VPN connection - Cisco IPSEC - DNS not updated

2017 and this is still broken in 10.13.0.. I have no words Apple. NO WORDS.

L2TP/IPsec connections are properly set to the top of the DNS priority list while Cisco IPsec connections are not. They don't even appear in the "set service order list" in order to set their priority so the DNS lookups on the Cisco IPsec connections will always fail.

Easy to see the difference with: scutil --dns

I'll open a bugreport with Apple but am NOT holding my breath.

Do you have an update on this? I have the same exact issue with Mac OS X Lion. I also tried to change the service order in the Network settings (thinking that the DNS order would be in the same order as these settings - silly me thinking of that would work).

I didn't need my DNS to change, so the builtin VPN was working for me.

That is until update 10.7.1 was applied today.

Now the VPN makes the connection, but DNS does not work at all.

If I know the IP numbers, I can make some things work.

So, what did they change in the 10.7.1 update?

I have the same issue. Was working fine under Snow Leppard, but under Lion DNS is not working. I'm lucky if I can connect sometimes too.

My understanding is that the DNS settings provided by the VPN endpoint are not merged or inserted in the local TCP stack. As a result, no private host names are resolved.

My workaround for this is to do the following:

In the Network settings, start by duplicating your current location (via "Edit Locations..." menu and in the litle gear menu, invoke "Duplicate Location" and give it a name like "VPN"). I did that initial step because I want to be able to switch back and forth between a VPN-enabled location and my default normal location. If this is not a concern for you, you can skip that initial step. Personally, I don't want my machine to try (and fail) connecting to the private DNS services when I'm not connected.

Once duplicated, switch to it by selecting it in the list. You should see the same list of services in the left panel. Now click the [+] to create a VPN (Cisco IPSec) like you would do normally. Once you entered all required settings, you can Apply the changes and Connect. Once connected to your VPN, you can now do the next steps to fix the host name resolution issue.

Select that VPN service in the left panel and click the Advanced... button in the main dialog in order to see the DNS / Proxies settings. Take note of the listed DNS servers addresses (they should be displayed with a grey colour). You can now cancel that dialog and select your Ethernet service (or Wi-FI service). Click Advanced... on this one and go to its DNS tab, take note again of your current network DNS addresses (again in grey colour). Now is the time to enter all these values in that box. Enter first the VPN DNS addresses and then the non-VPN ones. You can re-order the list with drag & drop too. Once done, you close that dialog and Apply the changes again.

You can now start your browser and test a site living on your private network. Your host's name should be resolved now.

One last note: if your private network has many domains (e.g. *.sub1.company.com, *.sub2.company.com), you may need to add them in the Search Domains box (e.g. sub1.company.com). This is done in the same DNS dialog settings.

Good luck!

Thanks, but this did not work for me. I tested my VPN connection on someone else's hotspot and could connect fine. I do have a Time Capsule at home and wonder if it's a bug bewteen the TC and Lion. I did not have these issues on Snow Leopard.

I wish that Apple replied to these posts.... It is quite discouraging to see that others have the same problem as I, and yet Apple leaves us to our own devices to find solutions.

This is definately a problem with the Lion version of the VPN client. This functionality worked correctly under Snow Leopard...

drod66's technique worked for me: Duplicate "automatic" location, call it "VPN". Create your VPN config only in the "VPN" location. Define your internal (inside VPN) DNS server IP addresses statically in the VPN location and your ISPs DNS server IP addresses statically in the Automatic location.

Remember, you have to hit "apply" when you switch locations, and if you start the VPN in Automatic, it will bomb off when you switch to VPN.

Baffled why this is still broken in 10.7.3. Believe me, it's a PITA to support corporate VPN users which this breakage.

Is it also broken in non-IPSec clients, like OpenVPN, I wonder?

BTW-- This worked for me.

However, it is still a work-around that Apple should fix. I really do not want to add manual DNS lists to every wifi location I use.

Alternately, I could beg my company to add internal IP addresses for their internal sites on their external CNAME records... but that is silly.

It works!

Thanks