VPN
Q: Why does the HYAS Protect agent stop working on macOS when a VPN connection is established?
When using full-tunnel VPNs like Palo Alto GlobalProtect (with split tunneling disabled), macOS overrides system DNS settings to prioritize internal VPN resolvers. As a result, the loopback DNS proxy used by the HYAS Protect agent (typically at 127.0.0.1:53) may be bypassed, preventing DNS queries from being inspected or sent to HYAS.
Q: Does this issue affect Windows devices too?
No. On Windows, the DNS resolver stack handles multiple entries differently and typically continues to allow DNS traffic to reach the HYAS Protect agent — even after a VPN connection is made — provided the agent is installed and the VPN configuration is consistent with supported use cases.
Q: Is this a HYAS-specific issue?
No, this behavior stems from how macOS handles DNS precedence and system routing when VPN connections are active. Many local DNS-based security solutions experience similar behavior unless explicitly accounted for in the VPN or OS configuration.
Q: How can I confirm if this issue is occurring on my macOS device?
Run the following command in Terminal after connecting to the VPN:
Look for 127.0.0.1 under the list of resolvers.
If it's missing or deprioritized, the agent is likely being bypassed.
To test it directly:
CODE
dig @127.0.0.1 example.com
Q: What are the recommended workarounds to restore functionality on macOS while using a VPN?
You have a few options:
Use a split-tunnel or split-DNS VPN configuration
Manually configure macOS to prioritize the local DNS proxy
Engage your VPN administrator
