When I upgraded to OS X 10.7 (Lion), I started using the built-in IPSec VPN client rather than Cisco's VPNClient. I experienced problems immediately. At first it appeared that the connection was being made, but no traffic was passing. When I tried pinging by IP address, I found that traffic was passing, but I couldn't do anything by hostname.
The problem is fairly well documented. Lion appears to prefer your original connection DNS servers rather than the servers assigned when the VPN connection comes up. Lots of Lion DNS lookup order workarounds have been proposed, but my preferred solution so far is to change the service order in the Network pane of System Preferences. By dragging my VPN connection to the top, I guarantee that the DNS servers specified in that connection will be the ones used.
This has solved my problem in most cases. Certain command line tools (host, dig, nslookup) do not honor the order, but that's a trivial problem.
"Certain command line tools (host, dig, nslookup) do not honor the order, but that's a trivial problem."
Except for those of us who regularly have to connect to servers inside the private network, e.g., using ssh. Let's be open and frank about this and admit that Apple, once again, did a royal fuckup with basic system functionality. What am I supposed to do with a VPN client that won't honor standards that have been around for decades on every kind of operating system in existence? Write my own /etc/resolv.conf for every VPN I happen to use?
Well done, Apple.
I'm running Mountain Lion and I can confirm that CLI tools do respect the network order. (At least both host and ssh are working fine for me.)
So apparently Apple fixed one minor bug inside the major bug. :)
This solution is not working for me under Mountain Lion.
I set the VPN connection in the first position in the services list, but I am still having local DNS without the search domain. The system is still asking the local DNS server :(
In the VPN settings I can see the addresses of the DNS servers I get after creating the connection.
Also using 10.8 and it is not honoring the order. The AnyConnect client works out of the box. Any ideas?
This solution did not work for me either. The following worked for me on OS X Mountain Lion:
----------------------------
create a folder under /etc/ called: ‘resolver’
cd /etc/resolver
vi my.domain.com (or pico, or emacs, or whatever command line editor you are comfortable with)
insert the following lines:
nameserver XXX.XXX.XXX.XXX
nameserver XXX.XXX.XXX.XXX
domain my.domain.com
(obviously, replace all the XXX’s with your primary and secondary DNS servers, and all the my.domain.com’s with your default domain.) Save, connect to VPN, and leave flowers at my doorstep.
Here is a printout of the example file: /etc/resolver/example.company.com
nameserver 4.2.2.2
nameserver 4.3.3.3
domain examplecompany.com
FWIW, kravir's fix did not work for me. I don't understand how DNS resolution works in Mac OS, but by experiment I found that
nslookup somehost.mycompany.com
still uses the connection's default nameserver, not 4.2.2.2.
The resolver I added for mycompany.com appears at the very bottom of the list when I run scutil --dns.
Thanks, Apple.
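An added example, not from the original post or from any of the commenters: a small POSIX shell script that builds the /etc/resolver/<domain> file described in kravir's comment (rejecting malformed nameserver addresses rather than writing a file the resolver will ignore), and a parser for `scutil --dns` output that confirms whether a scoped resolver for a given domain is actually present, which is the check the last comment above was making. The domain, nameserver addresses and the scutil sample are constructed placeholders; the real location needs root, so pass /etc/resolver to install_resolver_file only under sudo.

```shell
#!/bin/sh
# Added example: build, validate and verify an /etc/resolver/<domain>
# scoped-resolver file on OS X. All names and addresses are constructed.

# Return 0 if $1 is a syntactically valid IPv4 dotted quad, 1 otherwise.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1                      # split into the four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the contents of an /etc/resolver/<domain> file for domain $1 and
# the nameservers given as the remaining arguments, in the same layout as
# the comment above. Fails if any nameserver is not a valid IPv4 address,
# so a typo does not silently produce a scoped resolver that never answers.
render_resolver_file() {
    domain=$1; shift
    [ $# -ge 1 ] || { echo "render_resolver_file: need a nameserver" >&2; return 1; }
    for ns in "$@"; do
        valid_ipv4 "$ns" || { echo "render_resolver_file: bad nameserver '$ns'" >&2; return 1; }
    done
    for ns in "$@"; do
        printf 'nameserver %s\n' "$ns"
    done
    printf 'domain %s\n' "$domain"
}

# Write the rendered file as $1/$2 ($1 is /etc/resolver in real use, a
# temporary directory in tests). Needs root for the real location.
install_resolver_file() {
    dir=$1; domain=$2; shift 2
    mkdir -p "$dir"
    render_resolver_file "$domain" "$@" > "$dir/$domain"
}

# Read `scutil --dns` output on stdin and print, space separated, the
# nameservers of the resolver block whose "domain" line equals $1.
# Prints nothing and returns 1 if no such scoped resolver exists.
# Assumes the layout scutil uses: one "resolver #N" header per block,
# followed by "domain : X" and "nameserver[i] : A.B.C.D" lines.
scoped_nameservers() {
    awk -v want="$1" '
        function flush() { if (dom == want && ns != "") { print ns; hit = 1 } }
        /^resolver #/                    { flush(); ns = ""; dom = "" }
        /^ *domain *: /                  { dom = $3 }
        /^ *nameserver\[[0-9]+\] *: /    { ns = ns (ns == "" ? "" : " ") $3 }
        END                              { flush(); if (!hit) exit 1 }
    '
}

# Constructed sample of `scutil --dns` output, trimmed to the fields the
# parser reads; real output carries more lines per resolver block.
SAMPLE_SCUTIL_DNS='DNS configuration

resolver #1
  search domain[0] : lan.example
  nameserver[0] : 192.168.1.1
  if_index : 4 (en0)

resolver #2
  domain   : examplecompany.com
  nameserver[0] : 4.2.2.2
  nameserver[1] : 4.3.3.3
'

# Demo (non-destructive): show the file that would be written, then check
# the sample scutil output for the scoped resolver.
render_resolver_file examplecompany.com 4.2.2.2 4.3.3.3
printf '%s' "$SAMPLE_SCUTIL_DNS" | scoped_nameservers examplecompany.com
```

To verify on a live machine, run `scutil --dns | scoped_nameservers my.domain.com` after connecting; if the domain is absent, the file was not picked up (check its name matches the domain exactly and that it is readable). Note that the /etc/resolver directory is honoured by the system resolver that applications such as ssh, ping and Safari use, not by dig, nslookup or host, which send queries straight to the servers in /etc/resolv.conf; so `nslookup` still showing the connection's default server, as in the last comment, does not by itself mean the scoped resolver is broken. `dscacheutil -q host -a name somehost.my.domain.com` exercises the system resolver and is the better test.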