Regarding your first question, how does the VPN change the default DNS, I don't know the mechanism, but OSX provides programmatic access to networking settings via the DynamicStore APIs as well as via utilities like networksetup and scutil. This Apple doc has more info on how the settings are maintained internally. I would suppose built-in or third party-defined VPNs use those facilities.
Regarding your second question, how to stop the change, you can manually set the DNS associated with the VPN by going into Network Preferences, choosing the VPN network, going into Advanced, and inserting your own DNS servers there. Also, it might suffice simply to change the "service order" via the settings drop down button in the Network Preferences pane. If the WiFi or Ethernet network is listed before the VPN network, then its DNS may take precedence in some cases.
However, probably your problem is more subtle and what you would actually like is to use the VPN's DNS servers for certain domain names (assets inside the VPN) and your normal DNS servers for the rest of the Internet. This is not what's happening now because the VPN's DNS servers are serving all your DNS queries.
If you look up the OSX man page on resolver(5), and especially the section SEARCH STRATEGY, you can see that OSX has an internal mechanism which allows you to define multiple DNS resolvers, where some resolvers serve some domains (like *.mycompany.com) and other resolvers serve everything else. However, this cannot be configured from the Network Preferences pane.
It seems you can configure this partly by adding resolver configuration files into /etc/resolvers. However, I don't know if those would take precedence over the ones installed by your VPN. If they do not, your next best bet would be to use scutil to explicitly edit and replace the DNS settings created by the VPN client. If you run scutil, and do
show State:/Network/Global/DNS
you will probably see the offending DNS settings created by your VPN client. You should be able to remove or modify them using the scutil interactive commands.
You should also verify the VPN is not breaking routing to the Internet. Use netstat -r before and after starting the VPN to see what happens to the default route, in order to check that.
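The following is an added example, not part of the original answer: a shell sketch that reads `scutil --dns` output and reports which nameservers would answer for a given hostname, so you can check whether the VPN's resolver is serving every query or only its own domain. The sample output, addresses and function names are constructed, and the longest-suffix matching is an assumption modelled on the SEARCH STRATEGY section of resolver(5).

```shell
# Constructed sample of `scutil --dns` output; all addresses and domains are made up.
sample_scutil_dns() {
cat <<'EOF'
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)

resolver #2
  domain   : mycompany.com
  nameserver[0] : 10.8.0.1
  nameserver[1] : 10.8.0.2

resolver #3
  domain   : local
  options  : mdns

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.168.1.1
EOF
}

# One "domain ns1,ns2" line per resolver with nameservers; "*" = no domain (default).
# Stops at the per-interface "scoped queries" section, which is not domain-matched.
resolver_map() {
  awk '
    function emit() { if (ns != "") print dom, ns; dom = "*"; ns = "" }
    BEGIN { dom = "*" }
    /for scoped queries/ { exit }
    /^resolver #/ { emit() }
    /^[ \t]*domain[ \t]*:/ { dom = $NF }
    /^[ \t]*nameserver\[[0-9]+\][ \t]*:/ { ns = (ns == "" ? $NF : ns "," $NF) }
    END { emit() }'
}

# Nameservers expected to answer for host $1: longest domain suffix, else default.
resolver_for() {
  resolver_map | awk -v host="$1" '
    $1 == "*" { if (def == "") def = $2; next }
    { d = "." $1; h = "." host; n = length(h) - length(d) + 1
      if (n >= 1 && substr(h, n) == d && length(d) > best) { best = length(d); pick = $2 } }
    END { print (pick != "" ? pick : def) }'
}
```

On a Mac, run `scutil --dns | resolver_for wiki.mycompany.com` before and after connecting the VPN and compare the results with the same check for a public hostname.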
Best Answer
It is super easy, once you get the light:
Uninstall instead of Easy install. And there you go.