Split DNS

Configure per-tunnel DNS routing so only specific domain queries go through your VPN connection.

How It Works

Split DNS lets you route DNS queries for specific domains through the VPN tunnel while leaving all other DNS queries on your default network. This is useful when you need to resolve internal hostnames (such as company intranet domains) through the VPN without sending all DNS traffic through the tunnel.

When split DNS is configured for a tunnel, the system intercepts DNS queries and checks the domain against the configured rules:

  • Match Domains — DNS queries for these domains are sent through the VPN tunnel's DNS servers. For example, if you add corp.example.com, any lookup for server.corp.example.com will be resolved through the tunnel.
  • Search Domains — Fallback domains that are appended when a bare hostname query fails. For example, if you add example.com as a search domain, a query for intranet will retry as intranet.example.com.

Configuring Split DNS

Split DNS is configured per-tunnel in the Vylos tab of the tunnel form editor. You can set it when creating a new tunnel or by editing an existing one.

  1. Open the tunnel editor (create new or edit existing).
  2. Navigate to the Vylos settings section.
  3. Add entries to the Match Domains list to route specific domain queries through the tunnel.
  4. Optionally add entries to the Search Domains list for fallback domain resolution.

Domain Validation

Each domain entry must be a valid hostname. The accepted format follows this pattern:

[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)*

In plain terms:

  • Must start and end with a letter or digit.
  • May contain hyphens, but not at the start or end of a label.
  • Labels are separated by dots.
  • No spaces, underscores, or special characters.

Examples of valid domains: example.com, internal.corp.example.com, my-service.

The .vylos File Format

Split DNS settings are stored in the .vylos file format, which accompanies the standard WireGuard .conf configuration file. The .vylos format uses INI-style syntax.

The [SplitDNS] section contains two keys:

Key            Description                                                Format
Domains        Domains whose DNS queries are routed through the tunnel.   Comma-separated
SearchDomains  Fallback domains appended to bare hostname queries.        Comma-separated

Example

[SplitDNS]
Domains = corp.example.com, internal.example.com
SearchDomains = example.com

In this example, DNS queries for corp.example.com and internal.example.com (and their subdomains) are resolved through the VPN tunnel. The search domain example.com is appended as a fallback when a bare hostname query fails.
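
The validation pattern and the [SplitDNS] section described above, as an added Python example (not Vylos's own code): it parses the section, keeps only entries that fully match the documented hostname pattern, and decides whether a query name falls under a match domain. The function names, the constructed sample file, and the case-insensitive, label-boundary subdomain matching are assumptions, not documented Vylos behaviour.

```python
import configparser
import re

# Hostname pattern quoted from the Domain Validation section of this page.
HOSTNAME_RE = re.compile(
    r"[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?"
    r"(\.[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)*"
)

# Constructed sample input; the last Domains entry is deliberately invalid.
SAMPLE_VYLOS = """\
[SplitDNS]
Domains = corp.example.com, internal.example.com, bad_name.example.com
SearchDomains = example.com
"""


def load_split_dns(text):
    """Parse [SplitDNS]; return (match_domains, search_domains, rejected)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    section = cp["SplitDNS"] if cp.has_section("SplitDNS") else {}
    result, rejected = {}, []
    for key in ("Domains", "SearchDomains"):
        entries = [e.strip() for e in section.get(key, "").split(",")]
        result[key] = []
        for entry in filter(None, entries):
            # fullmatch anchors the pattern; search() would accept "a.com;x".
            if HOSTNAME_RE.fullmatch(entry):
                result[key].append(entry.lower())
            else:
                rejected.append(entry)
    return result["Domains"], result["SearchDomains"], rejected


def uses_tunnel(qname, match_domains):
    """True if qname equals a match domain or is a subdomain of one.

    Assumption: matching is case-insensitive and on label boundaries, so
    "notcorp.example.com" does not match the rule "corp.example.com".
    """
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in match_domains)
```

Reviewing the rejected list before deploying a tunnel file shows which entries would never take effect, and the label-boundary check keeps look-alike names from being resolved through the tunnel's DNS servers.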