How do you set the first DNS server issued by DHCP on OS X?

There is a server which is strongswan, bind9, isc-dhcp-server.

/etc/ipsec.conf:
config setup

conn %default
    dpdaction=clear
    dpddelay=35s
    dpdtimeout=2000s

    keyexchange=ikev2
    auto=add
    rekey=no
    reauth=no
    fragmentation=yes

    # local (server) side
    left=%any
    leftsubnet=10.10.10.0/24
    leftcert=vpn.site.com.crt
    leftsendcert=always

    # remote (client) side; addresses come from the DHCP plugin
    right=%any
    rightsourceip=%dhcp
    eap_identity=%identity

# conn names may not contain whitespace, so the two connections are hyphenated
conn ikev2-mschapv2
    rightauth=eap-mschapv2

conn ikev2-mschapv2-apple
    rightauth=eap-mschapv2
    leftid=vpn.site.com


/etc/strongswan.d/charon/dhcp.conf:
dhcp {
    force_server_address = yes
    interface = vmbr1
    load = yes
    server = 10.10.10.255
}


The problem is that, once connected to the VPN, the DNS server issued by DHCP ends up second in the list:

$ scutil --dns
DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 4 (en0)
  flags    : Scoped, Request A records
             Reachable, Directly Reachable Address

resolver #2
  nameserver[0] : 10.10.10.1
  if_index : 12 (ipsec0)
  flags    : Scoped, Request A records
             Reachable, Transient Connection, Connection Required, Automatic Connection On Demand


resolver #1 is taken from the first connection (Wi-Fi).
Dragging the VPN connection higher in Network settings is impossible.
Is it possible to make it the first one, or the only one?
July 9th 19 at 10:17
2 answers
July 9th 19 at 10:19
I can suggest swapping left and right in the config, like this:
#
right=%any
leftsubnet=10.10.10.0/24
leftcert=vpn.site.com.crt
leftsendcert=always

#
left=%any
rightsourceip=%dhcp
eap_identity=%identity

It's kind of a crutch, though; experiment more with the config.
Or look at the bind configuration, at the forwarders; check that, it might work.
On the Mac, resolver #1 (en0) is ranked higher than the one I need, resolver #2 (ipsec0).
I.e. I can set 10.10.10.1 via /etc/resolv.conf or Network->Wi-Fi->DNS and everything will work as it should.
The question here is how to make ipsec0 take priority over en0? And preferably via IPsec. - Barton.Kub commented on July 9th 19 at 10:22
As a last resort I have leftsubnet=0.0.0.0/24 so that it listens to everything. But I don't like it. - Barton.Kub commented on July 9th 19 at 10:25
July 9th 19 at 10:21
In general, I trawled the entire Internet and came to the conclusion that you need either to route all traffic (leftsubnet=0.0.0.0/0) or to use split DNS.
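As an added check, not from this thread: a small Python parser for `scutil --dns` output that reports whether the VPN's resolver appears in the unscoped "DNS configuration" section (the one that governs ordinary lookups) and at what rank. The sample output is constructed from the values in the question, and the section and field layout assumed here is that of recent macOS `scutil --dns` output; `ipsec0` as the VPN interface name is taken from the question.

```python
import re
# Constructed sample modelled on the question's `scutil --dns` output. Only the
# unscoped "DNS configuration" section (not quoted in the question) decides
# where ordinary lookups go; "(for scoped queries)" entries serve scoped queries.
SAMPLE = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 4 (en0)
  flags    : Request A records

resolver #2
  nameserver[0] : 10.10.10.1
  if_index : 12 (ipsec0)

DNS configuration (for scoped queries)

resolver #2
  nameserver[0] : 10.10.10.1
  if_index : 12 (ipsec0)
  flags    : Scoped, Request A records
"""
_KV = re.compile(r"^\s*(\w+)(?:\[\d+\])?\s*:\s*(.*?)\s*$")  # "key[N] : value"

def parse_scutil_dns(text):
    """Return {section title: [resolver dict, ...]} in printed order."""
    sections, section, resolver = {}, None, None
    for line in text.splitlines():
        if line.startswith("DNS configuration"):
            section, resolver = sections.setdefault(line.strip(), []), None
        elif line.startswith("resolver #") and section is not None:
            section.append(resolver := {"nameserver": []})
        elif resolver is not None and (m := _KV.match(line)):
            key, val = m.groups()
            if key == "nameserver":
                resolver["nameserver"].append(val)
            elif key == "if_index":  # "12 (ipsec0)" -> "ipsec0"
                resolver["interface"] = val.split("(")[-1].rstrip(")")
            else:
                resolver[key] = val
    return sections

def vpn_dns_rank(text, vpn_if="ipsec0"):
    """1-based rank of the VPN resolver in the unscoped configuration, or None
    when it only appears scoped (ordinary lookups then use the Wi-Fi resolver)."""
    main = parse_scutil_dns(text).get("DNS configuration", [])
    return next((i for i, r in enumerate(main, 1) if r.get("interface") == vpn_if), None)
```

On a real Mac, feed the output of `scutil --dns` to `vpn_dns_rank`: a rank above 1, or None, means names that do not match a VPN search domain are still resolved by the Wi-Fi resolver outside the tunnel.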
