VPN DNS configuration bug in OS X


I am using TunnelBlick to connect to an VPN (OpenVPN) with OS X 10.9.2. I can authenticate and pass traffic but the DNS entries injected from the VPN do not work.

Here is the output of scutil --dns (resolver #1 is the correct DNS server injected by Tunnelblick)

resolver #1
  search domain[0] : XXXXX.net
  nameserver[0] :
  if_index : 5 (en1)
  flags    : Request A records
  reach    : Reachable

The problem is if_index should be tap0 and not en1. From ifconfig:

    ether e4:ce:8f:1b:42:cc
    inet6 fe80::e6ce:8fff:fe1b:42cc%en1 prefixlen 64 scopeid 0x5
    inet netmask 0xffffff00 broadcast
    nd6 options=1<PERFORMNUD>
    media: autoselect
    status: active

    ether 0a:83:8d:37:dc:b9
    inet netmask 0xffff0000 broadcast
    open (pid 4997)

nslookup, dig, and host all can reach the DNS server correctly but the rest of OS X cannot (I understand these have a standalone resolution mechanism that do not rely on the rest of OS X). I have confirmed with Wireshark that the DNS packets sent by nslookup et. al. go out tap0 and DNS packets sent by other programs (eg ping) go out eth0 and of course never get to their destination. Could it be possible that scutil doesn't actually look at the routing table before sending packets?? If so how can I edit the scutil entry to correct the if_index?

Tunnelblick is configuration drop down is set for set nameserver and the relevant portion of my server.conf is shown below. Since I am getting the DNS information correctly I think the problem is with OS X and its scutil setup.



# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS"
push "dhcp-option DOMAIN wattsworth.net"

asked on Super User Mar 26, 2014 by user310577 • edited Jun 23, 2016 by techraf

1 Answer


Struggling with the same problem, I found that running scselect command with new-location-name set to the same as currently used did reset the network settings and DNS started working through VPN.

At the same time scutil results remained constant (i.e. it shows the if_index set to the Ethernet interface).

First run scselect with no arguments to learn the GUID of currently used location, then again with the intended location as an argument.

answered on Super User Jun 23, 2016 by techraf

User contributions licensed under CC BY-SA 3.0