1.6.0 beta 13 loses "Apply DNS simultaneously"?


damon

Posts: 2
Joined: Tue Feb 09, 2016 3:00 am

Post by damon » Tue Feb 09, 2016 3:13 am
Hi,
1.5.10 and most 1.6.0 betas before 1.6.0 Beta13 have an option Preferences > Advanced > Network Settings > Apply DNS simultaneously.

Beta13 drops that: there's no configuration option, and my VPN config (which, for right or wrong, depends on that) no longer works.

Is the feature temporarily misplaced, or did you remove it purposefully?

Thanks!

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Tue Feb 09, 2016 10:29 am
Hi Damon,

This option is now configurable per connection with the inclusion of Split DNS support for Windows. Edit the connection and go to Networking where you will find a DNS Mode option. Automatic will try to determine the DNS Mode required itself, otherwise you can set Full DNS (old Simultaneous DNS option unticked equivalent) or Split DNS which will use a local DNS Proxy which will forward DNS requests to the correct DNS Server defined by Domains set in Windows and your connections in much the same way a Linux or Mac based system would do.

This is a first beta release for this new system so we are expecting some bugs while we continue development and testing before going to release.

If you are looking for a different behaviour to either of these, please let us know.

Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs

damon

Posts: 2
Joined: Tue Feb 09, 2016 3:00 am

Post by damon » Wed Feb 10, 2016 3:19 am
Hi Eric,
thanks for the quick reply! Split DNS looks like a better solution than simultaneous DNS.

I just upgraded to beta14 with split DNS and so far it's working very well. I'll talk to our systems guys and see if we can make that the standard.

Thanks again,
-Damon

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Wed Feb 10, 2016 1:08 pm
Hi Damon,

Thanks for the feedback! Please let us know if you encounter any issues at all.

Regards,
Eric

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Thu Feb 11, 2016 10:43 am
Hi mikel,

Thanks for the feedback, we will certainly investigate this type of setup.

"Automatic" decides between Full DNS and Split DNS. If all traffic is to be routed over the VPN tunnel, Full is selected, otherwise Split is in the case a Domain is set or pushed.

Full DNS is essentially our own implementation of the new "block-outside-dns" in OpenVPN 2.3.9 and has been present in Viscosity for years. Until now it was a global setting ("Apply DNS Simultaneously"), now it is set per connection in 1.6.0 and is using more "plain English" terminology.

The problem with the block-outside-dns command is while it will prevent a DNS Leak over a normal adapter, it does not stop the chance of another DNS server other than your VPN DNS being used, the request is just sent via the VPN. While for most people this is enough and DNS leaks are prevented from going outside the VPN tunnel, Full DNS in Viscosity will simply remove any other non-VPN DNS servers from being used. Judging by your comment about your internal DNS server resolving externals, it seems like the former is what you want, simply to prevent any DNS lookups going outside the VPN Tunnel regardless of what DNS Server is used, is this correct?

In Split mode, Viscosity acts as the DNS Server, this is why 127.0.0.1 is set as the DNS server for all adapters. Viscosity can then decide what servers to use based on domains set and suffixes that Windows appends. The DNS servers pushed by the server and set by the client are being used, they just no longer appear on the interfaces, Viscosity has swallowed them up internally.

As a test, with Split DNS set, are you able to go to command prompt and do a DNS lookup on a known host and send us the result? We're interested to see if the local DNS Server can be talked to at all. E.g. nslookup www.sparklabs.com 127.0.0.1

With all this in mind, are you able to confirm your use case here? At a glance, it would appear you are not pushing or have not set redirect-gateway or any other form of default route. As Split is being selected, it seems like you have a split tunnel but you want all DNS Lookups to go to the servers set by the VPN. Is this correct?

Or, should this be a full tunnel where all traffic goes through the VPN connection?

We will certainly do some testing with block-outside-dns set ourselves to see how it affects Viscosity, but rest assured Viscosity is not ignoring the command. This could be the reason that Split DNS is not working for you at all.

Regards,
Eric
Hi Guys,

I've been playing around with the 1.6.0 betas (14, specifically). Our OpenVPN server is pushing out the "block-outside-dns" directive, which works fine when using OpenVPN GUI to connect- this directive is new since OpenVPN 2.3.9.

Our ovpn configs don't include the "block-outside-dns" directive- rather, this gets pushed out from the server.

Here's what I'm seeing with 1.6.0 beta 14:

With DNS Mode set to "Automatic": Viscosity appears to ignore the "block-outside-dns" directive and does not apply the DNS servers that are pushed out to the client. This is not what we would consider expected behavior, given that the server is pushing the directive out. We would prefer it if we did not have to have end-users make changes to the settings within Viscosity at all.

With DNS Mode set to "Full DNS": Viscosity uses the DNS servers that are pushed out to the client. While this works, it would require us to have users make a change to the default configuration of Viscosity on Windows. Fortunately, our internal DNS also resolves external hosts, so DNS resolution isn't an issue here.

With DNS Mode set to "Split DNS": Viscosity appears to ignore the "block-outside-dns" directive and does not apply the DNS servers that are pushed out to the client. Also, due to there being effectively no DNS (due to the ignored directive and no applied DNS servers), the DNS server for the interfaces (on both the TAP interface and the wireless interface) ends up set to 127.0.0.1. When we disconnect from VPN, this resets back to the proper DNS on the wireless interface. No hosts can be resolved in this configuration.

With DNS Mode set to "Disabled": Same results as if things were set to "Full DNS".

Ideally, it would be pretty great if "Automatic" respected the "block-outside-dns" directive and used the DNS that was pushed out from the server.

Please let me know if you have any questions or need more information. Thanks!
Edit - Our apologies Mikel, we accidentally deleted your post trying to remove a double post. I have pulled the post you made from our cache and quoted it above.
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs
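
The "Automatic" rule and the Split DNS forwarding described in the post above, as an added Python sketch that is not part of the thread and is not Viscosity's code. The `Connection` type, the sample addresses and domains, and the longest-suffix tie-break are assumptions; matching is done on whole labels so that `notcorp.example` is never sent to the resolver for `corp.example`.

```python
# Added illustration, not Viscosity's implementation. All names and data are constructed.
from dataclasses import dataclass, field

@dataclass
class Connection:
    name: str
    dns_servers: list                            # pushed by the server or set by the client
    domains: list = field(default_factory=list)  # domains set or pushed
    full_tunnel: bool = False                    # all traffic routed over the VPN

def automatic_mode(conn):
    """Automatic, as described in the thread: Full for a full tunnel,
    Split when a domain is set or pushed."""
    if conn.full_tunnel:
        return "full"
    if conn.domains:
        return "split"
    return None  # the thread does not say what is chosen in this case

def _labels(name):
    # Split a DNS name into lower-case labels, ignoring a trailing root dot.
    return [l for l in name.lower().strip(".").split(".") if l]

def pick_upstreams(qname, connections, system_dns):
    """Split DNS forwarding: use the servers of the connection whose domain is
    the longest whole-label suffix of qname (assumed tie-break), otherwise
    fall back to the system's own servers."""
    q = _labels(qname)
    best, best_len = None, 0
    for conn in connections:
        for dom in conn.domains:
            d = _labels(dom)
            if d and len(d) <= len(q) and q[-len(d):] == d and len(d) > best_len:
                best, best_len = conn, len(d)
    return list(best.dns_servers) if best else list(system_dns)

# Constructed sample data (documentation address range and example domains).
SYSTEM_DNS = ["192.0.2.53"]
CORP = Connection("corp", ["10.8.0.1"], ["corp.example"])
LAB = Connection("lab", ["10.9.0.1"], ["lab.corp.example"])
HOME = Connection("home", ["10.7.0.1"], full_tunnel=True)

if __name__ == "__main__":
    for name in ("git.lab.corp.example", "wiki.corp.example.", "notcorp.example"):
        print(name, "->", pick_upstreams(name, [CORP, LAB], SYSTEM_DNS))
```
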

mikel

Posts: 2
Joined: Thu Feb 11, 2016 2:09 am

Post by mikel » Wed Feb 17, 2016 2:27 am
Sorry I hadn't responded sooner- I didn't see any notification of a response, woops. :)

It looks like, at first glance, the newest beta (b16) -appears- to have fixed the issue we had been having. We still have some testing to do on our end, of course, but things are looking good at the moment.

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Wed Feb 17, 2016 3:35 am
That's great to hear, thanks for the feedback Mikel!

Regards,
Eric

mikel

Posts: 2
Joined: Thu Feb 11, 2016 2:09 am

Post by mikel » Wed Feb 17, 2016 4:24 am
Out of curiosity, is there a changelog for the beta versions? We're just the curious types here. :)

James

Posts: 2312
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Wed Feb 17, 2016 9:44 am
Hi mikel,

Release Notes for beta versions are displayed when auto-updating, however I'm afraid these notes cover changes since the last release version. Changes between beta versions are not included in the release notes.

Viscosity 1.6 has now been fully released, and the release notes can be found at:
https://www.sparklabs.com/viscosity/rel ... s/windows/

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs