Use local DNS server for LAN and VPN provider's DNS server for WAN
Posted: Fri Sep 13, 2019 9:22 pm
Hi all,
I have been extensively looking around forums and here, but have not found a working and viable solution for the following problem. (I have also seen the script in the goodies section, but it relies on TAP and my VPN provider only does TUN, so I cannot use that script).
The situation is as follows:
With my mac (mojave 10.14.6, viscosity 1.7.16) I would like to access:
-local machines on the LAN directly through ethernet or wifi, local machine names to be resolved via the local DNS server (the VPN provider's DNS server doesn't know my machines anyway!)
-machines on the internet via Viscosity, internet machine names to be resolved via the DNS server of my VPN provider (it would also work through my local DNS server, but that represents a DNS leak, which I want to avoid!)
The problem is that I did not find a configuration where macOS is using the DNS servers in a useful order.
I figure it would be best if the DNS server of the VPN provider is queried first, so no DNS leak occurs.
For local machine names that would return NXDOMAIN, and then the macOS resolver should ask the local DNS server.
However, no matter how I configure Viscosity (Full DNS, Split DNS, specify none, 1 or 2 DNS servers), only the first DNS server (depending on the setting that is the VPN DNS server or the local DNS server) is queried, but if that returns NXDOMAIN, the other DNS server does not get queried!
To be clear:
I want to resolve everything on the internet via the VPN DNS server. So it is not possible to specify a finite list of search domains for that.
I use the local machine names without a local network domain! The file server has the DNS name "filer", the mail server is "mailer", and so on. All this has been configured like this in many applications for a long time, so I am reluctant to introduce a ".lan" domain.
In the current situation I can either
-resolve both names on the LAN and names on the internet via the local DNS server, but then the VPN DNS server is not used and this is an unwanted DNS leak.
-resolve names on the internet using the VPN DNS server, but have to use IP addresses for machines on the LAN, which is clearly also not very elegant.
Why this is so is not clear to me - if I look into scutil --dns I can see that the local DNS server is indeed assigned to interface "en0" and search domain "lan", and the VPN DNS server is assigned to utun10 and the search domain "utun10.viscosity". Maybe someone can explain what is happening here when I resolve a local machine name.
I know that I could put the local names into /etc/hosts, but this solution is not very elegant, if I re-assign IP addresses or introduce new names on the local DNS server this screams for inconsistencies.
Overall, I can live with it, but I am not fully happy.
Maybe you have a solution for the problem?
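An added worked example, not code from the original post or from Viscosity: a small model of the resolver selection the poster observes in scutil --dns, run against two constructed configurations. It encodes my reading of macOS resolver behaviour (search-list expansion of single-label names, longest suffix match on supplementary "domain" entries, otherwise resolver #1, no retry against another resolver after NXDOMAIN, and "for scoped queries" resolvers only used by queries explicitly bound to that interface). The IP addresses, the second "Split lan" configuration and all function names are assumptions for illustration; whether a given Viscosity setting produces that second state is not something the post establishes.

```python
"""Model of how the macOS resolver (mDNSResponder) picks ONE DNS server
for a query, driven by `scutil --dns` style text.  Constructed example for
this thread; not code from the original post or from Viscosity.

Rules modelled (my reading of macOS resolver behaviour, an assumption):
 1. A single-label name is expanded with the search domains of the default
    (unscoped) configuration before it is sent.
 2. Among unscoped resolvers, one with a `domain` field is used when that
    domain is the longest suffix of the query name; otherwise resolver #1.
 3. Resolvers in the "for scoped queries" section are only used by queries
    explicitly bound to that interface; their search domains do not apply
    to ordinary lookups.
 4. The chosen resolver's answer is final: NXDOMAIN does not trigger a retry
    against another resolver.
"""
from dataclasses import dataclass, field

# Constructed sample mirroring the post: the VPN DNS on utun10 is the default
# resolver, the LAN DNS on en0 (search domain "lan") is in the scoped section.
SCUTIL_FULL_DNS = """\
DNS configuration

resolver #1
  search domain[0] : utun10.viscosity
  nameserver[0] : 10.8.0.1
  if_index : 17 (utun10)
  order    : 100000

resolver #2
  domain   : local
  options  : mdns
  order    : 300000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : lan
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)
  flags    : Scoped, Request A records, Request AAAA records
"""

# Hypothetical state that would meet the poster's goal: the VPN stays the
# default resolver, "lan" is in the default search list AND a supplementary
# resolver for domain "lan" points at the LAN server.
SCUTIL_SPLIT_LAN = """\
DNS configuration

resolver #1
  search domain[0] : lan
  nameserver[0] : 10.8.0.1
  if_index : 17 (utun10)
  order    : 100000

resolver #2
  domain   : lan
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)
  order    : 100200
"""


@dataclass
class Resolver:
    nameservers: list = field(default_factory=list)
    search: list = field(default_factory=list)
    domain: str = ""      # set only on supplementary (split) resolvers
    mdns: bool = False    # multicast resolver for .local


def parse_scutil_dns(text):
    """Return (unscoped, scoped) resolver lists from `scutil --dns` text."""
    unscoped, scoped, current, target = [], [], None, None
    for line in text.splitlines():
        if line.startswith("DNS configuration"):
            target = scoped if "scoped" in line else unscoped
        elif line.startswith("resolver #"):
            current = Resolver()
            target.append(current)
        elif current is not None and " : " in line:
            key, value = (s.strip() for s in line.split(" : ", 1))
            if key.startswith("nameserver"):
                current.nameservers.append(value)
            elif key.startswith("search domain"):
                current.search.append(value)
            elif key == "domain":
                current.domain = value
            elif key == "options" and "mdns" in value:
                current.mdns = True
    return unscoped, scoped


def expand(name, search):
    """Names actually tried: search-list expansion first for a single label,
    then the name as typed."""
    name = name.rstrip(".")
    return [name] if "." in name else [f"{name}.{d}" for d in search] + [name]


def choose_resolver(qname, unscoped):
    """Longest-suffix match on supplementary `domain` entries, else #1."""
    labels = qname.lower().rstrip(".").split(".")
    best, best_len = unscoped[0], 0
    for r in unscoped:
        dom = r.domain.lower().split(".") if r.domain else []
        if dom and labels[-len(dom):] == dom and len(dom) > best_len:
            best, best_len = r, len(dom)
    return best


def resolution_plan(name, scutil_text):
    """(query name, server) pairs in the order macOS would try them. 'mDNS'
    marks the multicast resolver; no step ever falls back to a different
    server because of NXDOMAIN."""
    unscoped, _scoped = parse_scutil_dns(scutil_text)
    plan = []
    for qname in expand(name, unscoped[0].search):
        r = choose_resolver(qname, unscoped)
        plan.append((qname, "mDNS" if r.mdns else r.nameservers[0]))
    return plan


def leaks_to_lan(name, scutil_text, lan_server="192.168.1.1"):
    """True if any lookup for `name` reaches the LAN resolver; for an
    internet host name that is exactly the DNS leak the post wants to avoid."""
    return any(s == lan_server for _q, s in resolution_plan(name, scutil_text))


if __name__ == "__main__":
    for label, cfg in (("Full DNS", SCUTIL_FULL_DNS), ("Split lan", SCUTIL_SPLIT_LAN)):
        print(f"== {label} ==")
        for host in ("filer", "www.example.com", "printer.local"):
            print(f"{host:18} -> {resolution_plan(host, cfg)}")
```

In the "Full DNS" configuration "filer" is tried as "filer.utun10.viscosity" and then as "filer", both against the VPN server; the "lan" search domain never applies because it lives only in the scoped en0 entry, so the LAN server is never asked and the name fails. In the hypothetical "Split lan" state "filer" expands to "filer.lan", which the supplementary resolver routes to the LAN server, while "www.example.com" still goes only to the VPN server.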