
You could instead WireGuard split tunnel dns traffic and serve it with Pi-Hole or forward it to dns.aguard.com if you do not really require analytics or use unbound with block lists to resolve names recursively.


Have you managed to get WireGuard to do split tunnel DNS? I've been wanting to do this, but couldn't figure out how to make it work on Android, for example.


Since wireguard uses allowed-ips for making routing decisions, it has been straightforward to set one up.

The gist is, on the client configuration:

1. Set DNS server IP against allowed IP in the peer (which is your wireguard server) section.

2. Set DNS entry to the same IP as above for the client interface.

Ref the discussion and the linked blog post (that talks abt Pi-Hole with wireguard): https://news.ycombinator.com/item?id=19544532, https://www.reddit.com/r/WireGuard/comments/bqccdz/split_tun...


Thanks for your answer. I think the sources you linked to are tunneling all of their DNS queries through Wireguard. I don't want to do this, since my work has some DNS records which only resolve internally. Basically I want to be able to give DNS names to the various hosts on my Wireguard network, while falling back to the DNS provided by the network I'm on.


In the config:

DNS = <public-resolver>,<private-resolver>

...wouldn't work?

Edit: per discussion on r/Wireguard, looks like one soln is to run dnsmasq locally on ::53 and forward public queries to the VPN/DNS provider of your choosing and resolve private queries locally.

https://www.reddit.com/r/WireGuard/comments/cmhap6/use_both_...
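Putting the two halves of this thread together (the AllowedIPs/DNS trick from the earlier reply and the local dnsmasq forwarder from the r/WireGuard link), here is an added example configuration; it is not from any of the posters or from the linked threads. The subnet 10.8.0.0/24, the resolver 10.8.0.1, the domain corp.example, the endpoint and the public upstream 9.9.9.9 are all assumed placeholders.

```ini
# /etc/wireguard/wg0.conf  (client side; every address here is an assumed placeholder)
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/24
# Point the OS resolver at the local dnsmasq instance, not at the VPN resolver.
DNS = 127.0.0.1

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.net:51820
# Split tunnel: only the VPN subnet is routed through WireGuard. The resolver
# at 10.8.0.1 sits inside that subnet, so the queries dnsmasq forwards to it
# travel through the tunnel; all other traffic keeps its normal route.
AllowedIPs = 10.8.0.0/24
PersistentKeepalive = 25

# /etc/dnsmasq.d/split-dns.conf  (runs on the same client, loopback only)
listen-address=127.0.0.1
bind-interfaces
# Ignore /etc/resolv.conf, which wg-quick rewrites to point back at us.
no-resolv
# Names under corp.example, and reverse lookups for the VPN subnet, go to the
# resolver on the WireGuard server (the Pi-Hole/unbound discussed above).
server=/corp.example/10.8.0.1
server=/0.8.10.in-addr.arpa/10.8.0.1
# Everything else goes to a public resolver (assumed fixed upstream; swap in
# whichever resolver you want), so internal names never reach it.
server=9.9.9.9
```

As noted later in the thread, this needs a local dnsmasq, so it suits a laptop rather than a stock Android client.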


Yeah, thanks for looking deeper into it. I found before that I could do it by running my own DNS server (like dnsmasq) on the local device (so I could do it no problem on my laptop), but that isn't easy on a phone.



