DNS via MacOS settings vs Viscosity DNS


Ickertod

Posts: 6
Joined: Sun Dec 10, 2017 10:29 am

Post by Ickertod » Sun Dec 10, 2017 5:09 pm
Hello,

I subscribe to a VPN service that has a server which allows access to .onion websites. The only thing needed, other than the address for the server, is the VPN provider's DNS server addresses. Everything works as it's supposed to when I set the DNS at the MacOS system level, but when I do it through Viscosity, the .onion sites don't work.

How I set it up in MacOS:
System Preferences -->
Network -->
Advanced button -->
DNS
Enter 1.2.3.4 and 1.3.5.7

How I set it up in Viscosity
Preferences -->
Select server -->
Click Edit -->
Networking -->
DNS Settings -->
Mode --> automatic (default)
Servers --> 1.2.3.4, 1.3.5.7

In order to get the .onion sites to work I have to set the DNS at the macOS level and then set the DNS mode to Disabled in Viscosity. If I instead try to set the DNS settings in Viscosity, the .onion sites fail to load. Everything else works correctly, just not the .onion sites. When I run "scutil --dns" in Terminal, both cases show the same, correct entries for the DNS server.

I'm not sure why the .onion sites would load if I set the DNS at the MacOS level and not work if I set the DNS within Viscosity. Shouldn't I be getting the same results by setting the DNS in Viscosity vs setting it at the MacOS system level?

Thanks!
Dan

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Mon Dec 11, 2017 11:42 am
Hi Dan,

Can you please post a full copy of your OpenVPN log and "scutil --dns" output while connected? This should help us diagnose what is going on. Please feel free to censor out any sensitive details before posting.
https://www.sparklabs.com/support/kb/ar ... envpn-log/

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

Ickertod

Posts: 6
Joined: Sun Dec 10, 2017 10:29 am

Post by Ickertod » Tue Dec 12, 2017 3:36 pm
I have 4 text files I've made.
1- The Viscosity Log output when DNS is set up in Viscosity
2- The scutil output when DNS is set up in Viscosity
3- The Viscosity Log output when DNS is set up in macOS and disabled in Viscosity
4- The scutil output when DNS is set up in macOS

Is there an email I can send these to, or should I just paste them all into one large reply?

Ickertod

Posts: 6
Joined: Sun Dec 10, 2017 10:29 am

Post by Ickertod » Wed Dec 13, 2017 2:27 am
This is the Viscosity log and scutil log when Viscosity is in charge of administering the DNS. macOS is set with the default 8.8.8.8 and 8.8.4.4.

Viscosity log:
2017-12-11 20:49:22: Viscosity Mac 1.7.5 (1420)
2017-12-11 20:49:22: Viscosity OpenVPN Engine Started
2017-12-11 20:49:22: Running on macOS 10.13.2
2017-12-11 20:49:22: ---------
2017-12-11 20:49:22: State changed to Connecting
2017-12-11 20:49:23: Checking reachability status of connection...
2017-12-11 20:49:23: Connection is reachable. Starting connection attempt.
2017-12-11 20:49:23: OpenVPN 2.4.4 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Sep 27 2017
2017-12-11 20:49:23: library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
2017-12-11 20:49:23: WARNING: --ping should normally be used with --ping-restart or --ping-exit
2017-12-11 20:49:23: NOTE: --fast-io is disabled since we are not using UDP
2017-12-11 20:49:23: TCP/UDP: Preserving recently used remote address: [AF_INET]12.34.56.78:443
2017-12-11 20:49:23: Attempting to establish TCP connection with [AF_INET]12.34.56.78:443 [nonblock]
2017-12-11 20:49:24: TCP connection established with [AF_INET]12.34.56.78:443
2017-12-11 20:49:24: TCP_CLIENT link local: (not bound)
2017-12-11 20:49:24: TCP_CLIENT link remote: [AF_INET]12.34.56.78:443
2017-12-11 20:49:24: State changed to Authenticating
2017-12-11 20:49:24: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2017-12-11 20:49:26: [maskedvpn.com] Peer Connection Initiated with [AF_INET]12.34.56.78:443
2017-12-11 20:49:28: Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2017-12-11 20:49:28: Opened utun device utun1
2017-12-11 20:49:28: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2017-12-11 20:49:28: /sbin/ifconfig utun1 delete
2017-12-11 20:49:28: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2017-12-11 20:49:28: /sbin/ifconfig utun1 11.22.33.44 11.22.33.44 netmask 255.255.255.0 mtu 1500 up
2017-12-11 20:49:28: Initialization Sequence Completed
2017-12-11 20:49:29: DNS mode set to Full
2017-12-11 20:49:29: State changed to Connected
2017-12-11 20:51:12: State changed to Disconnecting
2017-12-11 20:51:12: SIGTERM[hard,] received, process exiting
2017-12-11 20:51:13: State changed to Disconnected
2017-12-11 20:52:12: Viscosity Mac 1.7.5 (1420)
2017-12-11 20:52:12: Viscosity OpenVPN Engine Started
2017-12-11 20:52:12: Running on macOS 10.13.2
2017-12-11 20:52:12: ---------
2017-12-11 20:52:12: State changed to Connecting
2017-12-11 20:52:12: Checking reachability status of connection...
2017-12-11 20:52:12: Connection is reachable. Starting connection attempt.
2017-12-11 20:52:12: OpenVPN 2.4.4 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Sep 27 2017
2017-12-11 20:52:12: library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
2017-12-11 20:52:12: WARNING: --ping should normally be used with --ping-restart or --ping-exit
2017-12-11 20:52:12: NOTE: --fast-io is disabled since we are not using UDP
2017-12-11 20:52:12: TCP/UDP: Preserving recently used remote address: [AF_INET]12.34.56.78:443
2017-12-11 20:52:12: Attempting to establish TCP connection with [AF_INET]12.34.56.78:443 [nonblock]
2017-12-11 20:52:13: TCP connection established with [AF_INET]12.34.56.78:443
2017-12-11 20:52:13: TCP_CLIENT link local: (not bound)
2017-12-11 20:52:13: TCP_CLIENT link remote: [AF_INET]12.34.56.78:443
2017-12-11 20:52:14: State changed to Authenticating
2017-12-11 20:52:14: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2017-12-11 20:52:15: [maskedvpn.com] Peer Connection Initiated with [AF_INET]12.34.56.78:443
2017-12-11 20:52:16: Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2017-12-11 20:52:16: Opened utun device utun1
2017-12-11 20:52:16: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2017-12-11 20:52:16: /sbin/ifconfig utun1 delete
2017-12-11 20:52:16: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2017-12-11 20:52:16: /sbin/ifconfig utun1 11.22.33.44 11.22.33.44 netmask 255.255.255.0 mtu 1500 up
2017-12-11 20:52:16: Initialization Sequence Completed
2017-12-11 20:52:17: DNS mode set to Full
2017-12-11 20:52:17: State changed to Connected


scutil log
DNS configuration

resolver #1
search domain[0] : utun1.viscosity
nameserver[0] : 2.4.3.5.4
nameserver[1] : 1.3.2.4.3
flags : Request A records
reach : 0x00000002 (Reachable)

resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300000

resolver #3
domain : utun1.viscosity
nameserver[0] : 2.4.3.5.4
nameserver[1] : 1.3.2.4.3
flags : Supplemental, Request A records
reach : 0x00000002 (Reachable)
order : 100200

resolver #4
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300200

resolver #5
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300400

resolver #6
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300600

resolver #7
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300800

resolver #8
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 301000

DNS configuration (for scoped queries)

resolver #1
search domain[0] : utun1.viscosity
nameserver[0] : 2.4.3.5.4
nameserver[1] : 1.3.2.4.3
if_index : 9 (utun1)
flags : Scoped, Request A records
reach : 0x00000002 (Reachable)

resolver #2
nameserver[0] : 8.8.8.8
nameserver[1] : 8.8.4.4
nameserver[2] : <removed for forum posting>
if_index : 5 (en0)
flags : Scoped, Request A records
reach : 0x00000002 (Reachable)

Ickertod

Posts: 6
Joined: Sun Dec 10, 2017 10:29 am

Post by Ickertod » Wed Dec 13, 2017 2:29 am
This is the Viscosity log and scutil log when macOS is in charge of administering the DNS. The DNS option is disabled in Viscosity.

Viscosity Log:
2017-12-11 21:17:42: Viscosity Mac 1.7.5 (1420)
2017-12-11 21:17:42: Viscosity OpenVPN Engine Started
2017-12-11 21:17:42: Running on macOS 10.13.2
2017-12-11 21:17:42: ---------
2017-12-11 21:17:42: State changed to Connecting
2017-12-11 21:17:43: Checking reachability status of connection...
2017-12-11 21:17:43: Connection is reachable. Starting connection attempt.
2017-12-11 21:17:43: OpenVPN 2.4.4 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Sep 27 2017
2017-12-11 21:17:43: library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
2017-12-11 21:17:43: WARNING: --ping should normally be used with --ping-restart or --ping-exit
2017-12-11 21:17:43: NOTE: --fast-io is disabled since we are not using UDP
2017-12-11 21:17:43: TCP/UDP: Preserving recently used remote address: [AF_INET]12.34.56.78:443
2017-12-11 21:17:43: Attempting to establish TCP connection with [AF_INET]12.34.56.78:443 [nonblock]
2017-12-11 21:17:44: TCP connection established with [AF_INET]12.34.56.78:443
2017-12-11 21:17:44: TCP_CLIENT link local: (not bound)
2017-12-11 21:17:44: TCP_CLIENT link remote: [AF_INET]12.34.56.78:443
2017-12-11 21:17:44: State changed to Authenticating
2017-12-11 21:17:44: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2017-12-11 21:17:45: [maskedvpn.com] Peer Connection Initiated with [AF_INET]12.34.56.78:443
2017-12-11 21:17:47: Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2017-12-11 21:17:47: Opened utun device utun1
2017-12-11 21:17:47: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2017-12-11 21:17:47: /sbin/ifconfig utun1 delete
2017-12-11 21:17:47: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2017-12-11 21:17:47: /sbin/ifconfig utun1 11.22.33.44 11.22.33.44 netmask 255.255.255.0 mtu 1500 up
2017-12-11 21:17:47: Initialization Sequence Completed
2017-12-11 21:17:47: DNS mode set to Off
2017-12-11 21:17:47: State changed to Connected


scutil log
DNS configuration

resolver #1
nameserver[0] : 2.4.3.5.4
nameserver[1] : 1.3.2.4.3
flags : Request A records
reach : 0x00000002 (Reachable)

resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300000

resolver #3
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300200

resolver #4
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300400

resolver #5
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300600

resolver #6
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300800

resolver #7
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 301000

DNS configuration (for scoped queries)

resolver #1
nameserver[0] : 2.4.3.5.4
nameserver[1] : 1.3.2.4.3
if_index : 5 (en0)
flags : Scoped, Request A records
reach : 0x00000002 (Reachable)

Ickertod

Posts: 6
Joined: Sun Dec 10, 2017 10:29 am

Post by Ickertod » Wed Dec 13, 2017 3:40 am
Also, to mention a few other tests I've done that all had the same problem:
- in Viscosity set the DNS and set the DNS Settings to "Full DNS" (fails to load .onion)
- in Viscosity set the DNS, set DNS Settings to "Full DNS", checked the checkbox to ignore the DNS settings sent by the VPN server (fails to load .onion)
- having the DNS set at both the macOS and Viscosity level (fails to load .onion)

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Thu Dec 14, 2017 5:50 pm
Hi Ickertod,

Thanks for posting your logs.

How do you get on if you add "onion" to the "Domains" list under the Networking tab for your connection in Viscosity?

Here is my running theory as to what is happening, but please note it's only speculation at this stage (to confirm it will be necessary to fire up something like Wireshark and look at the actual DNS request): to allow for DNS network interface ordering Viscosity sets an interface domain. If none is specified it will use a generic one (e.g. utun0.viscosity). This should be ignored for actual lookups, however in this case macOS doesn't see "x.onion" as a real domain (as it's not a known TLD), and so it may be thinking it's a subdomain and trying to resolve it using the interface domain (i.e. x.onion.utun0.viscosity).

It sounds like it's not trying x.onion though, either initially or as a fallback, which makes me think the DNS server may be responding to "x.onion.utun0.viscosity" in some fashion. I imagine it's working when you manually set the DNS servers as there is no domain being set: if you set one you'll probably see the same behaviour. We can't have Viscosity not set a domain, as from past experience this will break DNS interface ordering for many setups. Adding "onion" as a search domain *might* offer a solution, otherwise it's probably best handled on the DNS server's end.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
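The theory in the post above can be checked from the `scutil --dns` output itself before reaching for Wireshark. What follows is an added example, not code from this thread or from Viscosity. The scutil text in it is constructed to match the layout the poster pasted, using the placeholder nameservers 1.2.3.4 and 1.3.5.7 from the first post; the "after" state assumes that listing "onion" under Domains registers a supplemental resolver with `domain : onion` for the VPN nameservers, which is inferred from how the utun1.viscosity resolver shows up, not taken from documentation. The selection rule (longest matching `domain` wins, otherwise the default resolver and its search list) is a simplification of what the macOS resolver does; it is enough to show why "x.onion" can leave the machine as "x.onion.utun1.viscosity" in one configuration and as plain "x.onion" in the other.

```python
"""Model resolver selection from `scutil --dns` output (added example; see the
lead-in for the assumptions, in particular the constructed samples and the
assumed `domain : onion` entry after the fix)."""

SCUTIL_BEFORE = """\
DNS configuration

resolver #1
  search domain[0] : utun1.viscosity
  nameserver[0] : 1.2.3.4
  nameserver[1] : 1.3.5.7
  flags : Request A records

resolver #2
  domain : utun1.viscosity
  nameserver[0] : 1.2.3.4
  nameserver[1] : 1.3.5.7
  flags : Supplemental, Request A records

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 8.8.8.8
  nameserver[1] : 8.8.4.4
  if_index : 5 (en0)
  flags : Scoped, Request A records
"""

# Assumed state after "onion" is added to the Domains list (an assumption).
SCUTIL_AFTER = SCUTIL_BEFORE.replace(
    "DNS configuration (for scoped queries)",
    "resolver #3\n  domain : onion\n  nameserver[0] : 1.2.3.4\n"
    "  nameserver[1] : 1.3.5.7\n  flags : Supplemental, Request A records\n\n"
    "DNS configuration (for scoped queries)",
)


def parse_scutil_dns(text):
    """Return the unscoped resolvers as dicts. Scoped (per-interface) resolvers
    only apply to interface-bound sockets, so they are left out of the model."""
    unscoped, _, _ = text.partition("DNS configuration (for scoped queries)")
    resolvers, cur = [], None
    for raw in unscoped.splitlines():
        line = raw.strip()
        if line.startswith("resolver #"):
            cur = {"domain": None, "search": [], "nameservers": []}
            resolvers.append(cur)
            continue
        if cur is None or " : " not in line:
            continue
        key, value = (part.strip() for part in line.split(" : ", 1))
        if key == "domain":
            cur["domain"] = value.lower()
        elif key.startswith("search domain"):
            cur["search"].append(value.lower())
        elif key.startswith("nameserver"):
            cur["nameservers"].append(value)
    return resolvers


def plan_query(resolvers, qname):
    """Which resolver takes qname, and which names may go on the wire for it."""
    name = qname.rstrip(".").lower()
    best = None
    for r in resolvers:
        d = r["domain"]
        if d and (name == d or name.endswith("." + d)):
            if best is None or len(d) > len(best["domain"]):
                best = r  # longest matching domain wins
    if best is not None:
        return {"via": best["domain"], "nameservers": best["nameservers"], "names": [name]}
    default = next(r for r in resolvers if r["domain"] is None)
    # No domain-specific resolver: the default entry handles it and its search
    # list may be appended, which is the x.onion.utun1.viscosity case above.
    return {"via": "default", "nameservers": default["nameservers"],
            "names": [name] + [f"{name}.{s}" for s in default["search"]]}


def search_expanded(observed_qnames, resolvers):
    """Flag captured query names that carry a search-list suffix; returns
    (name as seen on the wire, name the application actually asked for)."""
    suffixes = {s for r in resolvers for s in r["search"]}
    hits = []
    for q in observed_qnames:
        n = q.rstrip(".").lower()
        for s in suffixes:
            if n.endswith("." + s):
                hits.append((q, n[: -len(s) - 1]))
    return hits


if __name__ == "__main__":
    for label, text in (("before", SCUTIL_BEFORE), ("after", SCUTIL_AFTER)):
        print(label, plan_query(parse_scutil_dns(text), "example.onion"))
    # Constructed query names, written the way a capture prints them.
    seen = ["example.onion.utun1.viscosity.", "www.example.com."]
    print(search_expanded(seen, parse_scutil_dns(SCUTIL_BEFORE)))
```

To confirm the theory on the Mac itself, capture port 53 traffic on the tunnel interface while loading the site (for instance `sudo tcpdump -ni utun1 port 53`) and pass the query names it prints through `search_expanded`: a hit means the search suffix really is being appended, and whether "x.onion" is ever tried on its own is visible in the same capture. The security point worth keeping in mind is that in this setup every .onion hostname is sent in clear to the VPN provider's resolver either way; pinning "onion" to the VPN nameservers only stops the name from being rewritten or from drifting to whichever resolver the default entry points at.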

Ickertod

Posts: 6
Joined: Sun Dec 10, 2017 10:29 am

Post by Ickertod » Fri Dec 15, 2017 11:34 am
Hello James,

It looks like your theory was spot on - adding the "onion" to the Domains list fixed the problem!

Thank you so much for your help!

Dan