Use local DNS server for LAN and VPN provider's DNS server for WAN

Posted: Fri Sep 13, 2019 9:22 pm
by donnie
Hi all,

I have been extensively looking around forums and here, but have not found a working and viable solution for the following problem. (I have also seen the script in the goodies section, but it relies on TAP and my VPN provider only does TUN, so I cannot use that script).

The situation is as follows:

With my Mac (Mojave 10.14.6, Viscosity 1.7.16) I would like to access:
- local machines on the LAN directly through ethernet or wifi, local machine names to be resolved via the local DNS server (the VPN provider's DNS server doesn't know my machines anyway!)
- machines on the internet via Viscosity, internet machine names to be resolved via the DNS server of my VPN provider (it would also work through my local DNS server, but that represents a DNS leak, which I want to avoid!)

The problem is, that I did not find a configuration where macOS is using the DNS servers in a useful order.
I figure it would be best, if the DNS server of the VPN provider is queried first, so no DNS leak occurs.
For local machine names that would return NXDOMAIN and then the macOS resolver should ask the local DNS server.

However, no matter how I configure Viscosity (Full DNS, Split DNS, specify none, 1 or 2 DNS servers), only the first DNS server (depending on the setting that is the VPN DNS server or the local DNS server) is queried, but if that returns NXDOMAIN, the other DNS server does not get queried!

To be clear:
I want to resolve everything on the internet via the VPN DNS server. So it is not possible to specify a finite list of search domains for that.
I use the local machine names without a local network domain! The file server has the DNS name "filer", the mail server is "mailer", and so on. All this is configured in many applications like this for a long time, so I am reluctant to introduce a ".lan" domain.

In the current situation I can either
- resolve both names on the LAN and on the internet via the local DNS server, but the VPN DNS server is not used and this is an unwanted DNS leak, or
- resolve names on the internet using the VPN DNS server, but have to use IP addresses for machines on the LAN, which is clearly also not very elegant.

Why this is so is not clear to me - if I look into scutil --dns I can see that the local DNS server is indeed assigned to interface "en0" and search domain "lan", and the VPN DNS server is assigned to utun10 and the search domain "utun10.viscosity". Maybe someone can explain what is happening here when I resolve a local machine name.

I know that I could put the local names into /etc/hosts, but this solution is not very elegant: if I re-assign IP addresses or introduce new names on the local DNS server, this screams for inconsistencies.

Overall, I can live, but I am not fully happy.

Maybe you have a solution for the problem?

Re: Use local DNS server for LAN and VPN provider's DNS server for WAN

Posted: Sun Sep 15, 2019 3:55 pm
by James
Hi donnie,

It's possible to accomplish what you're after. Essentially you want a sort of "reverse" Split-DNS, where DNS lookups use the VPN connection by default except for the domain you specify, along with using that domain as a search domain so you can access hosts by a single name without needing to type any domain extensions.

I've outlined the steps you'll need to take below:

1. You will need to change the DNS records (or add additional) on your DNS server to use a domain extension. In this example I've used "myhome" (as that is what I tested with), however "lan" should probably work as well (macOS does have some reserved names, so if it doesn't work try something else). For example, create a record for "filer.myhome" on your DNS server.

2. Set your Viscosity VPN connection to use Full DNS mode. This will ensure DNS lookups use the VPN's DNS server by default.

3. Create a "resolver" record in macOS. In this example I've used 192.168.0.1 as the local DNS server, so adjust that to be your local DNS server's IP address before entering the commands. You'll need to enter these into the Terminal (/Applications/Utilities/Terminal).
Code:
# create the per-domain resolver directory (it does not exist by default)
sudo mkdir -p /etc/resolver
# queries for *.myhome go to the local DNS server instead of the VPN's
echo "nameserver 192.168.0.1" | sudo tee -a /etc/resolver/myhome
echo "domain myhome" | sudo tee -a /etc/resolver/myhome
# make "myhome" a search domain so plain "filer" also resolves
echo "search myhome" | sudo tee -a /etc/resolver/myhome

4. You're done. Connect your VPN connection and try pinging both "filer.myhome" and just "filer" and make sure they resolve.

Cheers,
James
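As an added example (not part of James's post), the script below wraps step 3 in a function that rewrites the resolver file instead of appending to it, validates the nameserver address, and checks a scutil --dns listing for the intended split: default resolver on the VPN's server, "myhome" on the local one. The domain "myhome" and local server 192.168.0.1 come from the post; the VPN DNS server 10.8.0.1 and the scutil output are constructed sample values.

```shell
#!/bin/sh
# write_resolver DOMAIN NAMESERVER [DIR]: (re)create DIR/DOMAIN with the three
# lines from the post. DIR defaults to /etc/resolver, so run it under sudo.
write_resolver() {
  domain=$1; ns=$2; dir=${3:-/etc/resolver}
  # accept only a dotted-quad IPv4 address with octets 0-255
  case $ns in
    *[!0-9.]*|.*|*.|*..*) echo "bad nameserver: $ns" >&2; return 1 ;;
  esac
  set -- $(printf '%s' "$ns" | tr '.' ' ')
  [ $# -eq 4 ] || { echo "bad nameserver: $ns" >&2; return 1; }
  for o; do [ "$o" -le 255 ] || { echo "bad nameserver: $ns" >&2; return 1; }; done
  mkdir -p "$dir" || return 1
  # write to a temp file and rename, so a re-run never leaves duplicate lines
  printf 'nameserver %s\ndomain %s\nsearch %s\n' "$ns" "$domain" "$domain" \
    > "$dir/$domain.tmp" && mv "$dir/$domain.tmp" "$dir/$domain"
}

# check_split OUTPUT DOMAIN LOCAL_NS VPN_NS: succeed only when resolver #1
# (the default) uses VPN_NS and the resolver for DOMAIN uses LOCAL_NS.
check_split() {
  out=$1; domain=$2; local_ns=$3; vpn_ns=$4
  default_ns=$(printf '%s\n' "$out" | awk '
    /^resolver #1$/ { in1 = 1; next }
    /^resolver #/   { in1 = 0 }
    in1 && /nameserver\[0\]/ { print $NF; exit }')
  domain_ns=$(printf '%s\n' "$out" | awk -v d="$domain" '
    $1 == "domain" && $3 == d { want = 1; next }
    /^resolver #/ { want = 0 }
    want && /nameserver\[0\]/ { print $NF; exit }')
  [ "$default_ns" = "$vpn_ns" ] && [ "$domain_ns" = "$local_ns" ]
}

# Constructed sample of what `scutil --dns` prints after steps 2 and 3.
SAMPLE_SCUTIL='DNS configuration

resolver #1
  search domain[0] : utun10.viscosity
  nameserver[0] : 10.8.0.1
  if_index : 15 (utun10)

resolver #2
  domain   : myhome
  nameserver[0] : 192.168.0.1'

# On a real Mac: sudo sh this_script.sh, then
#   check_split "$(scutil --dns)" myhome 192.168.0.1 <vpn-dns-ip> && echo "split OK"
```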