
Target: I would like the openvpn client on macOS using tunnelblick to use the VPN provider's DNS server first, and if it cannot resolve a DNS name there, it should use my local DNS server.

Situation: a local DNS server provides names/IPs for machines on the LAN, and also resolves names on remote DNS servers for names of machines on the WAN. When connected to the VPN provider, the openvpn server pushes dhcp-option DNS . In this situation local machine's DNS names do not get resolved, if connected to the openvpn server at the provider. This is clearly not what one wants. I am aware that modern macOS does not use /etc/resolv.conf and therefore I am testing the resolution using the browser to access local or remote machines and dnsleaktest.com to check which DNS server is used!

Problem: When using "dhcp-option DNS ", it will be prioritized over the VPN DNS server. Then local machine names do get resolved, but when resolving names on the WAN, this will also be done by the local DNS server, which represents a DNS leak (as is verifiable using dnsleaktest.com). This is clearly also not what one wants.

Unfortunately, using: pull-filter accept "dhcp-option DNS " before or after "dhcp-option DNS " will not(!) influence the order in which DNS servers are queried. In fact it seems that only 1 DNS server gets queried; even if the answer is NXDOMAIN, no other DNS server gets queried.

I would really like the VPN DNS server to be queried first, and if it fails, the local DNS server should be queried. The chance for a DNS leak should be small / zero then?

Overall, I am stuck here, I do not seem to find a way to use tunnelblick in a way as the target statement describes. Can you confirm, that this is not possible, or could you provide a solution?

  • Have you tried adding additional dhcp-option entries to the client config? This is normally how this is addressed, but it depends if the 3rd party VPN provider's servers will honor these. See Lines 92 - 97 in this example server config, but the same options can be specified in the client's config
    – JW0914
    Commented Sep 13, 2019 at 13:53

1 Answer


Yes, I had tried the various dhcp-option entries; these lead nowhere. In the meanwhile I found a solution for macOS:

you create /etc/resolver/lan with the following content:

domain lan
nameserver 10.0.1.1   # the local DNS server
search_order 1
search lan            # important! otherwise you must append .lan every time yourself

Now the system behaves exactly as I wanted. Local machine names are resolved properly without the need to append ".lan", and external names get resolved via the VPN provider's DNS server. There is no DNS leak.
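As an added example, not part of the answer above, here is a small POSIX shell script that writes the per-domain resolver file the answer describes and, when run on macOS, checks that the system picked it up. It assumes the LAN nameserver 10.0.1.1 and the "lan" domain from the answer; the target directory defaults to /etc/resolver but can be overridden (useful for dry runs), and the function refuses anything that does not look like an IPv4 address so a typo cannot silently send *.lan lookups nowhere.

```shell
#!/bin/sh
# Added example (not from the original answer or from Tunnelblick/OpenVPN):
# create /etc/resolver/<domain> so that only names under that domain go to
# the LAN nameserver, while everything else keeps using the resolver pushed
# by the VPN (no DNS leak for WAN names).
# Assumptions: domain "lan" and nameserver 10.0.1.1 as in the answer.

# write_lan_resolver [DIR] [NAMESERVER] [DOMAIN]
# Writes DIR/DOMAIN. Returns 1 (and writes nothing) if NAMESERVER is not a
# plausible dotted IPv4 address. Writing to /etc/resolver needs root.
write_lan_resolver() {
    dir=${1:-/etc/resolver}
    ns=${2:-10.0.1.1}
    domain=${3:-lan}

    # sanity check: four dot-separated groups of 1-3 digits
    if ! printf '%s\n' "$ns" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        printf 'refusing to write resolver: "%s" is not an IPv4 address\n' "$ns" >&2
        return 1
    fi

    mkdir -p "$dir" || return 1
    # search_order: lower values are consulted first when several resolver
    # entries match; "search" lets bare hostnames get ".lan" appended.
    printf 'domain %s\nnameserver %s\nsearch_order 1\nsearch %s\n' \
        "$domain" "$ns" "$domain" > "$dir/$domain"
}

# check_lan_resolver [DOMAIN]
# On macOS, confirms the resolver entry is active via scutil --dns and
# shows which server answers for a host in that domain. Elsewhere it only
# reports that the check was skipped and returns 0.
check_lan_resolver() {
    domain=${1:-lan}
    if ! command -v scutil >/dev/null 2>&1; then
        echo "scutil not available; skipping live check (not macOS)"
        return 0
    fi
    # scutil --dns lists one "resolver #N" block per /etc/resolver file
    if scutil --dns | grep -q "domain *: *$domain"; then
        echo "resolver for .$domain is active"
        # example lookup through the system resolver, not a direct query
        dscacheutil -q host -a name "gateway.$domain" || true
        return 0
    fi
    echo "resolver for .$domain not found in scutil --dns output" >&2
    return 1
}

# Only install when explicitly asked, so sourcing or testing this file is safe.
if [ "${LAN_RESOLVER_INSTALL:-0}" = 1 ]; then
    write_lan_resolver && check_lan_resolver
fi
```

Run it as `sudo env LAN_RESOLVER_INSTALL=1 sh lan-resolver.sh` to install, or call `write_lan_resolver /tmp/resolver-test` to inspect the generated file first. After installing, `scutil --dns` should list a separate resolver block with `domain : lan` and `nameserver[0] : 10.0.1.1`; the default resolver block should still show only the server pushed by the VPN, which is the observable difference between this setup and the leaky dhcp-option variant described in the question.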
