Unable to get split DNS working with Wireguard

[awein]

Summary

I was hoping that Passepartout supports what the native WG client does not: Split DNS. But it looks like it does not work as intended.

Steps to reproduce

• Configure manual DNS by setting the DNS server IP to the internal DNS server (e.g. 172.16.1.1)
• Configure the domain and search domain to point to the internal domain (e.g. internal.domain)

What is the current bug behavior?

172.16.1.1 will be used as default DNS server on iOS and macOS. This can be observed by checking the network traffic and will show that domains like apple.com are resolved through it as well.

What is the expected correct behavior?

172.16.1.1 should only receive DNS queries for internal.domain and it's subdomains, but not any other DNS queries.

Relevant logs and/or screenshots

Observations from scutil output on macOS

• Global DNS settings will show the LAN search domain but the VPN DNS server

  > show State:/Network/Global/DNS
  <dictionary> {
  SearchDomains : <array> {
  0 : lan
  }
  SearchOrder : 103800
  ServerAddresses : <array> {
  0 : 172.16.1.1
  }
  __CONFIGURATION_ID__ : Supplemental: 62FCF1C9-F651-4A03-9FEB-06A8476BB97A 0
  __FLAGS__ : 16390
  __ORDER__ : 0
  }

• The VPN DNS configuration includes an empty string in SupplementalMatchDomains

  > show State:/Network/Service/62FCF1C9-F651-4A03-9FEB-06A8476BB97A/DNS
  <dictionary> {
  SearchDomains : <array> {
  0 : internal.domain
  1 : internal.domain
  }
  ServerAddresses : <array> {
  0 : 172.16.1.1
  }
  SupplementalMatchDomains : <array> {
  0 : 
  }
  }

Configuration screenshot

Possible fixes suggested remediation

SupplementalMatchDomains being set to an empty string explains the behaviour (Apple documentation). Cloud it be that matchDomains is set to a value that includes and empty string?