We’ve encountered a limitation with ZeroTier where DNS servers configured within the network settings are only used for the specific domain configured. Ideally, when routing all traffic through ZeroTier (no split tunnelling), we would expect all DNS queries to also resolve through the DNS servers assigned by ZeroTier.
On Windows, we’re currently working around this by manually configuring the DNS servers via PowerShell during installation. However, we’re unable to apply the same approach on macOS.
Even after manually assigning DNS servers to the ZeroTier interface on macOS and prioritising this interface above Wi-Fi, DNS resolution still defaults to the servers configured on the Wi-Fi interface.
Is there a recommended way to override this behaviour on macOS so that all DNS traffic is consistently resolved via the DNS servers manually set on ZeroTier’s “thunderbolt” interface?
ChatGPT says this:
Known Limitation (macOS System Resolver)
macOS uses a proprietary DNS resolver (mDNSResponder) that does not fully respect interface priorities or manually set DNS servers in all cases. If there’s an active Wi-Fi connection with DHCP-provided DNS, it often takes precedence — even when interface order is changed.
Workarounds
Use a local DNS proxy like dnsmasq to forward all queries through ZeroTier DNS.
Disable Wi-Fi DNS servers entirely (networksetup -setdnsservers Wi-Fi Empty).
Add specific domains to /etc/resolver/ to force some traffic via ZeroTier DNS (e.g., internal.company).
BUT we don’t want to limit the domain or disable Wi-Fi DNS servers entirely, as this serves as a backup in case ZeroTier experiences an issue.
This seems to be a major limitation of ZeroTier compared with other VPN Client solutions where DNS servers can be set along with other network settings.
Any suggestions towards a solution to our problem would be appreciated.
The ZeroTier DNS integration is working as designed. It’s not meant to take over the primary interfaces and configuration, including DNS, but to supplement it for specific domains when connected to specific networks. Assigning DNS servers to the ZeroTier interface isn’t going to do anything since it’s not the primary interface.
The configuration of the primary network interface (the one at the top of the list in System Settings > Network) will always be the one that wins for DNS queries, so you’ll need to override the DNS servers in the Wi-Fi configuration, but this may be a fragile solution, as I think you’ll need to set this manually for every individual Wi-Fi network that the computer connects to.
ChatGPT is bullshitting you based on outdated information.
If you’re trying to understand what the DNS resolution configuration on macOS looks like while troubleshooting, to make sure it has the settings you expect, use
scutil --dns
The first part is the current DNS setup, and there will be a second section for the scoped queries proposed by your ZeroTier configuration.
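To make the check above repeatable, here is an added example (not part of the thread and not ZeroTier’s own tooling) that parses `scutil --dns` output and reports whether a given set of DNS servers answers unqualified queries (the default resolver at the top of the first section) or is only a domain-scoped supplement, which is what a ZeroTier-pushed DNS setting looks like. The embedded sample output is constructed; the `feth1234` interface name, the `internal.company` domain and the `10.147.17.x` / `192.168.1.1` addresses are placeholders. On a Mac it runs the real `scutil --dns`; elsewhere it falls back to the sample.

```python
"""Classify how DNS servers appear in macOS `scutil --dns` output.

Added example, not code from the original thread or from ZeroTier. The sample
below is constructed: interface names, addresses and the domain are placeholders.
"""
import re
import shutil
import subprocess

# Constructed sample of `scutil --dns` output (not captured from a real host).
# Resolver #1 is the Wi-Fi DHCP resolver; resolver #2 is what a ZeroTier
# network that pushes DNS for one domain would add.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  search domain[0] : lan
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : internal.company
  nameserver[0] : 10.147.17.53
  nameserver[1] : 10.147.17.54
  if_index : 20 (feth1234)
  flags    : Supplemental, Request A records
  reach    : 0x00000002 (Reachable)
  order    : 101200

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : lan
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)
"""


def parse_scutil_dns(text):
    """Return {"default": [...], "scoped": [...]} lists of resolver dicts.

    Each resolver dict has: domain (str or None), nameservers (list of str),
    interface (str or None) and flags (str)."""
    sections = {"default": [], "scoped": []}
    current = "default"
    resolver = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DNS configuration"):
            # Second header reads "DNS configuration (for scoped queries)".
            current = "scoped" if "scoped" in stripped else "default"
            resolver = None
            continue
        if stripped.startswith("resolver #"):
            resolver = {"domain": None, "nameservers": [], "interface": None, "flags": ""}
            sections[current].append(resolver)
            continue
        if resolver is None or ":" not in stripped:
            continue
        key, value = (part.strip() for part in stripped.split(":", 1))
        if key.startswith("nameserver"):          # nameserver[0], nameserver[1], ...
            resolver["nameservers"].append(value)
        elif key == "domain":                     # present only on scoped/supplemental resolvers
            resolver["domain"] = value
        elif key == "if_index":                   # e.g. "6 (en0)" -> "en0"
            m = re.search(r"\((\S+)\)", value)
            resolver["interface"] = m.group(1) if m else value
        elif key == "flags":
            resolver["flags"] = value
    return sections


def default_nameservers(sections):
    """Nameservers that answer unqualified queries: first resolver with no domain."""
    for r in sections["default"]:
        if r["domain"] is None:
            return r["nameservers"]
    return []


def classify(sections, servers):
    """Describe the role of the given servers: "default", "scoped:<domain>" or "absent"."""
    wanted = set(servers)
    if wanted & set(default_nameservers(sections)):
        return "default"
    for r in sections["default"]:
        if r["domain"] and wanted & set(r["nameservers"]):
            return "scoped:" + r["domain"]
    return "absent"


def load_live_or_sample():
    """Run the real `scutil --dns` when available (macOS); otherwise use the sample."""
    if shutil.which("scutil"):
        return subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=True).stdout
    return SAMPLE_SCUTIL_DNS


if __name__ == "__main__":
    sections = parse_scutil_dns(load_live_or_sample())
    print("default resolver:", default_nameservers(sections))
    for r in sections["default"]:
        if r["domain"]:
            print(f"scoped to {r['domain']}: {r['nameservers']} via {r['interface']}")
    # Placeholder ZeroTier-pushed servers; replace with the ones your network assigns.
    print("ZeroTier DNS role:", classify(sections, ["10.147.17.53", "10.147.17.54"]))
```

With the sample, the ZeroTier servers come back as `scoped:internal.company` while the Wi-Fi DHCP server remains the default resolver, which is exactly the situation the original post describes: the servers are present, but only names under the pushed domain are sent to them.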
Thanks, Eric. To summarise, this behaviour reflects a limitation in how ZeroTier handles DNS compared to traditional VPN clients like IPsec or SSL VPN, which often enforce DNS settings across all domains by pushing them directly to the system’s resolver.
It’s a different approach for solving slightly different problems/use cases.
Traditional VPNs are designed to put the PC on a single network, optimised to push all traffic over that link and basically become the primary network interface with all of the associated configuration. Configuring split tunneling on traditional VPNs can be complicated.
ZeroTier is optimised to allow a PC to participate in multiple networks with individual security profiles. This allows for a kind of micro-segmentation and associating DNS services on a per-connection basis. Split tunneling is the core of a ZeroTier design in most cases, where you use the internet for internet traffic, but it isn’t the default route for everything, just what’s required from the network you’re connected to.
For the use case you’re describing, WireGuard may be a better fit.