As you accept using dnsmasq, how about this:

  1. Point your resolv.conf to 127.0.0.1 (nameserver 127.0.0.1)
  2. Try this config on your dnsmasq:

         server=/internal.example.com/192.168.1.53
         server=8.8.8.8

This would use 192.168.1.53 for domain "internal.example.com" and 8.8.8.8 for everything else.

Take a look at "-S, --local, --server=" option on dnsmasq man page.

Update: You may also want to disable DHCP, so as to avoid conflicts with your local router, and maybe listen only on the lo (127.0.0.1) interface.


It is possible to set DNS priority with

nmcli -p connection modify MY_VPN_CONNECTION ipv4.dns-priority -42

Found this here: https://github.com/systemd/systemd/issues/6076


Thanks to JucaPirama's answer for the direction I needed, this is my final setup using dnsmasq in front of systemd-resolved.

Disable the systemd-resolved stub DNS server. In /etc/systemd/resolved.conf change

#DNSStubListener=yes

to

DNSStubListener=no

Restart systemd-resolved.

sudo systemctl restart systemd-resolved

Install dnsmasq.

sudo apt-get install dnsmasq

Set up dnsmasq. In /etc/dnsmasq.conf, use systemd-resolved's resolv.conf file by changing

#resolv-file=/etc/resolv.conf

to

resolv-file=/run/systemd/resolve/resolv.conf

Set the VPN's DNS server for just its domains by adding

server=/internal.example.com/192.168.1.53

Disable DHCP to prevent any potential conflicts by changing

#no-dhcp-interface=

to

no-dhcp-interface=

Restart dnsmasq.

sudo systemctl restart dnsmasq

Unlink /etc/resolv.conf from systemd-resolved's configuration.

sudo unlink /etc/resolv.conf

Edit /etc/resolv.conf to use dnsmasq. This step might not be needed because Network Manager at some point overrode it to point to 127.0.0.53 anyway.

nameserver 127.0.0.53
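The `server=/domain/addr` split used in the first answer and in this setup, modelled as an added example (not code from any answer in this thread) so the forwarding decisions can be checked offline; the stand-in resolv.conf content and the query names are constructed.

```python
# Added example, not code from the answers above: a model of how dnsmasq picks
# an upstream for a name, so a split-DNS config like the ones in this thread can
# be checked offline. Rules, per the dnsmasq man page (-S, --server=): a name
# matches `server=/domain/addr` when it equals `domain` or ends in `.domain`,
# the longest matching domain wins, and every other name goes to the
# domain-less `server=` entries together with the resolv-file nameservers.

# Constructed config mirroring the answers (not a real file); the stand-in
# resolv.conf content is an assumption for the demo.
DNSMASQ_CONF = """
resolv-file=/run/systemd/resolve/resolv.conf
server=/internal.example.com/192.168.1.53
server=8.8.8.8
no-dhcp-interface=
"""
RESOLV_CONF = "nameserver 192.168.1.1\n"

def parse_resolv(text):
    """Nameserver addresses from a resolv.conf-style file."""
    return [ln.split()[1] for ln in text.splitlines()
            if ln.split()[:1] == ["nameserver"]]

def parse_dnsmasq(text):
    """Return (domain_map, defaults): domain -> addresses, and domain-less ones."""
    domain_map, defaults = {}, []
    for raw in text.splitlines():
        key, _, value = raw.strip().partition("=")
        if key not in ("server", "local") or not value:
            continue  # comments and unrelated options
        if not value.startswith("/"):
            defaults.append(value)  # plain server=addr
            continue
        parts = value.split("/")  # '/a/b/addr' -> ['', 'a', 'b', 'addr']
        addr, domains = parts[-1], parts[1:-1]
        for dom in domains:
            domain_map.setdefault(dom.lower().strip("."), []).append(addr)
    return domain_map, defaults

def upstream_for(name, domain_map, defaults):
    """Addresses dnsmasq would forward `name` to under this config."""
    name = name.lower().rstrip(".")
    hits = [d for d in domain_map if name == d or name.endswith("." + d)]
    return domain_map[max(hits, key=len)] if hits else list(defaults)

def resolve_plan(names):
    """Map each query name to its upstreams for the constructed config above."""
    dmap, defaults = parse_dnsmasq(DNSMASQ_CONF)
    defaults += parse_resolv(RESOLV_CONF)
    return {n: upstream_for(n, dmap, defaults) for n in names}
```

Note that `notinternal.example.com` does not match `internal.example.com`, since the match is on a label boundary, so it goes to the default upstreams like any public name.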