Re-order or "prioritize" DNS server over Cisco AnyConnect VPN on Mac
I realize this doesn't exactly answer your question about how to fix it on AnyConnect, but I was able to achieve the result you're looking for by using openconnect. If you know the addresses/ranges you need to route through the VPN, you can add those static routes manually to go through the VPN interface, including the DNS servers @ work. Then, once you have your routes set up, you can add the work DNS server as a non-primary option in the DNS settings for your main interface. The secondary/tertiary/quaternary/etc. DNS server at work only gets queried if the results aren't found on the primary DNS. If you've set up the routes properly then the DNS query will automatically get routed through the VPN, as well as the rest of the work-bound traffic.
This can get you into trouble though if you're using any applications that have split DNS, so be aware of that going in.
I suppose you could do it with AnyConnect by deleting the default route (the one set by AnyConnect, not the default route for your network adapter) or changing the DNS server settings on the VPN connection, but the problem is AnyConnect will change your settings every time you reconnect. With openconnect I was able to set up persistent routes through the VPN adapter that worked whenever the VPN was up.
If you need more information, let me know and I can edit the answer.
Craig Otis, updated on September 18, 2022:
I have Cisco AnyConnect on my Mac (10.13.6), and the DNS resolution works properly for our internal hostnames. The output of scutil looks fine:

    2015MBP:~ craig$ scutil --dns
    DNS configuration

    resolver #1
      search domain[0] : dns1.mycompany.com
      search domain[1] : dns2.mycompany.com
      search domain[2] : hsd1.ma.comcast.net
      nameserver[0] : 10.xx.xx.xx (<-- AN INTERNAL COMPANY IP)
      nameserver[1] : 10.xx.xx.xx (<-- AN INTERNAL COMPANY IP)
      flags    : Request A records, Request AAAA records
      reach    : 0x00000002 (Reachable)
      order    : 1

    resolver #2
      domain   : local
      options  : mdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
      reach    : 0x00000000 (Not Reachable)
      order    : 300000

    resolver #3
      domain   : 254.169.in-addr.arpa
      options  : mdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
      reach    : 0x00000000 (Not Reachable)
      order    : 300200

    resolver #4
      domain   : 8.e.f.ip6.arpa
      options  : mdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
      reach    : 0x00000000 (Not Reachable)
      order    : 300400

    resolver #5
      domain   : 9.e.f.ip6.arpa
      options  : mdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
      reach    : 0x00000000 (Not Reachable)
      order    : 300600

    resolver #6
      domain   : a.e.f.ip6.arpa
      options  : mdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
      reach    : 0x00000000 (Not Reachable)
      order    : 300800

    resolver #7
      domain   : b.e.f.ip6.arpa
      options  : mdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
      reach    : 0x00000000 (Not Reachable)
      order    : 301000

    DNS configuration (for scoped queries)

    resolver #1
      search domain[0] : hsd1.ma.comcast.net
      nameserver[0] : 192.168.1.1
      if_index : 5 (en0)
      flags    : Scoped, Request A records, Request AAAA records
      reach    : 0x00020002 (Reachable,Directly Reachable Address)
However, I notice that it's using the company DNS for things that it doesn't need to:

    2015MBP:~ craig$ nslookup apple.com
    Server:     10.xx.xx.xx. (<-- SAME COMPANY IP FROM ABOVE)
    Address:    10.xx.xx.xx#53

    Non-authoritative answer:
    Name:   apple.com
    Address: 17.178.96.59
    Name:   apple.com
    Address: 17.142.160.59
    Name:   apple.com
    Address: 17.172.224.47
Is there a way to tell macOS to prioritize my ISP for hostname resolution, and only to fallback to the VPN DNS for lookups that fail the first time?
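As an added example (not part of the question or the answer above), the following Python script parses the `scutil --dns` layout shown in the question and reports which resolver, and therefore which nameservers, macOS would pick for an unscoped lookup. It assumes the selection rule mDNSResponder documents for supplemental resolvers: the resolver whose `domain` is the longest suffix of the query name wins, and when no domain matches, the domain-less resolver with the lowest `order` is used. Both sample outputs are constructed; `10.0.0.1` and `10.0.0.2` stand in for the redacted `10.xx.xx.xx` addresses, and the second sample shows the per-domain layout (a resolver with `domain : mycompany.com`) in which company names go to the company servers while everything else stays with the ISP resolver, which is the outcome the question asks for.

```python
import re

# Constructed sample in the layout of the question's `scutil --dns` output:
# the company nameservers sit in the unscoped default resolver, so every
# lookup (apple.com included) goes to them. 10.0.0.1/10.0.0.2 stand in for
# the redacted 10.xx.xx.xx addresses.
QUESTION_SAMPLE = """\
DNS configuration

resolver #1
  search domain[0] : dns1.mycompany.com
  search domain[1] : dns2.mycompany.com
  search domain[2] : hsd1.ma.comcast.net
  nameserver[0] : 10.0.0.1 (<-- AN INTERNAL COMPANY IP)
  nameserver[1] : 10.0.0.2 (<-- AN INTERNAL COMPANY IP)
  reach    : 0x00000002 (Reachable)
  order    : 1

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : hsd1.ma.comcast.net
  nameserver[0] : 192.168.1.1
  if_index : 5 (en0)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)
"""

# Constructed split-DNS layout: the ISP router is the default resolver and the
# company servers are only consulted for names under mycompany.com.
SPLIT_DNS_SAMPLE = """\
DNS configuration

resolver #1
  search domain[0] : hsd1.ma.comcast.net
  nameserver[0] : 192.168.1.1
  reach    : 0x00000002 (Reachable)
  order    : 200000

resolver #2
  domain   : mycompany.com
  nameserver[0] : 10.0.0.1
  nameserver[1] : 10.0.0.2
  reach    : 0x00000002 (Reachable)
  order    : 100000

resolver #3
  domain   : local
  options  : mdns
  timeout  : 5
  order    : 300000
"""


def parse_scutil_dns(text):
    """Return {'default': [...], 'scoped': [...]} resolver dicts from scutil --dns text."""
    sections = {"default": [], "scoped": []}
    section, resolver = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("DNS configuration"):
            section = "scoped" if "scoped" in line else "default"
            resolver = None
            continue
        match = re.match(r"resolver #(\d+)", line)
        if match:
            resolver = {"id": int(match.group(1)), "domain": None, "search": [],
                        "nameservers": [], "order": None, "if_index": None}
            sections[section].append(resolver)
            continue
        if resolver is None or ":" not in line:
            continue
        key, _, value = line.partition(":")  # first ':' only, so IPv6 values survive
        key, value = key.strip(), value.strip()
        if key.startswith("search domain"):
            resolver["search"].append(value)
        elif key.startswith("nameserver"):
            resolver["nameservers"].append(value.split()[0])  # drop trailing comments
        elif key == "domain":
            resolver["domain"] = value
        elif key == "order":
            resolver["order"] = int(value)
        elif key == "if_index":
            resolver["if_index"] = value
    return sections


def resolver_for(hostname, resolvers):
    """Pick the resolver an unscoped lookup of hostname would use (assumed rule:
    longest matching 'domain' suffix, else the lowest-order domain-less resolver)."""
    name = hostname.rstrip(".").lower()
    order = lambda r: r["order"] if r["order"] is not None else 0
    matches = [r for r in resolvers if r["domain"]
               and (name == r["domain"].lower() or name.endswith("." + r["domain"].lower()))]
    if matches:
        return max(matches, key=lambda r: (len(r["domain"]), -order(r)))
    defaults = [r for r in resolvers if not r["domain"]]
    return min(defaults, key=order) if defaults else None


def nameservers_for(hostname, scutil_text):
    """Nameservers a lookup of hostname would be sent to; [] means mDNS/no unicast server."""
    chosen = resolver_for(hostname, parse_scutil_dns(scutil_text)["default"])
    return list(chosen["nameservers"]) if chosen else []


if __name__ == "__main__":
    for label, sample in (("question layout", QUESTION_SAMPLE), ("split-DNS layout", SPLIT_DNS_SAMPLE)):
        for host in ("apple.com", "wiki.mycompany.com", "printer.local"):
            print(f"{label:17} {host:20} -> {nameservers_for(host, sample) or 'mDNS'}")
```

Run it against a saved `scutil --dns` capture to see where a given hostname's query will be sent before and after changing the VPN client or its routes; an empty list means the matching resolver is an mDNS entry with no unicast server.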