Mac OS X Mountain Lion - DNS resolving uses wrong order on VPN via dial-up connection

I had the same problem on my Mac, and after fixing it I figured out that it was caused by FortiClient (VPN client). Even when FortiClient was disconnected, its DNS still appeared in scutil.

The solution for me was:

scutil
> list ".*DNS"

This will show you a list of all DNS configs, that will look something like:

subKey [0] = State:/Network/Global/DNS
subKey [1] = State:/Network/MulticastDNS
subKey [2] = State:/Network/OpenVPN/DNS
subKey [3] = State:/Network/OpenVPN/OldDNS
subKey [4] = State:/Network/PrivateDNS
subKey [5] = State:/Network/Service/forticlientsslvpn/DNS

To check each of them run: (until you find the problematic one)

> get key_name
> d.show

…and to fix it run:

> get key_name
> d.remove ServerAddresses
> set key_name

This is how it looked on my machine:

> get State:/Network/Service/forticlientsslvpn/DNS
> d.show
<dictionary> {
  ServerAddresses : <array> {
    0 : 192.168.30.6
    1 : 192.168.30.15
  }
  SupplementalMatchDomains : <array> {
    0 :
  }
  SupplementalMatchOrders : <array> {
    0 : 100000
  }
}
> d.remove ServerAddresses
> d.show
<dictionary> {
  SupplementalMatchDomains : <array> {
    0 :
  }
  SupplementalMatchOrders : <array> {
    0 : 100000
  }
}
> set State:/Network/Service/forticlientsslvpn/DNS
> exit
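The same scutil steps, wrapped in a small POSIX shell helper. This is an added example, not code from the answer above: the live functions assume macOS and its `scutil` binary (and writing a key back with `set` normally needs root, so run the clearing step with sudo), while the two parsers work on captured text and are exercised here against constructed samples modelled on the session shown above, so they can be checked on any machine. The audit lists every DNS key in the dynamic store together with its ServerAddresses, which makes a leftover VPN entry like the forticlientsslvpn one easy to spot before removing it.

```shell
#!/bin/sh
# Added example, not part of the original answer. Assumes macOS `scutil` for the
# live helpers; the parsers only need sed/awk and run against constructed samples.

# Constructed sample of `scutil` output for `list ".*DNS"` (mirrors the answer).
SAMPLE_LIST='  subKey [0] = State:/Network/Global/DNS
  subKey [1] = State:/Network/MulticastDNS
  subKey [5] = State:/Network/Service/forticlientsslvpn/DNS'

# Constructed sample of a `d.show` dump with a stale VPN ServerAddresses array.
SAMPLE_DICT='<dictionary> {
  ServerAddresses : <array> {
    0 : 192.168.30.6
    1 : 192.168.30.15
  }
  SupplementalMatchDomains : <array> {
    0 :
  }
  SupplementalMatchOrders : <array> {
    0 : 100000
  }
}'

# Constructed sample of the same dictionary after `d.remove ServerAddresses`.
SAMPLE_DICT_CLEARED='<dictionary> {
  SupplementalMatchDomains : <array> {
    0 :
  }
  SupplementalMatchOrders : <array> {
    0 : 100000
  }
}'

# Turn `list ".*DNS"` output (stdin) into bare key names, one per line.
parse_dns_keys() {
  sed -n 's/^[[:space:]]*subKey \[[0-9]*\] = //p'
}

# Print the IPs inside the ServerAddresses array of a `d.show` dump (stdin),
# space separated on one line; prints nothing when the array is absent.
parse_server_addresses() {
  awk '
    /ServerAddresses : <array> \{/      { inarr = 1; next }
    inarr && /^[[:space:]]*\}/           { inarr = 0 }
    inarr && /^[[:space:]]*[0-9]+ : ./   { print $3 }
  ' | tr '\n' ' ' | sed 's/ $//'
}

# Live helpers (macOS only): the scutil commands from the answer, fed via stdin.
list_dns_keys() { printf 'list ".*DNS"\n' | scutil | parse_dns_keys; }
show_dns_key()  { printf 'get %s\nd.show\n' "$1" | scutil; }
# Remove the ServerAddresses array from one key and write it back (needs root).
clear_server_addresses() {
  printf 'get %s\nd.remove ServerAddresses\nset %s\n' "$1" "$1" | scutil
}

# Print every DNS key with the servers it currently carries, so a stale
# entry from a disconnected VPN client stands out.
audit_dns_keys() {
  for key in $(list_dns_keys); do
    printf '%s: %s\n' "$key" "$(show_dns_key "$key" | parse_server_addresses)"
  done
}

# Only run the audit where scutil exists; elsewhere the parsers are still usable.
if command -v scutil >/dev/null 2>&1; then
  audit_dns_keys
fi
```

Run the audit first, decide which key is stale, then `sudo sh -c '. ./dnsaudit.sh; clear_server_addresses State:/Network/Service/<id>/DNS'` for that key only; clearing State:/Network/Global/DNS would break resolution for everything.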

This is still happening in 10.13.0

I have opened a bug report with Apple. It's not normal that "ping internalhostname" works but "host internalhostname" or "nslookup internalhostname" fails with split tunnel VPNs (Cisco IPSec based or IKEv2).

Also, as some have noticed, Cisco IPsec connections as well as IKEv2 connections cannot be prioritized with "Set service order", unlike L2TP/IPsec which can.

Another point I'd like to bring up is that split tunnel Cisco IPSec or IKEv2 VPNs do not show any DNS servers or Search Domains in their Advanced settings even though this information does show up with "scutil --dns". L2TP/IPsec VPNs do show this information just fine.

Something has to give and Apple needs to provide some explanation/fix.


I found a workaround: your VPN DNS will still be ignored, and only the 3G-dongle DNS will be used, but just adding your VPN DNS to the list under the 3G interface does the trick… The main problem is that the 3G connectivity manager overwrites the configuration every time you click connect, and you need the connectivity manager to enable the radio on the 3G dongle… so I mixed both solutions in one:

  1. Connect to your VPN and write down your DNS (I have 2 on the list). You can check it in Network Preferences → Advanced → DNS tab. Disconnect VPN. You need to connect to VPN because DNS is assigned dynamically upon connection…

  2. Connect to your 3G and do the same: write the DNS on paper. Then disconnect 3G.

  3. Go to Network Preferences → click on 3G interface → Advanced → DNS Tab, and under DNS table (that typically will be empty as you are not connected) click on '+'. Add all the DNS servers (those from 3G first and then add VPN later). Click OK and Apply.

  4. From now on, to connect to 3G, just plug your USB and wait until you have 3G coverage (you will need to open 3G connectivity manager), but do not use the supplied connectivity manager to connect. And if it automatically connects, go to preferences and uncheck that tick. You need that manager only to turn radio on in the USB Dongle, nothing else.

    If you click on "connect" on your 3G manager, it will overwrite configuration on your 3G interface and you need to repeat step 3 again.

  5. Go to Network → Preferences and click on the 3G interface. Then click connect. It will connect to your 3G using the configured DNS servers (instead of dynamically received), that include both the "public" DNS and your VPN DNS.

  6. Connect to your VPN. It will work as expected.

Just be aware that:

  • If your VPN DNS changes, you need to change it manually. This can easily be checked under Network → VPN interface → Advanced → DNS tab since your VPN DNS is still assigned dynamically to the interface (although ignored by OS X).

  • If your 3G DNS changes (unlikely) you need to change it manually too. If something goes wrong and you cannot navigate you need to go through your 3G connectivity manager, click "Connect" and see what DNS are dynamically assigned… That will require you to go back to step 3 and reconfigure it.


I had the same issue for a long time, but now I have had time to find a solution that works for me. I didn't change the order of the DNS servers, but I'm using the DNS server behind the VPN permanently.

  1. Connect via dial-up.

  2. Connect the VPN connection and copy the DNS server IPs and the search domain from VPN Connection → Advanced → DNS.

  3. Disconnect the VPN connection.

  4. Ping <name> or <hostname> of your VPN server and write down the IP.

  5. Disconnect the dial-up connection.

  6. Duplicate the dial-up connection (e.g. name it "3G for VPN").

  7. Enter the IPs and the search domain into the DNS tab of the dial-up connection. They will be stored and used permanently.

  8. Connect via the new dial-up connection.

  9. Now you have no access to the nameservers (because they are secured by the VPN) - you have to edit the server address of the VPN connection. Replace the host by the IP.

  10. Connect via VPN connection and you should be able to use it.

Note: In general hostnames do not change, but IPs can. So if it's not working someday, do the steps again…