VPN / DNS Issues With macOS Ventura

I just tried upgrade to 13.2 Ventura. Sadly, no improvement at all - standard tooling still doesn't resolve addresses from the internal DNS (despite nslookup returning correct IPs).

Aha, interesting! Let me know how it goes. I can at least say that there is no problem like this with Jamf and Monterey.

I'm not using JAMF and still have this issue.

I'm encountering the issue in 13.2, so I don't think it has been completely fixed.

No, it's not been fixed. I'm on 13.2.1 and still facing the same issue. Even my previous workaround of overriding resolver in /etc/resolver/<domain> config stopped working.

Just upgraded to 13.3. Issue still persists, sadly.

Very disappointed with Apple's attitude.

Yes, it's sad. I'm hoping for the 13.4 release. Have an open ticket with Apple and have provided some info and also got a response back, so we'll see what goes during the beta testing...

What was Apple's response? Are they aware of the issue? Did they say they were planning on addressing it?

I spoke to Apple per our Enterprise Support Agreement, and they said they were not aware of an issue but they are looking into it now.

The same problem, macOS 13.5, no one checked by chance, maybe they fixed it in Sonoma?

I am still having the same issue on Sonoma.

Sonoma still have this issue

On 13.1 the current workaround seems to be to not use Cloudflare 1.1.1.1/1.0.0.1 as a DNS secondary which I was doing on my home network as a backup to my single home dns server (using Cloudflare family now). This was noted as a VPN issue at the start of this thread but is not limited to vpn users, which seems to have been missed. Reddit threads were started in regards to Pi-hole use. Anyway I will endeavor to find an answer to satisfy my curiosity. I will try apple support again (got cut off last time) and I have tried wading through mDNSResponder source code but it is quite complex. Hat tip to f1r3s4l3.

Here's a potential workaround I have found, tested on 13.3, unfortunately this wouldn't necessarily work at a public place but hopefully helps someone.

I recently discovered the bug its triggered when the DNS assigned to the interface providing internet access has a Public DNS . Meaning the interface gets a public address for its DNS via DHCP or statically . However if you have an internal DNS the problem goes away.

For example, say im at home and my ISP router gives my laptop the following DHCP settings

IP 192.168.100.101

Subnet 255.255.255.0

Gateway 192.168.100.1

DNS 75.75.75.75 <-- Public DNS

When I connect to my work VPN I will not be able to properly resolve work internal names.

nslookup will show the correct response but other applications won't including ping, trace route, safari an others.

However if your router supports DNS resolution (most do) manually change the DNS to it in my case its the same as my gateway and would look like this:

IP 192.168.100.101

Subnet 255.255.255.0

Gateway 192.168.100.1

DNS 192.168.100.1 <-- Private DNS

After the change I reconnected to my VPN and DNS resolution works over the VPN as expected for internal names.

Why in the world does OSX gets confused when using a Public DNS server is beyond me but I hope this helps someone.

We have also contacted Apple via our enterprise agreement and I am sharing my findings, hopefully the issue will get some traction.