
VPN / DNS Issues With macOS Ventura

After upgrading my MacBook Air M1 to Ventura I noticed that several of our internal business sites, RDP connections and network SMB folders which require a VPN to access would not resolve, even after a successful VPN connection, and would only work via their respective IP addresses.


Usual troubleshooting included...


  • Home router reboots
  • Mac reboots
  • Re-creating VPN connection
  • Different browsers
  • Different VPN account
  • macOS DNS cache clear
  • Switching to a mobile data (tethered) connection and then connecting to the VPN did not resolve it


In desperation I had to resort to manually editing the HOSTS file:

sudo nano /etc/hosts


... which allowed the respective sites, folders and connections to resolve.

It's clear that Apple devs have broken DNS networking stuff which worked in Monterey and before.


Users should not have to manually edit the macOS HOSTS file to use DNS names whilst connected to a VPN in Ventura.

MacBook Air 13″, macOS 13.0

Posted on Oct 26, 2022 5:48 PM

Question marked as Best reply

Posted on Dec 16, 2022 7:38 AM

To put it very simply: this is a very normal feature, and it worked in 12.x but does not work correctly in 13.x.

And as it (at least in my case) only happens after the device went to sleep, it would seem common sense that it's not working as designed.


So IMHO it's quite irrelevant whether we're using this to connect to our VPN at home but still want a public DNS for whatever reasons, or if we're stumbling upon this issue in an enterprise environment.

Apple should be grateful that we're bringing this to the public and thus helping to improve their products, but if they prefer to not talk about any potential issues, well...


I find it quite funny that every time someone finds a bug or something like that in an Apple product, someone with thousands of points jumps in to defend Apple. And I wonder if this comment will even make it to the forum, as my last try at a reply was censored for reasons unknown.


87 replies

Dec 16, 2022 5:24 AM in response to f1r3s4l3

f1r3s4l3 wrote:

Because some people don't use VPN for privacy reasons, but because they access a company network through it, and probably only for specific addresses, so you want to use the public DNS for everything else.

But this is a user-to-user support forum for Apple’s consumer products. No one here knows anything about MDM, Jamf, or anything enterprise related. Enterprise users have their own dedicated, paid support staff. If they can’t resolve the issue, they can just call their Apple reps on the phone.


If there is a problem, you’ve found the best place to hide from the people whose job it is to fix those problems for you.

Dec 16, 2022 10:55 AM in response to f1r3s4l3

f1r3s4l3 wrote:

Apple should be grateful that we're bringing this to the public and thus helping to improve their products, but if they prefer to not talk about any potential issues, well...

Why should Apple be grateful when people experience problems and then don't report them? As I said above, this is a user-to-user support forum for Apple’s consumer products. Apple isn't here.


You are describing a problem that sounds like the opposite of what you describe. If I have a VPN connected and my DNS requests go out to an open DNS server, that's a critical, mission-failure of the VPN. However, I'm not even going to bother testing this because I don't want Google tracking my DNS requests, whether I'm using a VPN or not.


I find it quite funny that every time someone finds a bug or something like that in an Apple product, someone with thousands of points jumps in to defend Apple.

There is lots of misinformation being repeated on the internet. The people here are focused on facts and solving problems. If there is a problem with an Apple product, we will say so and offer workarounds. But in the vast majority of cases, the problem is with some 3rd party product.

Dec 16, 2022 11:35 AM in response to etresoft

On 13.1 the current workaround seems to be to not use Cloudflare 1.1.1.1/1.0.0.1 as a DNS secondary, which I was doing on my home network as a backup to my single home DNS server (using Cloudflare Family now). This was noted as a VPN issue at the start of this thread but is not limited to VPN users, which seems to have been missed. Reddit threads were started in regards to Pi-hole use. Anyway, I will endeavor to find an answer to satisfy my curiosity. I will try Apple support again (got cut off last time), and I have tried wading through the mDNSResponder source code, but it is quite complex. Hat tip to f1r3s4l3.

Dec 28, 2022 1:13 AM in response to f1r3s4l3

I've just stumbled on this post as our internal DNS does not want to work any more with Ventura. We have always had problems, but now the normal fixes don't help... I'm glad I found this as I now know we're not alone. I'm going to look into raising this with Apple as we should have a rep; if they ever give me anything useful back I will try to add it here (but I won't hold my breath).

Jan 9, 2023 7:09 AM in response to StockerRumbles

In that case you just confirmed the "workaround". The issue we're all facing is exactly that, as soon as you have a non-private DNS in your config, you hit that bug (if I'm allowed to call it that).

So, good for you, you don't really seem to need that, but for others who have a reason to configure their network like that, we're pretty much lost.

Jan 9, 2023 11:34 PM in response to f1r3s4l3

Yes I just wanted to confirm that the fix appears to have worked for us... But also worth noting, that when I was looking in to this, a Windows user (rare in our ORG) was also having basically the same issues.


We had hoped to design our VPN DNS servers to have some resiliency in case of outage, which is why we had the 1.1.1.1 there as a final destination, but as we saw this caused various issues with the macOS network stack over the years, and with Ventura at least, it appears to be completely broken.


I just hope the scaling group never fails to launch the DNS servers.

Jan 20, 2023 1:49 AM in response to hamacardo

In my case, after connecting to the VPN through Tunnelblick, ssh won't resolve an internal host.

My workaround is to switch my current Wi-Fi to another one (I have two Wi-Fi networks at home); that would seem to "trigger" something internally in OS X, while leaving my VPN connected, and then my ssh would resolve the host again! Note that turning Wi-Fi off and on doesn't work, but switching networks would "fix" it. Strange.

Jan 26, 2023 2:08 AM in response to hamacardo

And one more piece of information: I've just tried contacting Apple support. As soon as they heard the problem is only visible when connected to the VPN, they said it's not something they can help me with; to quote them: "if you disconnect from the VPN and everything works fine, there's nothing we can do for you".


Way to go Apple!


The advisor suggested contacting my VPN provider (which is pointless because the tunnel works great and older macOS or any other OSes work great) and trying my luck on developer.apple.com.

I guess I'll do the latter on the off chance.

Jan 26, 2023 6:47 AM in response to weakcamelsm

It is not just VPN though. I test on my home network with Wi-Fi, no VPN. I use my dnsmasq DNS server as primary, then 1.1.1.1 as secondary, and cannot ping local names. Lookup is fine. Check /etc/resolv.conf to make sure the setting took. Since 13.1 and now 13.2 any other tested secondary works. I tested with 1.1.1.2/3, Google and Quad9 as noted in a previous post. So it is quick to test by setting the DNS for the active network connection. For my VPNs at work I changed all the secondaries to 1.1.1.2. I'll try Apple support again at some point.
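Added example, not code from any poster in this thread: a small Python check for the resolver shape the two posts above describe as the trigger (an internal/private resolver with a well-known public resolver such as 1.1.1.1 as its fallback). It accepts either /etc/resolv.conf text or the output of `scutil --dns`; the sample text embedded below is constructed, not captured from a real machine.

```python
import ipaddress
import re

# Public resolvers named in the thread (Cloudflare, Google, Quad9).
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Matches both resolv.conf lines ("nameserver 10.0.0.1")
# and `scutil --dns` lines ("  nameserver[1] : 1.1.1.1").
NS_RE = re.compile(r"^\s*nameserver(?:\[\d+\])?\s*:?\s*(\S+)", re.M)


def _is_internal(addr):
    """True for RFC 1918 / loopback addresses, i.e. a resolver only
    reachable on the LAN or through the tunnel."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback


def parse_resolvers(text):
    """Return one list of nameservers per resolver block.

    resolv.conf is a single implicit block; scutil output has
    'resolver #N' blocks, and blocks without nameservers are skipped."""
    blocks = re.split(r"^resolver #\d+", text, flags=re.M)
    return [NS_RE.findall(b) for b in blocks if NS_RE.search(b)]


def mixed_resolver_blocks(text):
    """Return (block_index, internal, public) for every block that mixes an
    internal resolver with a public fallback. Besides the Ventura failure
    reported here, such a fallback can leak internal hostnames to the
    public resolver whenever the primary is slow or unreachable."""
    findings = []
    for i, servers in enumerate(parse_resolvers(text)):
        internal = [s for s in servers if _is_internal(s)]
        public = [s for s in servers if s in PUBLIC_RESOLVERS]
        if internal and public:
            findings.append((i, internal, public))
    return findings


# Constructed sample in `scutil --dns` layout: one scoped resolver that
# lists the internal server first and Cloudflare as the fallback.
SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
  search domain[0] : corp.example
  nameserver[0] : 10.0.0.53
  nameserver[1] : 1.1.1.1
  if_index : 14 (en0)

resolver #2
  domain   : local
  options  : mdns
"""
```

On a Mac, feed it `scutil --dns` output (for example `python3 check.py < <(scutil --dns)` after adding a small stdin reader) and fix any flagged block by replacing the public fallback with a second internal resolver, as the posters did.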

Jan 31, 2023 11:51 PM in response to weakcamelsm

weakcamelsm wrote:

And one more piece of information: I've just tried contacting Apple support. As soon as they heard the problem is only visible when connected to the VPN, they said it's not something they can help me with; to quote them: "if you disconnect from the VPN and everything works fine, there's nothing we can do for you".

Then you can ask them why it works fine in macOS Monterey but not in macOS Ventura (as of the current version)?

I just tried yesterday with Monterey 12.6.3 and it was fine, but in Ventura 13.2 it's not: the main DNS that gets propagated when connected to the VPN isn't used despite it being listed (when the VPN is connected) as a DNS server to use in:


System Settings -> VPN -> Your Connection -> info-button (i with a circle) -> DNS -> DNS Servers


If I manually add the DNS I want to use (+ button) it works fine. This isn't needed in macOS Monterey, where it works as expected.
