Re-order or "prioritize" DNS server over Cisco AnyConnect VPN on Mac


I realize this doesn't exactly answer your question about how to fix it on AnyConnect, but I was able to achieve the result you're looking for by using openconnect. If you know the addresses/ranges you need to route through the VPN, you can add those static routes manually to go through the VPN interface, including the DNS servers at work. Then, once you have your routes set up, you can add the work DNS server as a non-primary option in the DNS settings for your main interface. The secondary/tertiary/quaternary/etc. DNS server at work only gets queried if the results aren't found on the primary DNS. If you've set up the routes properly, then the DNS query will automatically get routed through the VPN, as well as the rest of the work-bound traffic.

This can get you into trouble though if you're using any applications that have split DNS, so be aware of that going in.

I suppose you could do it with AnyConnect by deleting the default route (the one set by AnyConnect, not the default route for your network adapter) or changing the DNS server settings on the VPN connection, but the problem is AnyConnect will change your settings every time you reconnect. With openconnect I was able to set up persistent routes through the VPN adapter that worked whenever the VPN was up.

If you need more information, let me know and I can edit the answer.

Author: Craig Otis
Updated on September 18, 2022

Comments

  • Craig Otis, almost 2 years ago

    I have Cisco AnyConnect on my Mac (10.13.6), and the DNS resolution works properly for our internal hostnames. The output of scutil looks fine:

    2015MBP:~ craig$ scutil --dns
    DNS configuration
    
    resolver #1
      search domain[0] : dns1.mycompany.com
      search domain[1] : dns2.mycompany.com
      search domain[2] : hsd1.ma.comcast.net
      nameserver[0] : 10.xx.xx.xx (<-- AN INTERNAL COMPANY IP)
      nameserver[1] : 10.xx.xx.xx (<-- AN INTERNAL COMPANY IP)
      flags    : Request A records, Request AAAA records
      reach    : 0x00000002 (Reachable)
      order    : 1
    
    resolver #2
      domain   : local
      options  : mdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
      reach    : 0x00000000 (Not Reachable)
      order    : 300000
    
    resolver #3
      domain   : 254.169.in-addr.arpa
      options  : mdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
      reach    : 0x00000000 (Not Reachable)
      order    : 300200
    
    resolver #4
      domain   : 8.e.f.ip6.arpa
      options  : mdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
      reach    : 0x00000000 (Not Reachable)
      order    : 300400
    
    resolver #5
      domain   : 9.e.f.ip6.arpa
      options  : mdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
      reach    : 0x00000000 (Not Reachable)
      order    : 300600
    
    resolver #6
      domain   : a.e.f.ip6.arpa
      options  : mdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
      reach    : 0x00000000 (Not Reachable)
      order    : 300800
    
    resolver #7
      domain   : b.e.f.ip6.arpa
      options  : mdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
      reach    : 0x00000000 (Not Reachable)
      order    : 301000
    
    DNS configuration (for scoped queries)
    
    resolver #1
      search domain[0] : hsd1.ma.comcast.net
      nameserver[0] : 192.168.1.1
      if_index : 5 (en0)
      flags    : Scoped, Request A records, Request AAAA records
      reach    : 0x00020002 (Reachable,Directly Reachable Address)
    

    However, I notice that it's using the company DNS for things that it doesn't need to:

    2015MBP:~ craig$ nslookup apple.com
    Server:         10.xx.xx.xx.   (<-- SAME COMPANY IP FROM ABOVE)
    Address:        10.xx.xx.xx#53
    
    Non-authoritative answer:
    Name:   apple.com
    Address: 17.178.96.59
    Name:   apple.com
    Address: 17.142.160.59
    Name:   apple.com
    Address: 17.172.224.47
    

    Is there a way to tell macOS to prioritize my ISP for hostname resolution, and only to fallback to the VPN DNS for lookups that fail the first time?
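The `scutil --dns` listing above already shows why `nslookup apple.com` goes to the company server: the first unscoped resolver has no `domain` entry, so it is the default for every name, while the ISP's 192.168.1.1 exists only as a resolver scoped to `en0`, which ordinary lookups never use. The following script, an added example that is not code from the question or the answer, parses that output format and predicts which resolver serves a given name. Its `SAMPLE` text is constructed from the question's own output (trimmed, with the same placeholder addresses), and its selection rule is a simplified model, not mDNSResponder's actual algorithm: only unscoped resolvers are considered, the longest matching `domain` wins, a resolver with no `domain` is the default, and a lower `order` breaks ties. It does not model fallback between the nameservers inside one resolver; a stub resolver generally moves to the next nameserver only when the first does not answer, not when it returns a negative answer, which is worth keeping in mind when relying on a secondary server.

```python
"""Parse `scutil --dns` output and show which resolver a name would use.

Added example (not from the original question or answer). SAMPLE is
constructed from the question's scutil output; the selection rule is a
simplified model of macOS behaviour, not mDNSResponder's real logic.
"""
import re

# Constructed from the question's output. Resolver #1 (no `domain`) is the
# VPN-pushed default; the ISP resolver only appears in the scoped section.
SAMPLE = """\
DNS configuration

resolver #1
  search domain[0] : dns1.mycompany.com
  search domain[1] : dns2.mycompany.com
  search domain[2] : hsd1.ma.comcast.net
  nameserver[0] : 10.xx.xx.xx
  nameserver[1] : 10.xx.xx.xx
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)
  order    : 1

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : hsd1.ma.comcast.net
  nameserver[0] : 192.168.1.1
  if_index : 5 (en0)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)
"""

# "key[idx] : value" or "key : value"; keys may contain spaces ("search domain").
FIELD = re.compile(r"\s*([a-z_ ]+?)(?:\[\d+\])?\s*:\s*(.*)$")


def parse_scutil_dns(text):
    """Return one dict per `resolver #N` block, in the order scutil lists them."""
    resolvers, current = [], None
    for line in text.splitlines():
        if line.startswith("resolver #"):
            current = {"domain": None, "search": [], "nameservers": [],
                       "order": 0, "scoped": False, "reachable": True,
                       "if_index": None}
            resolvers.append(current)
            continue
        m = FIELD.match(line) if current else None
        if not m:
            continue  # section headers, blank lines, unknown fields
        key, value = m.group(1), m.group(2).strip()
        if key == "domain":
            current["domain"] = value.lower().rstrip(".")
        elif key == "search domain":
            current["search"].append(value.lower())
        elif key == "nameserver":
            current["nameservers"].append(value)
        elif key == "order":
            current["order"] = int(value)
        elif key == "flags":
            current["scoped"] = "Scoped" in value
        elif key == "reach":
            current["reachable"] = "Not Reachable" not in value
        elif key == "if_index":
            current["if_index"] = value
    return resolvers


def pick_resolver(resolvers, name):
    """Unscoped resolver an ordinary lookup of `name` would use (None if none)."""
    name = name.lower().rstrip(".")
    best, best_key = None, None
    for r in resolvers:
        if r["scoped"]:
            continue  # scoped resolvers only serve interface-bound queries
        dom = r["domain"]
        if dom is None:
            key = (-1, -r["order"])        # default resolver: weakest match
        elif name == dom or name.endswith("." + dom):
            key = (len(dom), -r["order"])  # longer suffix = more specific
        else:
            continue
        if best_key is None or key > best_key:
            best, best_key = r, key
    return best


def scoped_resolvers(resolvers, ifname):
    """Resolvers bound to an interface such as "en0" (used only by scoped queries)."""
    return [r for r in resolvers
            if r["scoped"] and r["if_index"] and r["if_index"].endswith(f"({ifname})")]


def nameservers_for(text, name):
    """Nameserver list an ordinary lookup of `name` goes to, given scutil text."""
    r = pick_resolver(parse_scutil_dns(text), name)
    return r["nameservers"] if r else []


if __name__ == "__main__":
    rs = parse_scutil_dns(SAMPLE)
    for n in ("apple.com", "printer.local"):
        r = pick_resolver(rs, n)
        print(f"{n:14} -> domain={r['domain']!r} nameservers={r['nameservers']}")
    for r in scoped_resolvers(rs, "en0"):
        print(f"scoped to en0  -> nameservers={r['nameservers']}")
```

Run it against your own machine with `scutil --dns | python3 script.py`-style piping by replacing `SAMPLE` with `sys.stdin.read()`; the interesting check is whether `pick_resolver(rs, "apple.com")` returns a resolver whose nameservers are the VPN-pushed ones while the VPN is up, which is exactly the situation the question describes.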