Public DNS times out when connected to Cisco IPSec VPN on macOS

I have been using 1.1.1.1 and 1.0.0.1 on macOS for months. I connect to various Cisco IPSec VPN servers inside of AWS for work purposes and this all worked previously with no issue. Just recently (last week or so) when I connect to a Cisco IPSec VPN server inside of AWS I lose DNS capability locally completely using CloudFlare:

Local network works just fine

MacBook-Pro ➜  ~ dig +short google.com
64.233.185.139
64.233.185.113
64.233.185.138
64.233.185.102
64.233.185.101
64.233.185.100

When I connect to an IPSec VPN server though:

MacBook-Pro ➜  ~ dig +short google.com
;; connection timed out; no servers could be reached

I can ping 1.1.1.1 when connected to the AWS VPN which again, points to DNS failing to resolve:

MacBook-Pro ➜  ~ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=38 time=51.987 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=38 time=77.721 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=38 time=55.962 ms
^C
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 51.987/61.890/77.721/11.311 ms

Did something recently change with CloudFlare public DNS? As mentioned, this used to work and nothing changed on my end.

Nothing has changed at Cloudflare.

Thanks for the reply @sdayman.

Here is the output when not connected to the Cisco IPSec VPN, and it works:

However, I’d like to run it again, when connected to the Cisco IPSec VPN, but I cannot because of the DNS resolution issue. Should I just hardcode cloudflare-dns.com into my /etc/hosts as 104.16.248.249 and retry?

And additional output of the requested commands when connected to the IPSec VPN; sorry, I meant to put the output into the original reply. You’ll see explicitly providing @1.1.1.1 works. The more I dive into this, I think it may be a bug in macOS that was introduced with the latest update, 10.15.5. All my IPSec VPN connections have this issue; before, this worked.

MacBook-Pro ➜  ~ dig example.com @1.1.1.1

; <<>> DiG 9.10.6 <<>> example.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26652
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;example.com.			IN	A

;; ANSWER SECTION:
example.com.		69541	IN	A	93.184.216.34

;; Query time: 84 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Jul 05 14:57:16 CDT 2020
;; MSG SIZE  rcvd: 67

MacBook-Pro ➜  ~ dig +short CHAOS TXT id.server @1.1.1.1
"SEA"

MacBook-Pro ➜  ~ dig @ns3.Cloudflare.com whoami.Cloudflare.com 89 txt +short
dig: couldn't get address for 'ns3.Cloudflare.com': not found

Hi, sounds like your VPN might be overwriting your DNS settings, so maybe take a look into that.

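The three checks in this thread (system resolver times out, `dig @1.1.1.1` answers, `ping 1.1.1.1` replies) together point at the resolver list macOS is using rather than at the upstream service, which is what the last reply suggests looking into. The script below is an added example, not something posted in the thread or published by Cloudflare. It parses the output format of `scutil --dns`, the macOS command that shows which nameservers the system resolver actually uses (unscoped versus interface-scoped), and flags when the expected nameservers have been replaced by a resolver a VPN client pushed. It also generalises the thread's three checks into a small classifier. The `scutil` sample embedded below is constructed, and the function names, the `EXPECTED_NAMESERVERS` set and the verdict strings are this example's own assumptions; the VPN-pushed address 10.0.0.2 is a placeholder.

```python
"""Diagnose a macOS resolver configuration that a VPN client may have replaced."""
import re
import subprocess

# Resolvers the machine is supposed to use (the thread's setup: Cloudflare 1.1.1.1 / 1.0.0.1).
EXPECTED_NAMESERVERS = {"1.1.1.1", "1.0.0.1"}

# Constructed sample of `scutil --dns` output while a VPN is up: the unscoped
# default resolver is a VPN-pushed, unreachable placeholder address and the
# Cloudflare resolvers survive only as an interface-scoped entry for en0.
SAMPLE_VPN_SCUTIL = """DNS configuration

resolver #1
  nameserver[0] : 10.0.0.2
  if_index : 17 (utun1)
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 1.1.1.1
  nameserver[1] : 1.0.0.1
  if_index : 6 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)
"""


def parse_scutil_dns(text):
    """Parse `scutil --dns` output into a list of resolver dicts.

    The unscoped "DNS configuration" block is what a plain `dig` uses; the
    "(for scoped queries)" block only applies to interface-scoped lookups.
    Each block numbers its resolvers from #1 again.
    """
    resolvers, scoped, current = [], False, None
    for line in text.splitlines():
        if line.startswith("DNS configuration"):
            scoped, current = "scoped" in line, None
            continue
        m = re.match(r"^resolver #(\d+)", line)
        if m:
            current = {"index": int(m.group(1)), "scoped": scoped, "nameservers": [],
                       "domain": None, "interface": None, "reachable": None}
            resolvers.append(current)
            continue
        if current is None:
            continue
        if m := re.match(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", line):
            current["nameservers"].append(m.group(1))
        elif m := re.match(r"^\s*domain\s*:\s*(\S+)", line):
            current["domain"] = m.group(1)
        elif m := re.match(r"^\s*if_index\s*:\s*\d+\s*\((\S+)\)", line):
            current["interface"] = m.group(1)
        elif m := re.match(r"^\s*reach\s*:\s*0x[0-9a-fA-F]+\s*\((.*)\)", line):
            current["reachable"] = not m.group(1).startswith("Not")
    return resolvers


def diagnose(resolvers, expected=EXPECTED_NAMESERVERS):
    """Compare the unscoped default resolver (used by plain lookups) with what we expect."""
    default = [r for r in resolvers if not r["scoped"] and r["domain"] is None]
    primary = default[0] if default else None
    nameservers = primary["nameservers"] if primary else []
    return {
        "default_nameservers": nameservers,
        "default_interface": primary["interface"] if primary else None,
        "default_reachable": primary["reachable"] if primary else None,
        "expected_present": bool(expected & set(nameservers)),
        # Interface-scoped resolvers, e.g. the ones left behind on en0.
        "scoped": {r["interface"]: r["nameservers"] for r in resolvers if r["scoped"] and r["interface"]},
    }


def classify_symptom(system_dig_ok, explicit_dig_ok, resolver_icmp_ok):
    """Map the thread's three checks onto a likely cause (verdict strings are this example's own)."""
    if system_dig_ok:
        return "ok"
    if explicit_dig_ok:
        # Upstream answers when asked directly, so the resolver list the OS uses is wrong.
        return "resolver-config"
    if resolver_icmp_ok:
        # Host reachable but port 53 is not: DNS traffic is dropped or redirected on the VPN path.
        return "dns-port-blocked"
    return "no-route-to-resolver"


def report(text=None):
    """Print a diagnosis; with no text it runs `scutil --dns` (macOS only) and returns the result dict."""
    if text is None:
        text = subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=True).stdout
    d = diagnose(parse_scutil_dns(text))
    print(f"default resolver ({d['default_interface']}): {d['default_nameservers']} "
          f"reachable={d['default_reachable']}")
    if not d["expected_present"]:
        print(f"expected {sorted(EXPECTED_NAMESERVERS)} missing from the default resolver list; "
              "a VPN client has likely replaced it")
    for iface, ns in d["scoped"].items():
        print(f"scoped ({iface}): {ns}")
    return d


if __name__ == "__main__":
    import sys
    report(None if sys.platform == "darwin" else SAMPLE_VPN_SCUTIL)
```

Run it on the affected Mac with the VPN up and compare the "default resolver" line against the scoped en0 entry; if the default list no longer contains 1.1.1.1 / 1.0.0.1, the VPN profile is supplying its own nameservers and the fix belongs in that profile (or in a split-DNS setting), not at Cloudflare.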
