Comments on: How to not use VPN's DNS on OS X?

Question: How to not use VPN's DNS on OS X?

dmd — Tue, 11 Sep 2007 06:52:07 -0800

When I connect to my VPN in OS X (using the built-in client), all DNS requests are sent through the VPN. How can I prevent this?

I have the checkbox "send all traffic through VPN connection" unchecked, so I can use the internet and the VPN at the same time. However, once I'm connected to the VPN, DNS goes through the VPN, which makes everything horrifically slow. I'd like to have my DNS servers remain unchanged. All the sites I access on the VPN are in my /etc/hosts, so I don't need the VPN's (very slow) DNS servers.

Is there something I can do at the command line maybe to change the DNS servers back after connecting?

By: majick

majick — Tue, 11 Sep 2007 07:23:29 -0800

Edit /etc/resolv.conf

By: seanyboy

seanyboy — Tue, 11 Sep 2007 07:24:19 -0800

This is for Win2K, but it might work...

- In the VPN properties, click into the networking tab.
- Click Internet Protocol and click the Properties button.
- Click the Advanced Button
- Untick "Use default Gateway on remote network"

If that doesn't work then in this dialog (DNS tab), you can also set up the DNS servers for the particular connection.

By: seanyboy

seanyboy — Tue, 11 Sep 2007 07:24:53 -0800

OSX. (My bad - Sorry.)

By: pmbuko

pmbuko — Tue, 11 Sep 2007 07:26:03 -0800

What version of OS X are you using? In 10.4 and later, you can manually specify DNS servers. Open System Preferences and click the Network item. Select your VPN connection from the "Show" menu, then enter your preferred DNS servers in the "DNS Servers" section. These should override anything that the VPN specifies.

By: Kadin2048

Kadin2048 — Tue, 11 Sep 2007 07:26:32 -0800

Interesting question. Usually, sending DNS through the VPN is regarded as a feature, not a bug ... but in your situation I can see how it would be undesirable.

How do you have your DNS server set up in the Networking preference pane? Although I've never really checked to see how OS X decides what traffic to put through the VPN when you have the "send all traffic" option off, my guess would be that it does it by subnet. (If not by domain, which would be the logical choice, except that it's obviously not doing that since that wouldn't include DNS queries.)

Perhaps if you explicitly define a DNS server in your Network preferences, and make sure that it's one that's outside the subnet used by the VPN, OS X will use it? That would be my first try, anyway.

By: pmbuko

pmbuko — Tue, 11 Sep 2007 07:30:28 -0800

Also, I haven't tried it, but the solution discussed here looks promising.

By: cmiller

cmiller — Tue, 11 Sep 2007 07:36:13 -0800

(OS X doesn't use /etc/resolv.conf, at least recent versions. Neither is this a packet routing problem.)

Here's one way to do it: Install "dnsmasq" locally (google "Fink") and set your nameserver to use the local address (127.0.0.1). Then, set dnsmasq rules to divert certain kinds of queries to certain other nameservers.

http://www.thekelleys.org.uk/dnsmasq/doc.html
http://finkproject.org/

By: cmiller

cmiller — Tue, 11 Sep 2007 07:37:26 -0800

By "set your nameserver to use the local address" I meant "set your computer network settings to point to the local address only". Do that in SysPref -> Network.

Sorry.

By: majick

majick — Tue, 11 Sep 2007 07:51:21 -0800

"OS X doesn't use /etc/resolv.conf, at least recent versions."

This is correct and I am in error. I just so happen to have BIND installed -- nearly everyone else won't.

By: delfuego

delfuego — Tue, 11 Sep 2007 20:01:03 -0800

I'm not sure you want to do what you say you want. Understand that if you achieve what you seek -- keeping your DNS servers local to your machine -- then if your workplace has a behind-the-firewall DNS server that serves up names of internal hosts, you won't be able to use that at all. This is pretty common -- and it'll mean that you won't be able to resolve the names of many hosts you probably use regularly when you're connected to your VPN.

By: dmd

dmd — Wed, 12 Sep 2007 05:29:08 -0800

delfuego, reread the question carefully.

By: cmiller

cmiller — Wed, 12 Sep 2007 07:29:24 -0800

I shouldn't give answers when I'm sleepy, sorry. Let me rephrase:

"dnsmasq" is a fake nameserver that you can install locally. In its configuration, you tell it pairs of zones+nameservers, and it proxies your requests for a record such zone to such nameserver. E.g., you might say

server=/arpa/[address of normal nameserver]
server=/business.example.com/[vpn nameserver]
server=/oc.te.ts.in-addr.arpa/[vpn nameserver]
server=[address of normal nameserver] # the default

So, looking up foo.business.example.com would be forwarded to [vpn nameserver], and blah.com would be forwarded to [address of normal nameserver].