How to use different DNS servers for specific domains name resolution – VPN Use-Case

Insider Blog




April 21, 2022


What moves us



How to resolve selected domains over VPN on Linux

In today's world, more people than ever use VPN services to work from remote. However, in some cases it's not desirable to route all traffic and all domain name resolutions over the VPN connection. Even if the VPN-Server wants the client to configure itself to work like this, the client can be configured to ignore the request to route all traffic over the VPN connection.

For example, with Openvpn the option

pull-filter ignore redirect-gateway

can be used to tell the openvpn-client to ignore all "route all" requests from the server.

FRITZ!Box example

Recently I had to use a VPN-Connection to a FRITZ!Box. It's a very popular router in Germany that not only offers easy VPN-Connections but also adds all hosts on its network to its own dns. If you want to talk to a machine with the name workstation you can reach it using the "" dns name. The fritz-box itself is also available on the dns name

In my case, I prefer to use my own DNS server for all queries because of speed and privacy reasons - that means, I only want the domains with the suffix to resolve over the FRITZ!Box.

Solution using a local DNS server - dnsmasq

Dnsmasq is a lightweight DNS-Server that you can run on your machine to get control on how the name resolution works. A nice side effect is that it has its own dns cache, making recurring dns queries faster. Here is how I have set it up:

Before you start you need to find out which DNS server is used on the VPN. It's usually the default gateway that usually has a .1 at the end. You can watch the VPN logs closely to learn which DNS server gets pushed on connect.

There is a tool called dig which can do dns queries over specified dns servers, for example

dig @ a

will ask the dns server for the ip of Dig is very handy when debugging dns problems and to test your setup. You may have to install it on your System. On debian, it lives in a package called dnsutils.

First install dnsmasq on your Linux and edit its configuration (usually lives in /etc/dnsmasq.conf). Add these lines here:

server=/ is the domain you want to resolve over the VPN-Dns-server, in this example.

The Resolv-File will tell dnsmasq how it should resolve its dns queries in case there are no other rules, so let's create a /etc/resolv.dnsmasq.conf with content


If you use a static network configuration, you now can just edit it to use as its nameserver. If you use automatic ip configuration using dhcp, you need to configure your dhcp client use the new local dns server. On debian, the default is dhclient. In that case edit /etc/dhcp/dhclient.conf and add:

prepend domain-name-servers;

That's it. All you have to do now is to restart dnsmasq so it reloads its config and reconnect/restart dhclient (disconnecting and reconnecting the network may work, reboot the machine when in doubt).

Now you can check if the file /etc/resolv.conf has


as first nameserver. If it has, the selected domain ( in my example) should now resolve.

On dnsmasq, you can add multiple server= lines, which comes in handy if you have multiple domains that need to be resolved over different DNS servers.

previous article
For developers, for store operators - We don't work with arbitrary frameworks, libraries, plugins and programming languages. We love it professionally. Software created at Helm & Walter should be powerful and lean. Here are our favorites: PHP (recursive acronym for PHP: hypertext preprocessor) is a widely used programming language for ...
June 27, 2017
Bernd Helm
next article
We have released a wrapper that converts Amazon MWS to SP API, offering developers with outdated systems a simple solution. This open-source project provides a practical alternative to redevelopment and supports the continuation of existing applications.
February 21, 2024
Bernd Helm