diff --git a/src/dns/nm-dns-manager.c b/src/dns/nm-dns-manager.c
index f11e104817..635e94f69f 100644
--- a/src/dns/nm-dns-manager.c
+++ b/src/dns/nm-dns-manager.c
@@ -1332,11 +1332,28 @@ rebuild_domain_lists(NMDnsManager *self)
 
     head = _ip_config_lst_head(self);
     c_list_for_each_entry (ip_data, head, ip_config_lst) {
-        NMIPConfig *ip_config = ip_data->ip_config;
+        NMIPConfig *ip_config    = ip_data->ip_config;
+        gboolean    add_wildcard = FALSE;
 
         if (!nm_ip_config_get_num_nameservers(ip_config))
             continue;
-        if (nm_ip_config_best_default_route_get(ip_config)) {
+        if (nm_ip_config_best_default_route_get(ip_config))
+            add_wildcard = TRUE;
+        else {
+            /* If a VPN has never-default=no but doesn't get a default
+             * route (this can happen for example when the server
+             * pushes routes with openconnect), and there are no
+             * search or routing domains, then the name servers pushed
+             * by the server would be unused. It is preferable in this
+             * case to use the VPN DNS server for all queries. */
+            if (ip_data->ip_config_type == NM_DNS_IP_CONFIG_TYPE_VPN
+                && !nm_ip_config_get_never_default(ip_data->ip_config)
+                && nm_ip_config_get_num_searches(ip_data->ip_config) == 0
+                && nm_ip_config_get_num_domains(ip_data->ip_config) == 0)
+                add_wildcard = TRUE;
+        }
+
+        if (add_wildcard) {
             if (!wildcard_entries)
                 wildcard_entries = g_hash_table_new(nm_direct_hash, NULL);
             g_hash_table_add(wildcard_entries, ip_data);