How to resolve selected domains over VPN on Linux
In today's world, more people than ever use VPN services to work from remote. However, in some cases it's not desirable to route all traffic and all domain name resolutions over the VPN connection. Even if the VPN-Server wants the client to configure itself to work like this, the client can be configured to ignore the request to route all traffic over the VPN connection.
For example, with Openvpn the option
pull-filter ignore redirect-gateway
can be used to tell the
openvpn-client to ignore all "route all" requests from the server.
Recently I had to use a VPN-Connection to a FRITZ!Box. It's a very popular router in Germany that not only offers
VPN-Connections but also adds all hosts on its network to its own dns. If you want to talk to a machine with the name
workstation you can reach it using the "workstation.fritz.box" dns name. The fritz-box itself is also available on the
In my case, I prefer to use my own DNS server for all queries because of speed and privacy reasons - that means, I only
domains with the
fritz.box suffix to resolve over the FRITZ!Box.
Solution using a local DNS server - dnsmasq
Dnsmasq is a lightweight DNS-Server that you can run on your machine to get control on how the name resolution works. A nice side effect is that it has its own dns cache, making recurring dns queries faster. Here is how I have set it up:
Before you start you need to find out which DNS server is used on the VPN. It's usually the default gateway that usually
.1 at the end. You can watch the VPN logs closely to learn which DNS server gets pushed on connect.
There is a tool called
dig which can do dns queries over specified dns servers, for example
dig @192.168.1.1 a fritz.box
will ask the dns server
192.168.1.1 for the ip of
Dig is very handy when debugging dns problems and to
your setup. You may have to install it on your System. On debian, it lives in a package called
dnsmasq on your Linux and edit its configuration (usually lives in
/etc/dnsmasq.conf). Add these lines
fritz.box is the domain you want to resolve over the VPN-Dns-server,
192.168.1.1 in this example.
The Resolv-File will tell
dnsmasq how it should resolve its dns queries in case there are no other rules, so let's
If you use a static network configuration, you now can just edit it to use
127.0.0.1 as its nameserver. If you use
automatic ip configuration using dhcp, you need to configure your dhcp client use the new local dns server. On debian,
the default is
dhclient. In that case edit
/etc/dhcp/dhclient.conf and add:
prepend domain-name-servers 127.0.0.1;
That's it. All you have to do now is to restart
dnsmasq so it reloads its config and reconnect/restart
(disconnecting and reconnecting the network may work, reboot the machine when in doubt).
Now you can check if the file
as first nameserver. If it has, the selected domain (
fritz.box in my example) should now resolve.
dnsmasq, you can add multiple
server= lines, which comes in handy if you have multiple domains that need to be
resolved over different DNS servers.