could resolve all *.home.rossipedia.com hosts via my local DNS server at 172.16.10.1, and any hosts on my VPN domain would be resolved using the VPN DNS servers.

I've tried changing the order of services in the Network pref pane, changing the local domain on the DNS/DHCP server, and deleting and re-creating the VPN connection; nothing has worked so far.

Is this possible? Or am I misunderstanding how this all works?

Best Answer

My case was very similar. This worked:

  1. Ordered VPN connection first in Service Order dialog -- which removes local DNS server, as you noted;

  2. Created additional resolver for local lan:

    % sudo mkdir /etc/resolver
    % echo "nameserver 172.16.10.1" | sudo tee -a /etc/resolver/home.rossipedia.com
    

After that, both local and remote hosts became accessible via FQDN, such as host.first.vpn.domain and other.home.rossipedia.com.
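A way to verify that the `/etc/resolver` entry from the answer above actually took effect, added here as an example and not part of the answer or of macOS: it parses `scutil --dns` output and reports which nameservers serve a given `domain` resolver, and includes an idempotent writer for the resolver file. The embedded sample output and the VPN nameserver address 10.99.0.53 are constructed; on a real Mac, pipe the live `scutil --dns` into the check instead.

```shell
#!/bin/sh
# Constructed sample of `scutil --dns` output after /etc/resolver/home.rossipedia.com
# exists while the VPN is up. Not captured from a real machine; the VPN
# nameserver 10.99.0.53 is a made-up placeholder.
SAMPLE_SCUTIL='DNS configuration

resolver #1
  search domain[0] : first.vpn.domain
  nameserver[0] : 10.99.0.53
  if_index : 23 (ppp0)
  flags    : Supplemental, Request A records
  order    : 100000

resolver #2
  domain   : home.rossipedia.com
  nameserver[0] : 172.16.10.1
  flags    : Request A records
  order    : 200000
'

# Read scutil --dns output on stdin and print the nameserver addresses of the
# resolver whose "domain" line is exactly $1 (the kind of entry that
# /etc/resolver/<name> creates). Prints nothing when no such resolver exists.
nameservers_for_domain() {
  awk -v want="$1" '
    /^resolver #/ { matched = 0 }                    # start of a new resolver block
    $1 == "domain" && $3 == want { matched = 1 }     # line "domain : <want>"
    matched && $1 ~ /^nameserver\[[0-9]+\]$/ { print $3 }
  '
}

# Succeed only if domain $1 is served by nameserver $2 according to the stdin output.
check_resolver() {
  nameservers_for_domain "$1" | grep -qx "$2"
}

# Write "$1/$2" containing "nameserver $3", overwriting rather than appending
# so that re-running never leaves duplicate lines (the answer's `tee -a`
# appends a new line on every run). Point $1 at /etc/resolver under sudo.
write_resolver_entry() {
  mkdir -p "$1" && printf 'nameserver %s\n' "$3" > "$1/$2"
}

# Demonstration on the constructed sample; on a Mac pipe `scutil --dns` instead.
printf '%s\n' "$SAMPLE_SCUTIL" | check_resolver home.rossipedia.com 172.16.10.1 \
  && echo "home.rossipedia.com -> 172.16.10.1 (local resolver entry is active)"
```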