improve `--dns` documentation
https://github.com/OpenVPN/openvpn/issues/473 suggests that there are many misunderstandings lurking in the general --dns documentation and also in the interaction between --dns and --dhcp-option <dns related>, quote
> This is also missing in docs which implies that `dns` overrides `dhcp-option` which is not really the case always.
My understanding is that it should override, as in "if there is dns configured, dhcp-option is ignored", but I might be wrong, or might be wrong for non-Windows platforms.
So, opening a separate issue to improve and clarify documentation.
I tried to improve the docs but not sure I understand it well enough. Here is what I had come up with:
- The docs say
The server id is used to group options and also for ordering the list of configured DNS servers; lower numbers come first. DNS servers being pushed to a client replace already configured DNS servers with the same server id.
IMO that gives the impression that servers with different ids all get used with corresponding priority, which is not the case. I suggest adding that
Only the group of options corresponding to the lowest priority id is applied.
- Windows
--dns options do override --dhcp-option but, on Windows with DHCP emulation active, that is misleading. If DHCP is active, DNS is set using DHCP, not via the service. That means dns options like resolve-domains are just ignored. The end effect is the same as using dhcp-option. So this is not a migration path for those with Windows + tap-windows6.
IMO, this should be fixed. Or, at least, we could add:
Windows only: (i) If tap-windows6 is in use, dns servers are set by
DHCP by default. In this case only ``--dns search-domains`` and
``--dns server n address ..`` with the lowest value of n are interpreted.
All other ``--dns`` options are ignored.
(I believe this could be worked around using --ip-win32 netsh, but I am not keen on encouraging that)
While at it, also document the recent change as
(ii) If ``--dns server n resolve-domains`` is in use, the DNS server
addresses corresponding to ``n`` are set on the interface only if
``search-domains`` is also in use. Otherwise these DNS addresses
are used only for NRPT rules for split-DNS.
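The precedence rules discussed in this thread (only the lowest server id group is applied; with tap-windows6 DHCP emulation only `search-domains` and that group's `address` values survive), as an added model written for this page, not OpenVPN's own code. It assumes the `dns server n <option> ...` / `dns search-domains ...` syntax quoted above and the pushed `push "dns ..."` form; the sample config is constructed.

```python
"""Model of the --dns precedence described in the thread above.

Added illustration only: it parses `dns ...` lines and reports which options
would take effect under the rules the thread describes. It is not OpenVPN code.
"""
import re
from collections import defaultdict

# Constructed sample: options a hypothetical server pushes to a client.
SAMPLE_CONFIG = [
    'push "dns search-domains corp.example"',
    'push "dns server 1 address 10.8.0.1"',
    'push "dns server 1 resolve-domains corp.example"',
    'push "dns server 2 address 10.8.0.2 10.8.0.3"',
    'push "dns server 2 dnssec yes"',
]

# Accepts both the client-side 'dns ...' and the pushed 'push "dns ..."' form.
_DNS_LINE = re.compile(r'^(?:push\s+"dns|dns)\s+(.*?)"?$')


def parse_dns_options(lines):
    """Return (search_domains, {server_id: {option: [values]}})."""
    search = []
    servers = defaultdict(dict)
    for raw in lines:
        line = raw.split('#', 1)[0].strip()   # drop comments and blanks
        m = _DNS_LINE.match(line) if line else None
        if not m:
            continue
        parts = m.group(1).split()
        if parts[0] == 'search-domains':
            search.extend(parts[1:])
        elif parts[0] == 'server' and len(parts) >= 4:
            sid = int(parts[1])               # the 'n' in 'dns server n ...'
            servers[sid].setdefault(parts[2], []).extend(parts[3:])
    return search, dict(servers)


def effective_dns(lines, windows_dhcp=False):
    """Apply the thread's rules: lowest id wins; DHCP mode keeps addresses only."""
    search, servers = parse_dns_options(lines)
    if not servers:
        return {'search_domains': search, 'server_id': None, 'options': {}}
    lowest = min(servers)                     # only this group is applied
    opts = dict(servers[lowest])
    if windows_dhcp:
        # tap-windows6 DHCP emulation: resolve-domains, dnssec etc. are ignored
        opts = {k: v for k, v in opts.items() if k == 'address'}
    return {'search_domains': search, 'server_id': lowest, 'options': opts}
```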