I have this same issue as well, or close enough. I posted on the Apple StackExchange because this is more an issue with trying to understand scutil than it is openconnect. Once we can figure out how to do what we want with scutil, we can, in theory, correct the openconnect scripts to work as desired.

https://apple.stackexchange.com/questions/266552/have-openconnect-send-all-dns-to-vpn-nameservers-scutil-sierra

I am trying to get DNS resolution working using openconnect on macOS 10.12.2. First off, the Cisco AnyConnect client does work; I'm mainly wanting to switch to OpenConnect for scriptability and its integration with libstoken. Openconnect works fine on Linux as well. It's just the integration with macOS where I'm running into trouble.

When connected to the VPN, the server sends down two nameservers and a search domain. vpnc-script and macOS attempt to set this up as a sort of scoped query. In reality, we want all DNS queries to go to the ones provided by the VPN server. A number of older posts around this use networksetup commands, which do not seem to work for me under Sierra (though they have worked for people on older versions).

In the below examples, 192.168.1.1 and priv.example.net would be my local network nameserver, while 10.131.10.1[5-6] and core.example.com would be the VPN servers.

Under AnyConnect, it puts all three nameservers under "resolver #1". I also notice it somehow detaches these from any interface. When OpenConnect connects, it seems to attach the VPN nameservers to en0 instead of utun0. That seems to be the crux of my problem, because the VPN nameservers are not accessible over en0, only utun0. I can provide a lot more output from scutil (I have pages of comparisons).

GOOD (AnyConnect): Under here, notice that resolver #1 is not tied to an interface.

    dfzmbp:etc ytjohn$ scutil --dns
    DNS configuration

    resolver #1
      search domain[0] : core.example.com
      nameserver[0] : 10.131.10.15
      nameserver[1] : 10.131.10.16
      nameserver[2] : 192.168.1.1
      flags    : Request A records, Request AAAA records
      reach    : Reachable
      order    : 1

BAD (OpenConnect):

    dfzmbp:etc ytjohn$ scutil --dns
    DNS configuration

    resolver #1
      search domain[0] : core.example.com
      search domain[1] : priv.example.net
      nameserver[0] : 10.131.10.15
      nameserver[1] : 10.131.10.16
      nameserver[2] : 192.168.1.1
      if_index : 6 (en0)
      flags    : Request A records
      reach    : Reachable

    resolver #2
      domain   : core.example.com
      nameserver[0] : 10.131.10.15
      nameserver[1] : 10.131.10.16
      flags    : Supplemental, Request A records
      reach    : Reachable
      order    : 100800

    resolver #3
      domain   : local
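
Added example, not part of the original post and not code from openconnect or vpnc-script: a Python check that parses `scutil --dns` output and reports resolvers that list a VPN nameserver while bound to a non-tunnel interface, which is the en0-versus-utun0 condition described in the post. The sample text is constructed from the post's BAD output; the function names and the `utun0` default are assumptions.

```python
import re

# Constructed sample, trimmed from the "BAD (OpenConnect)" output in the post.
BAD = """\
resolver #1
  search domain[0] : core.example.com
  search domain[1] : priv.example.net
  nameserver[0] : 10.131.10.15
  nameserver[1] : 10.131.10.16
  nameserver[2] : 192.168.1.1
  if_index : 6 (en0)

resolver #2
  domain   : core.example.com
  nameserver[0] : 10.131.10.15
  nameserver[1] : 10.131.10.16
  flags    : Supplemental, Request A records
"""

def parse_scutil_dns(text):
    """Parse `scutil --dns` text (one field per line) into resolver dicts."""
    resolvers, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*resolver #(\d+)\s*$", line)
        if m:
            cur = {"id": int(m.group(1)), "nameservers": [], "search": [],
                   "domain": None, "ifname": None}
            resolvers.append(cur)
            continue
        m = re.match(r"\s*([a-z_ ]+?)(?:\[\d+\])?\s*:\s*(.+?)\s*$", line)
        if not m or cur is None:
            continue  # header, blank line, or field outside any resolver
        key, val = m.groups()
        if key == "nameserver":
            cur["nameservers"].append(val)
        elif key == "search domain":
            cur["search"].append(val)
        elif key == "domain":
            cur["domain"] = val
        elif key == "if_index":
            im = re.search(r"\((\w+)\)", val)  # "6 (en0)" -> "en0"
            cur["ifname"] = im.group(1) if im else val
    return resolvers

def misbound(resolvers, vpn_servers, tunnel="utun0"):
    """IDs of resolvers that list a VPN nameserver but are pinned elsewhere."""
    return [r["id"] for r in resolvers
            if r["ifname"] not in (None, tunnel)
            and set(r["nameservers"]) & set(vpn_servers)]
```

Calling `misbound(parse_scutil_dns(BAD), {"10.131.10.15", "10.131.10.16"})` flags resolver #1; an unscoped resolver such as the one in the GOOD output is not flagged.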