Problem Summary

After disconnecting from a Virtual Private Network (VPN) in a full-tunnel configuration, macOS users may experience a total failure of DNS name resolution. While the internet connection remains active (IP addresses are reachable), hostnames will not resolve. This issue is specifically triggered when the DNS name server IP address provided by the VPN is identical to the DNS IP address of the local network (underlay) interface.


Symptoms

  • The ping [hostname] command returns "Unknown host" or fails to resolve.
  • Web browsers (Safari, Chrome) fail to load pages by name but can load them by direct IP address.
  • The system appears to have no DNS configuration even though the local router is providing one.
  • Low-level diagnostic tools like dig or nslookup may still work, as they bypass the system's centralized resolution APIs.
  • Running scutil --dns may show the correct IP addresses, but they remain functionally "stuck" on a non-existent VPN interface.


    • Technical Cause

    The issue is rooted in the macOS SystemConfiguration framework and the configd daemon. macOS manages network states in a dynamic database (the "Dynamic Store"). When the VPN and the local network use the same DNS IP (e.g., both use 1.1.1.1 or the same local gateway 192.168.1.1), the configd state machine may fail to register the tunnel teardown as a "state-changing" event for DNS.

    Because the numerical IP value has not changed, the system does not trigger the necessary update to the mDNSResponderprocess to redirect traffic from the virtual utun interface back to the physical en0 (Wi-Fi/Ethernet) interface. This leaves the system resolver "pinned" to a defunct virtual path.


    Workarounds & Solutions


    1. Refresh the System Resolver: Force the mDNSResponder daemon to re-read the network configuration and flush its cache. Open Terminal and run: sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder.
    2. Toggle the Network Interface

    Forcing a physical layer transition will often trigger configd to recalculate the Dynamic Store:

  • Wireless: Turn Wi-Fi Off and then on again via the menu bar.
  • Wired: Physically unplug and re-plug the Ethernet cable.
    • 3. Differentiate DNS IP Addresses

    To prevent this bug from recurring, ensure the VPN and local network do not use identical DNS IPs:

  • Home Users: If your home router is set to use Google DNS (8.8.8.8) and your VPN also uses 8.8.8.8, change your home router settings to use a different provider (e.g. Cloudflare 1.1.1.1).
  • Enterprise Admins: Avoid pushing DNS IPs that are commonly used as default gateways (like 192.168.1.1) over the VPN tunnel.
    • 4. Disable Privacy Proxy Features (Ventura/Sonoma/Sequoia)

    Conflict between Apple’s privacy features and VPN state machines can exacerbate this issue:

  • Go to System Settings > Network > Details.
  • Turn OFF "Limit IP Tracking".

    • Apple Bug has been raised by Versa Networks, Reference link: https://feedbackassistant.apple.com/feedback/22080921

    Applies to: macOS Big Sur (11.x), Ventura (13.x), Sonoma (14.x), Sequoia (15.x), Tahoe (26.x)