Apple - Force DNS resolution to happen outside VPN

I have a similar situation where I have to use a very heavy-handed captive portal Wi-Fi connection with a very heavy-handed, very creepy virtual firewall. Not only does it snoop on secure connections, it impersonates DNS server IPs, using DPI (when it detects the request).

The only thing that works for me is to go over the top of the VPN/firewall rather than try to sneak under it, using dnscrypt-proxy using only DNS-over-HTTPS, as it can detect the dnscrypt protocol. Right now, it's not aware of DNS-over-HTTPS at all.

I implement it using a LaunchAgent that watches /etc/resolve.conf for changes, and when it detects a change, it restarts dnscrypt-proxy, then runs networksetup -setdnsservers Wi-Fi 127.0.0.1.

Aside: I've been using Quad9 for a while now, and much prefer it to Google and CloudFlare.

Edit: After playing a bit more with this, I'm noticing that IPv6 addresses are somehow resolved with ::1 as a DNS server (I haven't even figured out where the traffic is to/from), even if there are no other DNS servers set. So probably better to just disable IPv6 if you can.


Edit 2:

Yeah, I think being able to split out that route might be just too much to do with the newer system-level VPN implementation; I think DNS proxying is probably your best bet. It might be possible to remove ipsec0 as the default route and then add it back for a restricted IP range... but every time I try this (with IKEv2, not AnyConnect, but I'm assuming they're using the same API) it just... stops.

As for the residual traffic, maybe it's Rendezvous? sudo killall -HUP mDNSResponder; sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist?

Also, perhaps you might be able to use an app like Shimo? It's available with Setapp! I don't know exactly how AnyConnect works, but it says it supports it, and it has configuration options available that are exactly what you are looking for for other protocols, including IKE, so... maybe?

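A constructed example of the resolv.conf watcher the answer above describes (added here; not the answerer's own files): a script that launchd runs whenever /etc/resolv.conf changes, restarting dnscrypt-proxy and re-pinning the Wi-Fi DNS to 127.0.0.1. The dnscrypt-proxy launchd label and the install path are assumptions.

```shell
#!/bin/sh
# Constructed example of the resolv.conf watcher described above (not the answerer's own files).
# Assumed: dnscrypt-proxy is the system launchd job "homebrew.mxcl.dnscrypt-proxy" and this
# script lives at the path given to gen_plist. networksetup -setdnsservers needs admin rights,
# so load the plist as a LaunchDaemon (root) rather than a per-user agent.
set -eu
WATCHED_FILE="/etc/resolv.conf"
SERVICE="Wi-Fi"
LOCAL_RESOLVER="127.0.0.1"
DNSCRYPT_LABEL="homebrew.mxcl.dnscrypt-proxy"   # assumed label

# Succeed (exit 0) when the DNS list for $SERVICE is anything other than exactly the
# local resolver. $1 is the output of `networksetup -getdnsservers "$SERVICE"`:
# one address per line, or a "There aren't any DNS Servers set ..." sentence.
dns_needs_reset() {
    [ "$(printf '%s\n' "$1" | tr -d ' ')" != "$LOCAL_RESOLVER" ]
}
# Restart dnscrypt-proxy, then pin the service's DNS back to 127.0.0.1 if the
# captive portal / VPN has replaced it.
apply_local_resolver() {
    current="$(networksetup -getdnsservers "$SERVICE")"
    if dns_needs_reset "$current"; then
        launchctl kickstart -k "system/$DNSCRYPT_LABEL"
        networksetup -setdnsservers "$SERVICE" "$LOCAL_RESOLVER"
    fi
}
# Emit a launchd plist whose WatchPaths entry fires on every change to /etc/resolv.conf.
# $1 is the absolute path of this script.
gen_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>local.dns-pin</string>
    <key>ProgramArguments</key>
    <array><string>$1</string><string>apply</string></array>
    <key>WatchPaths</key>
    <array><string>$WATCHED_FILE</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
}

case "${1:-}" in
    apply) apply_local_resolver ;;          # invoked by launchd on each resolv.conf change
    plist) gen_plist "$(cd "$(dirname "$0")" && pwd)/$(basename "$0")" ;;
esac
```

Run `./dns-pin.sh plist > /Library/LaunchDaemons/local.dns-pin.plist` once, then `sudo launchctl load -w` that file; `launchctl kickstart -k` is available on macOS 10.10 and later.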


The short answer is you likely cannot make this change.

This is a very typical situation where the managed settings disallow a split VPN tunnel situation. Literally, when you connect to the VPN gateway - it ensures you can no longer reach any network destination except for the DNS and settings that are on the other end network of where the VPN terminates.

To fix this, you need to:

  • Change your VPN configuration to allow a split tunnel - possibly needing the network administrators to bless this change / make it effective.
  • Not engage the VPN at all
  • Set up a virtual machine so that you can maintain control of your OS and only allow the guest OS to connect to the VPN
  • Convince the network admin to change the DNS at the other end to meet your needs (secondary DNS setting you have before you connect to VPN, change the forwarders, etc.)
  • Use a different client or client setting to avoid the profile you run in Cisco (assuming the Cisco client won't let you change the configuration) - Force DNS server ip while connected to VPN

(this is a common question that never gets an answer other than - don't use VPN, but I hope there is a way for you)

  • How to override DNS resolver ordering while connected to L2TP VPN
  • yosemite DNS resolution woes over IPSec tunnels / VPN
  • Force DNS server ip while connected to VPN
  • Mac OS X Mountain Lion - DNS resolving uses wrong order on VPN via dial-up connection