Using split DNS with OpenVPN: manual configuration required?
Hello,
I'm setting up OpenVPN and Unbound (DNS Resolver). I have a few Domain Overrides configured in Unbound. I would like VPN clients to use these Domain Overrides, i.e. split DNS.
In the OpenVPN server configuration, I ticked 'DNS Server enable', and set the pfSense box as 'DNS Server 1'. The DNS server is being pushed to VPN clients, and I see it in scutil --dns on the OpenVPN client:

DNS configuration

resolver #1
  search domain[0] : cyberfusion.nu
  nameserver[0] : 1.1.1.1
  if_index : 6 (en0)
  flags : Request A records, Request AAAA records
  reach : 0x00000002 (Reachable)

resolver #2
  domain : local
  options : mdns
  timeout : 5
  flags : Request A records, Request AAAA records
  reach : 0x00000000 (Not Reachable)
  order : 300000

resolver #3
  domain : cyberfusion.nu
  nameserver[0] : fc00:b6d:980:1:9ae:c2a:e4a:348
  flags : Supplemental, Request A records, Request AAAA records
  reach : 0x00000002 (Reachable)
  order : 101800
cyberfusion.nu is my search domain ('DNS Default Domain'), and fc00:b6d:980:1:9ae:c2a:e4a:348 is pfSense. However, doing nslookup cyberfusion.nu uses resolver #1, which has been manually configured on the client.

Where should I specify the DNS names that VPN clients should use pfSense as DNS server for? Am I supposed to add custom lines to my OpenVPN config under 'Custom options'? Or is it up to the client?
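The following is an added example, not code from the original post or from pfSense/OpenVPN. It parses scutil --dns style output (a constructed sample laid out one field per line, using the values quoted in the post) and models the rule the macOS system resolver applies: a query goes to the domain-scoped ("Supplemental") resolver whose domain is the longest suffix match of the queried name, and otherwise to the default resolver. It also reports which override domains would not be covered by a scoped resolver and so would leak to the default nameserver. The function names and the "internal.example" override domain are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the scutil --dns output quoted in the post, laid out one
# field per line the way scutil prints it (assumption: field values unchanged).
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  search domain[0] : cyberfusion.nu
  nameserver[0] : 1.1.1.1
  if_index : 6 (en0)
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : cyberfusion.nu
  nameserver[0] : fc00:b6d:980:1:9ae:c2a:e4a:348
  flags    : Supplemental, Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)
  order    : 101800
"""


def parse_scutil_dns(text: str) -> List[Dict]:
    """Parse scutil --dns style text into one dict per resolver block."""
    resolvers: List[Dict] = []
    current: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"resolver #(\d+)$", line)
        if header:
            current = {"id": int(header.group(1)), "domain": None,
                       "nameservers": [], "search": [], "flags": [], "order": None}
            resolvers.append(current)
            continue
        if current is None or ":" not in line:
            continue
        # Split on the first colon only: IPv6 nameserver addresses contain colons.
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "domain":
            current["domain"] = value.lower().rstrip(".")
        elif key.startswith("nameserver["):
            current["nameservers"].append(value)
        elif key.startswith("search domain["):
            current["search"].append(value.lower().rstrip("."))
        elif key == "flags":
            current["flags"] = [f.strip() for f in value.split(",")]
        elif key == "order":
            current["order"] = int(value)
    return resolvers


def select_resolver(name: str, resolvers: List[Dict]) -> Optional[Dict]:
    """Pick the resolver the system resolver would use for `name`: the
    domain-scoped resolver with the longest matching suffix, otherwise the
    default (unscoped) resolver."""
    qname = name.lower().rstrip(".")
    best: Optional[Dict] = None
    for r in resolvers:
        dom = r["domain"]
        if dom is None:
            continue
        if qname == dom or qname.endswith("." + dom):
            if best is None or len(dom) > len(best["domain"]):
                best = r
    if best is None:
        best = next((r for r in resolvers if r["domain"] is None), None)
    return best


def nameservers_for(name: str, resolvers: List[Dict]) -> List[str]:
    """Nameserver addresses that would receive a query for `name`."""
    chosen = select_resolver(name, resolvers)
    return [] if chosen is None else list(chosen["nameservers"])


def unscoped_domains(domains: List[str], resolvers: List[Dict]) -> List[str]:
    """Override domains with no domain-scoped resolver carrying a nameserver,
    i.e. names whose queries would go to the default resolver, not the VPN."""
    missing = []
    for d in domains:
        chosen = select_resolver(d, resolvers)
        if chosen is None or chosen["domain"] is None or not chosen["nameservers"]:
            missing.append(d)
    return missing


if __name__ == "__main__":
    table = parse_scutil_dns(SAMPLE_SCUTIL_DNS)
    for q in ("cyberfusion.nu", "host.cyberfusion.nu", "example.com"):
        print(f"{q:24} -> {nameservers_for(q, table)}")
    # "internal.example" is a constructed override domain with no scoped resolver.
    print("not covered by split DNS:",
          unscoped_domains(["cyberfusion.nu", "internal.example"], table))
```

With the post's own table, cyberfusion.nu and any name under it resolve to the pfSense address in resolver #3 while everything else goes to 1.1.1.1, which is what split DNS is meant to do. The reason nslookup shows something different is that nslookup (like dig and host) reads /etc/resolv.conf and talks to that nameserver directly instead of going through the macOS system resolver, so it never sees the supplemental resolver; querying through the system resolver, for example with dscacheutil -q host -a name cyberfusion.nu, or checking which nameserver receives the query with a packet capture on the tunnel interface, gives a truthful picture of where VPN clients send each domain.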