VPN.DNS

The transport protocol to communicate with the DNS server.

The primary domain of the tunnel.

That UUID that points to an identity certificate payload. The system uses this identity to authenticate the user to the DNS resolver.

The list of domain strings used to fully qualify single-label host names.

The array of DNS server IP address strings. These IP addresses can be a mixture of IPv4 and IPv6 addresses.

The hostname of a DNS-over-TLS server to validate the server certificate, as defined in RFC 7858. If ServerAddresses isn’t specified, the system uses the hostname to determine the server addresses. This key is required if the DNSProtocol is TLS.

The URI template of a DNS-over-HTTPS server, as defined in RFC 8484, which needs to use the https:// scheme. The system uses the hostname or address in the URL to validate the server certificate. If ServerAddresses isn’t specified, the system uses the hostname or address in the URL to determine the server addresses. This key is required if the DNSProtocol is HTTPS.

The list of domain strings used to determine which DNS queries use the DNS resolver settings in ServerAddresses. The system uses this key to create a split DNS configuration where it resolves only hosts in certain domains using the tunnel’s DNS resolver. The system uses the default resolver for hosts that aren’t in one of the domains in this list.

If SupplementalMatchDomains contains the empty string it becomes the default domain.

Split-tunnel configurations can direct all DNS queries to the VPN DNS servers before the primary DNS servers. If the VPN tunnel becomes the network’s default route, the servers listed in ServerAddresses become the default resolver and the system ignores the SupplementalMatchDomains list.

If 0, append the domains in the SupplementalMatchDomains list to the resolver’s list of search domains.