How to use different DNS servers on specific domains for resultion – VPN Use-Case

How to resolve selected domains over VPN on Linux

In todays world, more people use VPN services to work from remote than ever. However, in some Cases its not desirable to route all traffic and all domain name resolutions over the VPN connection. Even if the VPN-Server wants the client to configure itself to work like this, the client can be configured to ignore the request to route all traffic over the VPN connection.

For example, with Openvpn the option

pull-filter ignore redirect-gateway

can be used to tell the openvpn-client to ignore all "route all" requests from the server.

Fritz Box Example

Recently i had to use a VPN-Connection to a fritz-box. Its an very popular router in Germany that not only offers easy VPN-Connections but also adds all hosts on its network to its own dns. If you want to talk to a machine with the name "workstation" you can reach it using the "" dns name. Also the fritz-box itself is available on the dns name "".

In my case, i prefer to use my own DNS server for all my querys for speed and privacy reasons - so i only want these with the suffix to resolve over the fritzbox.

Solution using a local DNS Server - dnsmasq

Dnsmasq is a lightweight DNS-Server that you can run on your machine to get control on how the name resolution works. A nice side-effect is that it has its own dns cache, making recurring dns queries faster. Here is how i have set it up:

Before you start you need to find out which DNS server is used on the VPN. Its usually the default gateway that usually has a .1 at the end. You can watch the VPN logs closely to learn which DNS server gets pushed on connect.

There is a tool called dig which can do dns queries over specified dns servers, for example

dig @ a

will ask the dns server for the ip of Dig is very handy when debugging dns problems and to test your setup. You may have to install it on your System. On debian, it lives in a package called dnsutils.

First install dnsmasq on your Linux and edit its configuration (usually lives in /etc/dnsmasq.conf). Add these lines here:

server=/ is the domain you want to resolve over the VPN-Dns-server, in this example.

The Resolv-File will tell dnsmasq how it should resolve its dns queries in case there are no other rules, so lets create a /etc/resolv.dnsmasq.conf
with content


In this example, i use the cloudflare public dns and you can use it as it is - or add your local lan dns server here.

If you use a static network configuration, you now can just edit it to use as its nameserver. If you use automatic ip configuration using dhcp, you need to configure your dhcp client use the new local dns server. On debian, the default is dhclient. In that case edit /etc/dhcp/dhclient.conf and add:

prepend domain-name-servers;

Thats it. All you have to do now is to restart dnsmasq so it reloads its config and reconnect/restart dhclient (disconnecting and reconnecting the network may work, reboot the machine when in doubt).

Now you can check if the file /etc/resolv.conf has


as first Nameserver. If it has, the selected domain ( in my example) should now resolve.

On dnsmasq, you can add multiple server= lines, which comes in handy if you have multiple domains that need to be resolved over different DNS servers.