VPN / DNS Issues With macOS Ventura

After upgrading my MacBook Air M1 to Ventura I noticed that several of our internal business sites, RDP connections and network SMB folders which require a VPN to access would not resolve, even after a successful VPN connection, and would only work via their respective IP addresses.


Usual troubleshooting including...


  • Home router reboots
  • Mac reboots
  • Re-creating VPN connection
  • Different browsers
  • Different VPN account
  • macOS DNS cache clear
  • Switching to a mobile data (tethered) connection and then connecting to the vpn did not resolve


In desperation I had to resort to manually editing the HOSTS file

sudo nano /etc/hosts


... which allowed the respective sites, folders and connections to resolve.

It's clear that Apple devs have broken DNS networking stuff which worked in Monterey and before.


Users should not have to manually edit the macOS HOSTS file to use DNS names whilst connected to a VPN in Ventura.

MacBook Air 13″, macOS 13.0

Posted on Oct 26, 2022 5:48 PM

Question marked as Top-ranking reply

Posted on Apr 6, 2023 4:43 PM

Hi,

I have been having this problem also but I just solved it. I actually only joined to post the solution


Indeed the /etc/resolv.conf is over-written (props to the user who pointed that out on page 3). For me it was overwritten with an internal 10.x address so obviously DNS was failing.


What is causing the overwrite is that after upgrading, Apple turns on limit IP tracking by default.


01) Go to settings

02) Go to networks

03) Click Details next to the network name (in my case my wireless)

04) Turn off limit ip tracking

05) Try your vpn again


That one thing fixed the automatic overwriting of the conf file.


I work in cloud security arch, and while I am a big believer in secure defaults, it is obnoxious to roll something like that out, breaking people's VPNs, without some kind of warning.


Good luck to everyone!

89 replies

Oct 26, 2022 7:45 PM in response to hamacardo

I found this to be the case also. I configure the VPN to hand out our internal DNS as primary, then 1.1.1.1 as secondary. If I remove the secondary then DNS lookups work correctly. Even on my home wifi, where I have an internal DNS server for my home network, if I put a secondary of 1.1.1.1 then the DNS lookup will ignore my primary DNS and use 1.1.1.1 for lookup.


Using host and dig returns the correct IP address when the secondary DNS is present. But comments I found indicate that host and dig do not resolve the same as Mac applications, so ping and others only resolve correctly if the secondary is removed. This appears to be a bug with Ventura DNS resolution, or it is by design and I have not found the setting that would allow for the primary to be used when a secondary (or more) is present. Still searching for the answer... but a workaround is to present only the internal DNS servers to your VPN clients.

Apr 6, 2023 8:14 PM in response to leon_is_awesome

leon_is_awesome wrote:

Hi,
I have been having this problem also but I just solved it. I actually only joined to post the solution

Indeed the /etc/resolv.conf is over-written (props to the user who pointed that out on page 3). For me it was overwritten with an internal 10.x address so obviously DNS was failing.

What is causing the overwrite is that after upgrading, Apple turns on limit IP tracking by default.

01) Go to settings
02) Go to networks
03) Click Details next to the network name (in my case my wireless)
04) Turn off limit ip tracking
05) Try your vpn again

That one thing fixed the automatic overwriting of the conf file.

I work in cloud security arch, and while I am a big believer in secure defaults, it is obnoxious to roll something like that out, breaking people's VPNs, without some kind of warning.

Good luck to everyone!

Hi Leon,

Do you know of a bash script (if there is one) that we can use to push and turn off limit ip tracking? In our case we were not using a VPN as we were testing in office.

Nov 3, 2022 3:43 PM in response to hamacardo

I am experiencing the same issue on all our company MacBooks and even some of our iPads that have updated to Ventura and iPadOS 16. From our internal DHCP we issue 2 DNS servers (1. Internal DNS, 2. 8.8.8.8). Any time someone would try to contact an internal URL/Intranet site it would not use our internal DNS server to resolve the name. As soon as I remove the 8.8.8.8 from the DNS settings and leave just our internal DNS, it immediately fixes itself. I have found that if I replace the 8.8.8.8 with 1.1.1.1 or 208.67.222.222 (OpenDNS) it immediately fixes the issue, and I can resolve internal DNS as expected again. Seems like there is a bug with having 2 DNS servers and 8.8.8.8 as the secondary. Though I have been reading about 1.1.1.1 not working for people also. Apple really needs to fix this issue! I have had numerous users with useless computers for the last couple of days while we try to fix this issue. Hopefully this helps someone get some machines back to functioning somewhat normally.

Jan 31, 2023 11:51 PM in response to weakcamelsm

weakcamelsm wrote:

And one more piece of information: I've just tried contacting Apple support. As soon as they heard the problem is only visible when connected to the VPN, they said it's not something they can help me with; to quote them: "if you disconnect from the VPN and everything works fine, there's nothing we can do for you".

Then you can ask them why it works fine in macOS Monterey but not in macOS Ventura (as of the current version)?

I just tried yesterday with Monterey 12.6.3 and it was fine, but in Ventura 13.2 it's not – the main DNS that gets propagated when connected to the VPN isn't used despite it being listed (when the VPN is connected) as a DNS server to use in:


System Settings -> VPN -> Your Connection -> info-button (i with a circle) -> DNS -> DNS Servers


If I manually add the DNS I want to use (+ button) it works fine. This isn't needed in macOS Monterey, where it works as expected.

Apr 7, 2023 1:55 PM in response to leon_is_awesome

"Turn off limit ip tracking" didn't make a difference for me when connected via my work VPN, which gives out internal.dns.server and Google's 8.8.8.8 via DHCP when connecting to the VPN. None of the DNS names configured for the internal DNS server resolve. If I (since I'm an admin) change it so that when connected via the VPN only the internal DNS is given out, the custom DNS names resolve fine.


So, it's when having more than one DNS server that problems start to happen, at least for me.

Feb 13, 2023 2:44 AM in response to abitgroggy

I have this problem too. In my case I am using my own internal DNS server which also provides certain domain names only for internal use. Until last week everything worked; today suddenly all DNS entries which do not exist externally do not work anymore until I remove the second DNS entry, in my case also 1.1.1.1.


But it is quite strange, using 1.1.1.1 as second entry:

  • nslookup makes the right resolution.
  • ping is working.
  • curl is not working.
  • RDP is not working using domain name.


Florian
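The split that the Oct 26 7:45 PM post and Florian's post above describe (host/dig and nslookup answer correctly, while ping, curl, RDP and Safari do not) comes from two different resolver paths: dig and host read /etc/resolv.conf and query a server directly, whereas applications call getaddrinfo(), which goes through mDNSResponder and the resolver list that `scutil --dns` shows. `dscacheutil -q host` exercises that same application path. The script below is an added illustration, not a script from any poster: it prints both resolver lists, queries the name against each configured server with dig, queries it through the system resolver, and reports whether applications are getting the primary (internal) server's answer. It assumes the macOS tools scutil, dscacheutil and dig; the sample resolv.conf and `scutil --dns` text embedded in it are constructed.

```shell
#!/bin/sh
# dnscheck.sh: show whether macOS applications resolve a name through the same
# server that dig/host would use. Added illustration for this thread, not a
# script from any poster. dig/host read /etc/resolv.conf and query a server
# directly; ping, curl, Safari and RDP clients call getaddrinfo(), which goes
# through mDNSResponder and the resolver list shown by `scutil --dns`.
# `dscacheutil -q host` uses that same system path, so comparing its answer with
# dig's shows which side is misbehaving. Live commands (scutil, dscacheutil, dig)
# only run on macOS with a hostname argument; the helpers are plain text functions.

# Print the nameserver entries of resolv.conf-style text on one line, in file order.
parse_nameservers() {
    printf '%s\n' "$1" |
        awk '$1 == "nameserver" { printf "%s%s", sep, $2; sep = " " } END { print "" }'
}

# Print the nameserver[n] entries of the first resolver block in `scutil --dns`
# style text (resolver #1 is the one consulted for ordinary, unscoped queries).
first_resolver_nameservers() {
    printf '%s\n' "$1" |
        awk '/^resolver #/ { n++ }
             n == 1 && $1 ~ /^nameserver\[/ { printf "%s%s", sep, $3; sep = " " }
             END { print "" }'
}

# Succeed when two space-separated address lists hold the same addresses
# (order ignored); fail otherwise.
answers_agree() {
    a=$(printf '%s\n' $1 | sort | tr '\n' ' ')
    b=$(printf '%s\n' $2 | sort | tr '\n' ' ')
    [ "$a" = "$b" ]
}

# Constructed sample inputs shaped like the thread's scenario: an internal
# server first and a public secondary (1.1.1.1) second.
SAMPLE_RESOLV_CONF='# constructed sample, not a real machine
search corp.example.internal
nameserver 10.0.0.53
nameserver 1.1.1.1'

SAMPLE_SCUTIL='DNS configuration

resolver #1
  search domain[0] : corp.example.internal
  nameserver[0] : 10.0.0.53
  nameserver[1] : 1.1.1.1
  if_index : 14 (en0)

resolver #2
  domain   : local
  options  : mdns'

# Live check. Usage: sh dnscheck.sh intranet.corp.example.internal
check_host() {
    name=$1
    servers=$(first_resolver_nameservers "$(scutil --dns 2>/dev/null)")
    echo "resolver #1 servers (scutil --dns): $servers"
    echo "nameservers in /etc/resolv.conf:    $(parse_nameservers "$(cat /etc/resolv.conf)")"

    primary_answer=""
    i=0
    for ns in $servers; do
        # +short prints only addresses; one short attempt per configured server.
        ans=$(dig +short +time=2 +tries=1 "$name" @"$ns" 2>/dev/null | tr '\n' ' ')
        echo "dig @$ns -> ${ans:-<no answer>}"
        if [ "$i" -eq 0 ]; then primary_answer=$ans; fi
        i=$((i + 1))
    done

    # What applications see: the same path as ping, curl and Safari.
    sys_answer=$(dscacheutil -q host -a name "$name" 2>/dev/null |
        awk '$1 == "ip_address:" { printf "%s ", $2 }')
    echo "system resolver (dscacheutil) -> ${sys_answer:-<no answer>}"

    if answers_agree "$primary_answer" "$sys_answer"; then
        echo "OK: applications get the same answer as the primary (internal) server."
    else
        echo "MISMATCH: applications are not resolving $name via the primary server."
        echo "Workarounds reported in this thread: hand out only the internal server,"
        echo "add the internal search domain (DNS suffix) to the VPN connection, or"
        echo "turn off Limit IP Address Tracking for the interface and reconnect."
    fi
}

if [ "$(uname 2>/dev/null)" = "Darwin" ] && [ $# -ge 1 ]; then
    check_host "$1"
fi
```

Run it once before and once after applying a workaround (removing the secondary, adding the DNS suffix, or disabling Limit IP Address Tracking) to confirm that the system resolver's answer changes while dig's stays the same; if dig against the primary server already returns nothing, the problem is the VPN's DNS server, not the client resolver.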

May 16, 2023 2:29 AM in response to hamacardo

Hi all, I had the same problem. We have internal DNS servers in the company. And even when I connected, the company DNS records didn't work...


However, I have come to one thing. I added "DNS Suffix" to the VPN connection settings on macOS and everything started working right away.


Hopefully this information will help someone else.


Jan 26, 2023 6:47 AM in response to weakcamelsm

It is not just VPN though. I test on my home network with wifi, no VPN. Use my dnsmasq DNS server as primary, then 1.1.1.1 as secondary and cannot ping local names. Lookup is fine. Check /etc/resolv.conf to make sure the setting took. Since 13.1 and now 13.2 any other tested secondary works. I test with 1.1.1.2/3, Google, Quad9 as noted in a previous post. So it is quick to test by setting the DNS for the active network connection. For my VPNs at work I changed all the secondaries to 1.1.1.2. I'll try Apple support again at some point.

Jan 9, 2023 11:34 PM in response to f1r3s4l3

Yes, I just wanted to confirm that the fix appears to have worked for us... But also worth noting that when I was looking into this, a Windows user (rare in our ORG) was also having basically the same issues.


We had hoped to design our VPN DNS servers to have some resiliency in case of outage, which is why we had the 1.1.1.1 there as a final destination, but as we saw this caused various issues with the macOS network stack over the years, and with Ventura at least, it appears to be completely broken.


I just hope the scaling group never fails to launch the DNS servers

Apr 3, 2023 2:05 PM in response to mprush12

What I have shown was that for some reason Safari will use the custom (internal) DNS we use every other time the page is loaded.


This is what our devices at work get DNS wise via DHCP:


internal.dns.server

8.8.8.8

4.4.4.4


A web site directed to by the internal DNS loads fine in Safari on the first attempt, but if I reload the page it fails to load; if I reload again it loads, and so on.


This is what caught some attention.


Also mentioned that if I manually add internal.dns.server as the DNS server for the network interface in use, i.e. so it’s the only DNS server in the list, then the internal web page loads in Safari every time.
