resolvectl ignores new VPN network adapter

I have a strange problem when I connect to a company VPN with forticlient application. First, I did not know what was wrong. After spending some time, I figured out that DNS is not working as it should have. Unfortunately, I have no idea, who's fault is that. It may be FortiClient, systemd-resolved, or something else. I am using Ubuntu 22.04, which is not an official version yet, but I have doubts it will get any better until official release in a week or two. This is output from resolvectl before VPN is established: username@hostname:~$ resolvectl Global Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported resolv.conf mode: stub Link 2 (enp2s0) Current Scopes: none Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported Link 3 (wlp1s0) Current Scopes: DNS Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported Current DNS Server: 192.168.1.1 DNS Servers: 192.168.1.1 2a00:ee0:d::13 2a00:ee0:e::13 DNS Domain: -- After VPN is established resolvectl reports additional link called vpn: username@hostname:~$ resolvectl Global Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported resolv.conf mode: stub Link 2 (enp2s0) Current Scopes: none Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported Link 3 (wlp1s0) Current Scopes: DNS Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported Current DNS Server: 172.20.1.21 DNS Servers: 172.20.1.16 172.20.1.21 2a00:ee0:d::13 2a00:ee0:e::13 DNS Domain: company.com Link 5 (vpn) Current Scopes: none Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported As you can see additional DNS servers are added to Link 3, which should help me resolve internal names when connected to VPN. Strange thing is that when I write username@hostname:~$ resolvectl query name.company.com name.company.com: resolve call failed: 'name.company.com' not found I do not get anything. If I try with nslookup like this username@hostname:~$ nslookup > server 172.20.1.16 Default server: 172.20.1.16 Address: 171.20.1.16#53 > name.company.com Server: 172.20.1.16 Address: 172.20.1.16#53 Name: name.company.com Address: 172.20.38.251 I get the correct answer. Since this was strange I traced network traffic to see what does nslookup differently than resolvectl query. It turned out that nslookup uses a VPN assigned address for the source IP when asking DNS for a name. On the other hand, resolvectl query uses all other addresses for source IP except the one assigned by VPN. Because of that I guess DNS server does not have the route to send back an answer correctly to my computer, or DNS queries may even not reach the newly added DNS servers. Because of that none of the programs I need can resolve the names correctly. The result is that I cannot connect anywhere within a VPN with a domain name. Does anybody have an idea how to make resolvectl realize there is newly assigned VPN address, and it should use it as the source IP. Should FortiClient do some additional configutation on establishing a connection? Probably not. I tried to restart systemd-resolved after VPN is established, but it does not help. Should I restart some other service? Which one? ---------- Update: I have checked how DNS is setup in network settings, and they are correct. Without VPN the network interface wlp1s0 shows: username@hostname:~$ nmcli device show wlp1s0 | grep DNS IP4.DNS: 192.168.1.1 IP6.DNS: 2a00:ee0:d::13 IP6.DNS: 2a00:ee0:e::13 After VPN is connected: username@hostname:~$ nmcli device show wlp1s0 | grep DNS IP4.DNS: 172.20.1.16 IP4.DNS: 172.20.1.21 username@hostname:~$ nmcli device show vpn | grep DNS IP4.DNS: 172.20.1.16 IP4.DNS: 172.20.1.21