How to make short (not fully qualified) hostnames work with Mountain Lion, Tunnelblick, pfSense, OpenVPN


Option 1: reconfigure pfSense

When configuring OpenVPN in pfSense, the field "DNS Default Domain" is passed to the client as the "search" domain. If that field is unchecked or left blank, OpenVPN passes "dhcp-option DOMAIN openvpn" which causes resolv.conf to look like this, which does not help:

search openvpn

Our solution was to set "DNS Default Domain" to simply a dot: ".".

Screenshot of the DNS Default Domain field set to a dot in pfSense

This causes resolv.conf to look like this, which works!

search .

I can now ping with short hostnames.

mac:~  $ ping web2
PING web2 ( 56(84) bytes of data.
64 bytes from web2 ( icmp_req=1 ttl=64 time=0.380 ms

This is an easy solution since it doesn't require each client to be reconfigured.

Option 2: reconfigure Mac OS X

I have not tried it, but it may be possible to reconfigure Apple's DNS resolver to not append search domains, causing it, I believe, to act more like Ubuntu. It appears that something changed in Lion or Mountain Lion, causing Mac OS X DNS to not work as expected.

Option 3: reconfigure OpenVPN

It appears pfSense simply passes the "DNS Default Domain" field to OpenVPN, which adds it as a push configuration option like this:

dhcp-option DOMAIN

If DOMAIN is unset, OpenVPN causes it to be set to "openvpn". This is not a pfSense issue.

IMO, it'd be nice if OpenVPN could be configured (or I could learn how to configure it) to not force DOMAIN to be set. In theory, this would cause the search domain to remain unset in resolv.conf and would allow use of short hostnames.
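The difference between the two resolv.conf states described above can be checked with a short script. This is an added example, not part of the original answer: the function names, the sample files and the 192.0.2.53 nameserver are constructed, and the expansion is a simplified model that lists only the names built from the search list (whether a resolver also tries the bare name afterwards differs between implementations).

```python
# Added example: simplified model of resolv.conf search-list expansion.
# Assumption: a short name is queried once per search domain, with that
# domain appended. Real resolvers (ndots, macOS resolver routing) do more.

PLACEHOLDER = "openvpn"  # value the page says is pushed when the field is blank

# Constructed samples of the two states described on the page.
BEFORE = "# DNS Default Domain left blank\nsearch openvpn\nnameserver 192.0.2.53\n"
AFTER = "# DNS Default Domain set to a dot\nsearch .\nnameserver 192.0.2.53\n"


def parse_search(resolv_conf):
    """Return the effective search list; the last search/domain line wins."""
    search = []
    for raw in resolv_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        fields = line.split()
        if fields[0] == "search" and len(fields) > 1:
            search = fields[1:]
        elif fields[0] == "domain" and len(fields) > 1:
            search = fields[1:2]             # "domain" takes a single name
    return search


def candidates(short_name, search):
    """Absolute names this model would query for a hostname."""
    if short_name.endswith("."):
        return [short_name]                  # already absolute: no search list
    out = []
    for dom in search:
        dom = dom.strip(".")
        out.append(f"{short_name}.{dom}." if dom else f"{short_name}.")
    return out


def diagnose(resolv_conf, short_name):
    search = parse_search(resolv_conf)
    return {
        "search": search,
        "placeholder_pushed": search == [PLACEHOLDER],
        "queries": candidates(short_name, search),
    }


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, diagnose(text, "web2"))
```

With the placeholder domain the only generated name is `web2.openvpn.`, which does not exist in the datacenter zone; with `search .` the generated name is `web2.`, the same absolute form that the trailing-dot ping in the question resolves.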

Updated on September 18, 2022


  • richardkmiller over 1 year

    I use Tunnelblick 3.3beta21b on Mac OS X 10.8.2 (Mountain Lion) to connect to a pfSense/OpenVPN virtual private network. When connected to the VPN, I can access machines in our datacenter. This is pfSense 2.0.1.

    Machines in the datacenter are running Ubuntu 12.04 Precise. When I'm on a machine in the datacenter, I can ping other machines with short (not fully qualified) hostnames:

    web1:~  $ ping web2
    PING web2 ( 56(84) bytes of data.
    64 bytes from web2 ( icmp_req=1 ttl=64 time=0.380 ms

    The resolv.conf file on any given Ubuntu machine in the datacenter looks like this:

    web1:~  $ cat /etc/resolv.conf 

    Unfortunately, when I'm at home connected via Tunnelblick/OpenVPN, short names do not work from my Mac:

    mac:~  $ ping web2
    ping: cannot resolve web2: Unknown host

    However, nslookup returns the correct IP address for "web2" and if I ping with a trailing dot, it works:

    mac:~  $ ping web2.
    PING web2 ( 56(84) bytes of data.
    64 bytes from web2 ( icmp_req=1 ttl=64 time=0.380 ms

    When connected via Tunnelblick, my Mac's resolv.conf looks like this. Note that Tunnelblick added the "search" line; it is not present when I'm disconnected from the VPN:

    # Mac OS X Notice
    # This file is not used by the host name and address resolution
    # or the DNS query routing mechanisms used by most processes on
    # this Mac OS X system.
    # This file is automatically generated.

    How can I configure Mac OS X or pfSense/OpenVPN or Tunnelblick so I can use short hostnames from my Mac?