Setting up split DNS on macOS


Aditya Sharma

Jul 13, 2018, 8:16:52 AM
to tunnelblick-discuss
Hi,

I have the latest build of Tunnelblick on Mac. I will describe my setup for easy understanding:

I have 3 OpenVPN servers, each with a separate encryption domain/subnet behind them. Also, they have separate domain names and DNS servers as well that I push through the servers to the clients. I am able to connect to the 3 servers simultaneously and also able to connect to the remote servers behind the VPN servers.

THE PROBLEM:

The 3 VPN servers have the following properties (subnet behind them, domain, DNS server):

1. 10.0.0.0  a.com 10.0.0.2
2. 10.0.1.0 b.com 10.0.1.2
3. 10.0.2.0 c.com 10.0.2.2

My problem is, when I connect to servers, let's say in the order 1, 2 then 3, the Mac DNS entries are overwritten rather than getting appended. This makes only the last connected VPN resolve DNS queries. How to make sure that the DNS queries are:

1. Appended instead of overwritten,
2. If the above point is solved, will it make sure the domains will be linked to their respective DNS servers? 

I have read about split DNS but don't know how to go about it on Mac. It works fine on Linux though. Apologies for the long post, didn't want to leave any doubts.

Tunnelblick developer

Jul 13, 2018, 9:12:21 AM
to tunnelblick-discuss
Tunnelblick doesn't do split DNS.

To append the DNS servers instead of overwriting them, you'd have to write your own modified versions of Tunnelblick's client.up.tunnelblick.sh and client.down.tunnelblick.sh scripts and use them.

However, that won't solve the problem because on macOS (as opposed to Windows) if you have multiple nameservers only the first is queried unless it fails to respond, in which case the second is used, etc. And there is a long timeout to determine if a nameserver is responding -- tens of seconds.

So you also need to implement "Split DNS", which involves manipulating folders and files in macOS so that all a.com queries go to 10.0.0.2, b.com queries go to 10.0.1.2, etc.

Not for the faint of heart, but it can be done.

Gordon Ross

Oct 30, 2021, 3:50:31 PM
to tunnelblick-discuss
I had a similar problem where Tunnelblick was _replacing_ the default resolver configuration
(DOMAIN=something.local, DNS=192.168.1.1) instead of adding a domain-specific resolver.
That change means I could not get to my printer, backup server, etc. by their names.

I found a work-around after the suggestion to search the web for:
  mac domain-specific dns configuration
and found this helpful post:

Following the approach suggested there, I:
   created the directory /etc/resolver
   created the file /etc/resolver/myvpn
with contents like:
  search domain1.myvpn.com domain2.myvpn.com
  nameserver 10.1.1.1
  nameserver 10.1.1.2

This leaves the default resolver configuration as it was
(which I understand is the preferred approach for this on mac)
and just adds a domain-specific resolver for the domains.

Now it turns out all of those domains and nameservers are given to the Tunnelblick client during connect, so if I had more time and familiarity with the "up" and "down" scripts, I might be tempted to try to write a pair of up/down scripts that create /etc/resolver/something with the domains and nameservers it gets from the pushed dhcp-option(s). Alas, not today...

Hope this helps the next poor soul who wondered why they couldn't get to things on their LAN by name.
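The following is an added example, not Tunnelblick's own client.up.tunnelblick.sh/client.down.tunnelblick.sh and not code from either poster. It sketches the up/down pair Gordon describes and the per-domain resolver files the developer refers to: OpenVPN exposes pushed options to up/down scripts as the environment variables foreign_option_1, foreign_option_2, ... (values such as "dhcp-option DOMAIN a.com" and "dhcp-option DNS 10.0.0.2"), and macOS reads one file per domain from /etc/resolver, using the file name as the domain to match. The script writes one such file per pushed DOMAIN listing the pushed DNS servers and leaves the system-wide resolver untouched. The "up"/"down" first argument and the RESOLVER_DIR override are assumptions of this example (the real Tunnelblick scripts receive different arguments); the env var values shown in the comments are constructed.

```shell
#!/bin/sh
# Hypothetical OpenVPN up/down helper for macOS split DNS (added example,
# not Tunnelblick's script). Assumes OpenVPN's foreign_option_N variables,
# e.g. (constructed values):
#   foreign_option_1="dhcp-option DOMAIN a.com"
#   foreign_option_2="dhcp-option DNS 10.0.0.2"
# RESOLVER_DIR is overridable so the logic can be exercised without root.

RESOLVER_DIR="${RESOLVER_DIR:-/etc/resolver}"

# Print the values of all pushed "dhcp-option <kind> <value>" entries,
# one per line, where <kind> is DOMAIN or DNS. Stops at the first gap in
# the foreign_option_N numbering, which is how OpenVPN hands them over.
collect_options() {
    kind="$1"
    i=1
    while :; do
        eval "val=\${foreign_option_$i:-}"
        [ -n "$val" ] || break
        case "$val" in
            "dhcp-option $kind "*) printf '%s\n' "${val#dhcp-option $kind }" ;;
        esac
        i=$((i + 1))
    done
}

# "up": write $RESOLVER_DIR/<domain> for every pushed DOMAIN, listing every
# pushed DNS server. The file name is what macOS matches queries against;
# the servers are tried in the order written (first one wins unless it
# stops responding, as the developer notes above).
write_resolver_files() {
    domains=$(collect_options DOMAIN)
    servers=$(collect_options DNS)
    [ -n "$domains" ] && [ -n "$servers" ] || return 1   # nothing usable was pushed
    mkdir -p "$RESOLVER_DIR"
    for d in $domains; do
        {
            echo "# written by the VPN up script; removed by the down script"
            for s in $servers; do
                echo "nameserver $s"
            done
        } > "$RESOLVER_DIR/$d"
    done
}

# "down": remove only the files this connection created, so resolver files
# belonging to other simultaneously connected VPNs are left alone.
remove_resolver_files() {
    for d in $(collect_options DOMAIN); do
        rm -f "$RESOLVER_DIR/$d"
    done
}

# Dispatch on the first argument (assumed convention for this example).
case "${1:-}" in
    up)   write_resolver_files ;;
    down) remove_resolver_files ;;
esac
```

Because each VPN's domains get their own files, connecting to three servers in sequence appends resolvers instead of replacing them, which is exactly the behaviour the original question asks for. After connecting, `scutil --dns` lists the per-domain resolvers macOS has picked up, and a file that does not appear there usually means its name is not the domain being queried.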
