Had an interesting problem today with a Mac OS X 10.7.5 end user working with the Apple built-in Cisco IPSEC VPN client. The end user was using a VPN profile that has split tunneling enabled.
Internal servers could not be reached via their DNS address (IP address did work). The VPN interface was getting the correct DNS settings; the Ethernet interface and WiFi interface were only getting the end user's home internet connection DNS settings.
Unfortunately the VPN DNS isn't overriding the ISP's. Doesn't matter whether I change the order of services either.
Manually added the DNS to the interfaces and it works as expected, but doing it that way means the end user won't be able to resolve anything when not connected to the VPN.
This is a workaround... real quick one, haven't researched it yet. Will update with more details when I have time.