VPN app dns resolution not working in split dns-split tunneling when 8.8.8.8 is configured as a vpn dns server

the vpn dns nameservers are defined in /etc/resolver/example.com

Huh?

Is your VPN app based on a Network Extension provider? Or some sort of legacy technique?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

It does not use Network Extension provider it uses utun interface socket bsd implementation.

And one more update the issue happens only on arm devices. Not on x86. If we set 8.8.8.8 as vpn nameserver on arm devices then traffic is routed outside the tunnel for split dns domain.

OK. In that case I’m not going to be able to help you. DTS doesn’t support legacy VPN techniques, and we recommend that you instead create an NE provider.

Your original post is a good example of why we have this policy. The /etc/resolv.conf mechanism is a compatibility measure of Apple platforms. The true DNS configuration is managed by the various plug-ins within configd. NE providers use API to apply their DNS configuration, and the system manages that in a coherent way. The behaviour you get when you start modifying resolver configuration files is unspecified exactly because it’s there solely to support compatibility.

A similar situation applies to the routing table. It is also managed by configd, and if you manipulate it ‘behind the back’ of configd you’ll run into problems.

You are, of course, free to continue down this path on your own, but it’s not a road I can join your on.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Yes we are not using the Network Extension but still I am not modifiying /etc/resolv.conf file. I add split dns domains into /etc/resolver/ => in filesystem.

It is said apple consider entries in this filesystem first before resolving a domain and this entries has first priority.

For example, if I want to resolve example.com using nameserver 3.92.192.216. I make an new file to /etc/resolver/example.com and write the nameserver into example.com. when system wants to resolve example.com it first checks in this entry in filesytem if it finds a matching entry and it uses this corresponding nameserver for resolving example.com.

Then this method is broken in Apple newer system as it worked till 12.6.

I am not modifiying /etc/resolv.conf file. I add split dns domains into /etc/resolver/

Ah, sorry for the confusion here. I used /etc/resolv.conf as a shorthand for all of the file-based DNS stuff. That’s there for compatibility and it’s not something that DTS considers a supported API.

Then this method is broken in Apple newer system as it worked till 12.6.

Yeah, that’s exactly what I’m getting at here. We work hard to maintain binary compatibility for software that uses our supported APIs, but if you do unsupported stuff then you don’t benefit from that work.

You are, of course, free to file a bug about this issue, but my advice is that you switch to the NE provider API.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"