How to "append" VPN nameserver to my existing nameserver list?


Kamzata

Dec 27, 2025, 12:10:29 PM (6 days ago) 12/27/25
to tunnelblick-discuss
I'm using Tunnelblick 8.0 (build 6300). It seems to work fine but I'd like to append the nameserver provided by the VPN connection to my local nameserver list. At the moment Tunnelblick just replaces my local nameserver list with the VPN nameserver set.

How can I achieve this? 

Tunnelblick Developer

Dec 27, 2025, 12:21:53 PM (6 days ago) 12/27/25
to tunnelblick-discuss
Why do you want to do that?

On macOS, if you have two name servers, the first one is used until there is an error. Then the second one is used until there is an error, then the third one is used, and so on. Windows used to do it differently: it would query all the name servers and use the result from the first one to respond, so having multiple name servers would sometimes result in faster Internet accesses. I don't know if that is still true.

If your VPN is providing a DNS address, it is almost always advisable to use that address, and not silently start using a different one.

If you wish to specify a specific DNS which should be used (e.g. your own DNS server, Google DNS or similar), and you manually enter that address in your macOS network settings, by default Tunnelblick will respect that and not modify the name server list. There's a checkbox to allow Tunnelblick to override that and use the VPN-provided name server list.

Kamzata

Dec 27, 2025, 12:29:45 PM (6 days ago) 12/27/25
to tunnelblick-discuss
I want to do that because I have a custom local dns and another one for a Wireguard connection which works simultaneously. 

Tim Gahagan

Dec 27, 2025, 12:36:26 PM (6 days ago) 12/27/25
to tunnelbli...@googlegroups.com, tunnelblick-discuss
That’s not how DNS works.

As said, the first DNS server works until the other one is “unreachable”; that does not mean “if no DNS entry in this server, try the other server.”

So what you need to do is work on the local DNS server and add a forwarder for the other DNS or the WireGuard host/CNAME.

Then the first DNS server will have a forwarder, so when a client asks for that domain it sends to the other server.


On Dec 27, 2025, at 11:29 AM, Kamzata <kam...@gmail.com> wrote:

I want to do that because I have a custom local dns and another one for a Wireguard connection which works simultaneously. 

Kamzata

Dec 27, 2025, 12:42:56 PM (6 days ago) 12/27/25
to tunnelblick-discuss
Got it. Thanks for the clarification. So, maybe I can think of a sort of script in order to add the forwarder on the local DNS server once the VPN connection is established?

Tim Gahagan

Dec 27, 2025, 1:41:38 PM (6 days ago) 12/27/25
to tunnelbli...@googlegroups.com, tunnelblick-discuss
Script?

Just add the other a forwarder to the other server.

It won’t ever matter until you need to access that domain and the primary will say “I don’t have that but I know the server that does”

I’d honestly ai this. I hate dns. And have to switch brains to do it.
So ai is likely your friend.

Tim Gahagan

On Dec 27, 2025, at 11:43 AM, Kamzata <kam...@gmail.com> wrote:

Got it. Thanks for the clarification. So, maybe I can think of a sort of script in order to add the forwarder on the local DNS server once the VPN connection is established?

Kamzata

Dec 27, 2025, 7:37:45 PM (5 days ago) 12/27/25
to tunnelblick-discuss
Thanks for your reply. I tried but it doesn't work. I've come to think there's an issue with this idea: my local DNS server does not have access to the VPN network so it's not able to reach the VPN DNS server. Maybe I should set up a client-level DNS server on every machine connected to the VPN in order to forward the DNS request on the right network?

Kamzata

Dec 27, 2025, 7:43:26 PM (5 days ago) 12/27/25
to tunnelblick-discuss
Maybe I should use a DNS forwarder like Dnsmasq in every (unix based) client...

Tim Gahagan

Dec 27, 2025, 7:56:22 PM (5 days ago) 12/27/25
to tunnelbli...@googlegroups.com, tunnelblick-discuss
A DNS forwarder should work.
But let me ask, is this for a home network? I only ask because I have migrated to Tailscale and I don’t have the consistent DNS issues I used to. I can set a node (think old VPN server) and an end point and still get internal and outbound access.

I used to battle this often with issues. If you're not running a full boat DNS server inside then you have to set that up.

Honestly Tailscale is less work and the final gain is more secure with a zero auth (every client unique and must be approved).

Not trying to derail, but you have some work in front of you to set up a dnsmasq server and configure it to make this work.

You could install Tailscale and test as well. 


On Dec 27, 2025, at 6:43 PM, Kamzata <kam...@gmail.com> wrote:

Maybe I should use a DNS forwarder like Dnsmasq in every (unix based) client...

Kamzata

Dec 27, 2025, 8:07:22 PM (5 days ago) 12/27/25
to tunnelblick-discuss
It's for a home/work network. I don't know Tailscale (just heard about) but maybe I'll take a look. Usually I use Wireguard and I'm not interested in DNS resolution but now I have to connect to this foreign OpenVPN server (which I can just use and not edit) and I need DNS resolution. Thanks for your suggestion!

Tim Gahagan

Dec 27, 2025, 11:00:53 PM (5 days ago) 12/27/25
to tunnelbli...@googlegroups.com, tunnelblick-discuss
So the VPN server is not yours or on your network? Then Tailscale is out most likely.

Tailscale uses WireGuard.

Not trying to hijack a Tunnelblick thread, but I’ve battled this dragon before. Moved all my OpenVPN.



On Dec 27, 2025, at 7:07 PM, Kamzata <kam...@gmail.com> wrote:

It's for a home/work network. I don't know Tailscale (just heard about) but maybe I'll take a look. Usually I use Wireguard and I'm not interested in DNS resolution but now I have to connect to this foreign OpenVPN server (which I can just use and not edit) and I need DNS resolution. Thanks for your suggestion!

Kamzata

Dec 28, 2025, 2:37:21 PM (5 days ago) 12/28/25
to tunnelblick-discuss
I really appreciate you sharing your experience and thank you. Yes, the OpenVPN server is not in my network but I'll take a look at the Tailscale client and the Headscale open source server anyway.

However, I just solved it by installing dnsmasq and configuring it like this:

listen-address=::1,127.0.0.1
server=192.168.79.2   # Default DNS server
server=/.mysub.domain.com/192.168.6.1   # VPN1 DNS server
server=/.othersub.domain.com/192.168.7.1  # VPN2 DNS server
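
The per-domain routing this configuration sets up, modelled offline as an added example that is not part of the original post: it parses the `server=` lines above and picks the upstream by longest matching domain suffix, which is how dnsmasq chooses between scoped and default servers. The function names and sample hostnames are constructed for illustration, and treating the leading dot in a domain as optional is an assumption of this sketch.

```python
import re

# The dnsmasq configuration from the post above, embedded verbatim.
CONFIG = """\
listen-address=::1,127.0.0.1
server=192.168.79.2   # Default DNS server
server=/.mysub.domain.com/192.168.6.1   # VPN1 DNS server
server=/.othersub.domain.com/192.168.7.1  # VPN2 DNS server
"""

def parse_servers(text):
    """Return (default_upstreams, {domain_suffix: upstream}) from server= lines."""
    defaults, scoped = [], {}
    for raw in text.splitlines():
        # A '#' preceded by whitespace starts a comment; 'ip#port' is left intact.
        line = re.split(r"\s+#", raw, maxsplit=1)[0].strip()
        if not line.startswith("server="):
            continue
        value = line[len("server="):]
        if value.startswith("/"):
            # Form: server=/domain1/domain2/.../upstream
            parts = value[1:].split("/")
            for domain in parts[:-1]:
                # Assumption: a leading dot is treated as optional.
                scoped[domain.lstrip(".").lower()] = parts[-1]
        else:
            defaults.append(value)
    return defaults, scoped

def upstream_for(qname, defaults, scoped):
    """Longest matching suffix on label boundaries wins, else the default."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):          # try the longest suffix first
        suffix = ".".join(labels[i:])
        if suffix in scoped:
            return scoped[suffix]
    # Only one default is configured here, so the first entry is the answer.
    return defaults[0] if defaults else None

DEFAULTS, SCOPED = parse_servers(CONFIG)

if __name__ == "__main__":
    # Constructed sample hostnames, not taken from the thread.
    for name in ("git.mysub.domain.com", "db.othersub.domain.com",
                 "notmysub.domain.com", "domain.com", "example.org"):
        print(f"{name:26} -> {upstream_for(name, DEFAULTS, SCOPED)}")
```

Names outside the two scoped suffixes go only to the default server, and names inside them go only to the matching VPN resolver, so each resolver sees just the queries meant for its network.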
