How to not use VPN's DNS on OS X?
September 11, 2007 6:52 AM

When I connect to my VPN in OS X (using the built-in client), all DNS requests are sent through the VPN. How can I prevent this?

I have the checkbox "send all traffic through VPN connection" unchecked, so I can use the internet and the VPN at the same time. However, once I'm connected to the VPN, DNS goes through the VPN, which makes everything horrifically slow. I'd like to have my DNS servers remain unchanged. All the sites I access on the VPN are in my /etc/hosts, so I don't need the VPN's (very slow) DNS servers.

Is there something I can do at the command line maybe to change the DNS servers back after connecting?
posted by dmd to Computers & Internet (12 answers total)

Edit /etc/resolv.conf
posted by majick at 7:23 AM on September 11, 2007


This is for Win2K, but it might work...

- In the VPN properties, click into the networking tab.
- Click Internet Protocol and click the Properties button.
- Click the Advanced button
- Untick "Use default Gateway on remote network"

If that doesn't work then in this dialog (DNS tab), you can also set up the DNS servers for the particular connection.
posted by seanyboy at 7:24 AM on September 11, 2007


OSX. (My bad - Sorry.)
posted by seanyboy at 7:24 AM on September 11, 2007


What version of OS X are you using? In 10.4 and later, you can manually specify DNS servers. Open System Preferences and click the Network item. Select your VPN connection from the "Show" menu, then enter your preferred DNS servers in the "DNS Servers" section. These should override anything that the VPN specifies.
posted by pmbuko at 7:26 AM on September 11, 2007


Interesting question. Usually, sending DNS through the VPN is regarded as a feature, not a bug ... but in your situation I can see how it would be undesirable.

How do you have your DNS server set up in the Networking preference pane? Although I've never really checked to see how OS X decides what traffic to put through the VPN when you have the "send all traffic" option off, my guess would be that it does it by subnet. (If not by domain, which would be the logical choice, except that it's obviously not doing that since that wouldn't include DNS queries.)

Perhaps if you explicitly define a DNS server in your Network preferences, and make sure that it's one that's outside the subnet used by the VPN, OS X will use it? That would be my first try, anyway.
posted by Kadin2048 at 7:26 AM on September 11, 2007


Also, I haven't tried it, but the solution discussed here looks promising.
posted by pmbuko at 7:30 AM on September 11, 2007


(OS X doesn't use /etc/resolv.conf, at least recent versions. Neither is this a packet routing problem.)

Here's one way to do it: Install "dnsmasq" locally (google "Fink") and set your nameserver to use the local address (127.0.0.1). Then, set dnsmasq rules to divert certain kinds of queries to certain other nameservers.

http://www.thekelleys.org.uk/dnsmasq/doc.html
http://finkproject.org/
posted by cmiller at 7:36 AM on September 11, 2007


By "set your nameserver to use the local address" I meant "set your computer network settings to point to the local address only". Do that in SysPref -> Network.

Sorry.
posted by cmiller at 7:37 AM on September 11, 2007


"OS X doesn't use /etc/resolv.conf, at least recent versions."

This is correct and I am in error. I just so happen to have BIND installed -- nearly everyone else won't.
posted by majick at 7:51 AM on September 11, 2007


I'm not sure you want to do what you say you want. Understand that if you achieve what you seek -- keeping your DNS servers local to your machine -- then if your workplace has a behind-the-firewall DNS server that serves up names of internal hosts, you won't be able to use that at all. This is pretty common -- and it'll mean that you won't be able to resolve the names of many hosts you probably use regularly when you're connected to your VPN.
posted by delfuego at 8:01 PM on September 11, 2007


Response by poster: delfuego, reread the question carefully.
posted by dmd at 5:29 AM on September 12, 2007


Best answer: I shouldn't give answers when I'm sleepy, sorry. Let me rephrase:

"dnsmasq" is a fake nameserver that you can install locally. In its configuration, you tell it pairs of zones + nameservers, and it proxies your requests for a record in such a zone to such a nameserver. E.g., you might say

server=/arpa/[address of normal nameserver]
server=/business.example.com/[vpn nameserver]
server=/oc.te.ts.in-addr.arpa/[vpn nameserver]
server=[address of normal nameserver] # the default

So, looking up foo.business.example.com would be forwarded to [vpn nameserver], and blah.com would be forwarded to [address of normal nameserver].
posted by cmiller at 7:29 AM on September 12, 2007
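As an added illustration (not code from the thread or from the dnsmasq project), here is a small Python model of how dnsmasq's `server=/zone/address` rules pick an upstream: the most specific configured zone that is a suffix of the queried name wins, and the bare `server=` entry is the fallback. The addresses in the sample config are constructed placeholders.

```python
from typing import List, Optional, Tuple

# Constructed sample config in dnsmasq's server= syntax (placeholder addresses,
# not real servers): the VPN-only zones go to the VPN resolver, everything
# else goes to the normal resolver.
SAMPLE_CONFIG = """
server=/arpa/192.0.2.53                   # reverse lookups: normal resolver
server=/business.example.com/10.0.0.2     # work hosts: VPN resolver
server=/1.0.10.in-addr.arpa/10.0.0.2      # reverse lookups for the VPN subnet
server=192.0.2.53                         # the default
"""


def parse_servers(config: str) -> List[Tuple[str, str]]:
    """Return (zone, address) pairs; zone '' marks the default upstream."""
    rules = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line.startswith("server="):
            continue
        value = line[len("server="):]
        if value.startswith("/"):
            _, zone, addr = value.split("/", 2)  # "/zone/address"
            rules.append((zone.lower().strip("."), addr.strip()))
        else:
            rules.append(("", value.strip()))
    return rules


def choose_upstream(name: str, rules: List[Tuple[str, str]]) -> Optional[str]:
    """Pick the upstream for `name`: longest matching zone suffix wins."""
    labels = name.lower().strip(".").split(".")
    best_len, best = -1, None
    for zone, addr in rules:
        zone_labels = zone.split(".") if zone else []
        n = len(zone_labels)
        if n and labels[-n:] != zone_labels:
            continue  # zone is not a suffix of the queried name
        if n > best_len:
            best_len, best = n, addr
    return best


if __name__ == "__main__":
    rules = parse_servers(SAMPLE_CONFIG)
    for q in ("foo.business.example.com", "blah.com", "5.1.0.10.in-addr.arpa"):
        print(q, "->", choose_upstream(q, rules))
```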

