When connecting to corporate VPNs on macOS, users often face a peculiar dilemma: either get proper hostname resolution at the cost of losing internet access, or maintain internet connectivity while being unable to resolve internal network resources. This stems from how macOS handles network interfaces and DNS resolution during VPN sessions.
The key symptoms manifest as:
$ ping internal-host
ping: cannot resolve internal-host: Unknown host
Yet the VPN connection itself shows as active in System Preferences. This indicates that while the tunnel is established, DNS resolution isn't properly configured for the VPN network.
Several factors contribute to this behavior:
- macOS's network interface priority system
- Split-tunnel VPN configuration
- DNS server assignment methods
Option 1: Manual Route Configuration
For advanced users who need granular control:
sudo route -n add -net 192.168.0.0/16 192.168.7.117
sudo networksetup -setdnsservers "VPN" 192.168.10.16
sudo dscacheutil -flushcache
Option 2: DNS Configuration via scutil
A more elegant approach using macOS's system configuration utility:
sudo scutil
> d.init
> d.add ServerAddresses * 192.168.10.16 8.8.8.8
> d.add SupplementalMatchDomains * universe.mycompany
> set State:/Network/Service/com.company.vpn/DNS
> quit
Option 3: Permanent Solution via Configuration Profile
For enterprise environments, create a mobileconfig file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>DNS</key>
<dict>
<key>ServerAddresses</key>
<array>
<string>192.168.10.16</string>
</array>
<key>SupplementalMatchDomains</key>
<array>
<string>universe.mycompany</string>
</array>
</dict>
<key>PayloadIdentifier</key>
<string>com.company.vpn.dns</string>
<key>PayloadType</key>
<string>com.apple.dnsSettings.managed</string>
<key>PayloadUUID</key>
<string>C8CE1552-6F27-44DF-8A53-7B7E3544CAA5</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Corporate VPN DNS</string>
<key>PayloadIdentifier</key>
<string>com.company.vpn.dns.profile</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>8416C9A0-6D2B-4C1B-9434-8E7A63E6F073</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
After implementing any solution, verify with:
scutil --dns | grep -A10 "universe.mycompany"
dig internal-host.universe.mycompany @192.168.10.16
traceroute -n 192.168.11.56
For persistent issues, examine:
- Network interface binding order with networksetup -listnetworkserviceorder
- Active DNS configuration with scutil --dns
- Packet routing with netstat -rn
Many Mac OS X users encounter this frustrating scenario: Your VPN shows "connected" status, but hostname resolution fails for internal company resources while simultaneously breaking internet access when forcing all traffic through the VPN. Here's how to achieve proper split tunneling.
First, let's verify the symptoms:
# Failed host resolution
$ ping devserver01
ping: cannot resolve devserver01: Unknown host
# Working IP connectivity
$ ping 192.168.7.218
PING 192.168.7.218 (192.168.7.218): 56 data bytes
64 bytes from 192.168.7.218: icmp_seq=0 ttl=64 time=2.348 ms
The solution requires proper DNS configuration through either:
# Method 1: Network preferences GUI
1. Go to System Preferences → Network
2. Select your VPN connection
3. Click Advanced → DNS
4. Add company DNS servers (e.g., 192.168.10.16)
5. Add search domains (e.g., "corp.company.com")
Or programmatically via scutil:
# Method 2: Terminal configuration
sudo scutil
> d.init
> d.add ServerAddresses * 192.168.10.16 8.8.8.8
> d.add SearchDomains * "corp.company.com"
> set State:/Network/Service/com.company.vpn/DNS
> quit
For precise traffic routing without losing internet access:
# Add specific routes for corporate networks
sudo route -n add -net 192.168.0.0/16 192.168.7.1
# Verify routing table
netstat -rn | grep 192.168
Create a launchd plist to maintain routes:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.user.vpnroutes</string>
<key>ProgramArguments</key>
<array>
<string>/sbin/route</string>
<string>add</string>
<string>-net</string>
<string>192.168.0.0/16</string>
<string>192.168.7.1</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
Essential diagnostic tools:
# Check DNS resolution
dscacheutil -q host -a name devserver01.corp.company.com
# Verify VPN interface
ifconfig | grep -A 3 ppp
# Test specific DNS server
dig @192.168.10.16 devserver01.corp.company.com
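Both parts of this page end by reading scutil --dns by eye. The script below is an added example, not code from the original, that automates that check: it picks out the resolver scoped to the VPN domain, confirms the corporate server is listed first, and flags any public server beside it, since queries for internal names can fall through to that server when the corporate one stops answering. Domain and server values come from the first part of the page; the scutil --dns excerpts are constructed.

```shell
#!/bin/sh
# Added example: confirm that the resolver scoped to the VPN domain exists,
# lists the corporate DNS server first and holds no public server. The two
# inputs are constructed `scutil --dns` excerpts, not captured output.
WITH_FALLBACK='resolver #1
  search domain[0] : home.lan
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)

resolver #2
  domain   : universe.mycompany
  nameserver[0] : 192.168.10.16
  nameserver[1] : 8.8.8.8
  flags    : Supplemental, Request A records
'
# Same configuration without the public fallback server.
INTERNAL_ONLY=$(printf '%s\n' "$WITH_FALLBACK" | grep -v '8\.8\.8\.8')

# Print the nameservers of the resolver scoped to domain $1 (scutil text on stdin).
scoped_nameservers() {
  awk -v dom="$1" '
    /^resolver #/                 { inblk = 0 }
    $1 == "domain" && $3 == dom   { inblk = 1; next }
    inblk && $1 ~ /^nameserver\[/ { print $3 }'
}

# Return 0 when the resolver scoped to $1 lists $2 first and only RFC 1918
# servers (scutil text on stdin). A public server in a scoped resolver can be
# handed queries for internal hostnames once the corporate server stops answering.
check_scoped_dns() {
  dom="$1"; want="$2"
  servers=$(scoped_nameservers "$dom")
  [ -n "$servers" ] || { echo "no resolver scoped to $dom"; return 1; }
  first=$(printf '%s\n' "$servers" | head -n 1)
  [ "$first" = "$want" ] || { echo "first server for $dom is $first, expected $want"; return 1; }
  rc=0
  for s in $servers; do
    case "$s" in
      10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
      *) echo "warning: public server $s is scoped to $dom"; rc=1 ;;
    esac
  done
  return $rc
}

# On a Mac, feed live output instead: scutil --dns | check_scoped_dns universe.mycompany 192.168.10.16
printf '%s\n' "$WITH_FALLBACK" | check_scoped_dns universe.mycompany 192.168.10.16 || :
printf '%s\n' "$INTERNAL_ONLY" | check_scoped_dns universe.mycompany 192.168.10.16 && echo "internal-only scoped DNS looks right"
```

With the page's Option 2 configuration (corporate server plus 8.8.8.8) the check warns; the same resolver with only the corporate server passes.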