Configuring DNS and WINS settings

Viscosity allows you to easily specify DNS and WINS servers, along with corresponding DNS domains, to use while connected to your VPN connection. Once you are connected these settings will automatically override your normal DNS settings. Once you disconnect your normal settings will be automatically restored.

What are DNS and WINS?

The Domain Name System (DNS) allows your computer to automatically convert human-readable domains to computer-readable IP addresses. For example, when you type www.sparklabs.com.au into your web browser your computer will automatically ask your DNS server to convert this to an IP address it can use. Your DNS server should return the IP address of our server, and then your computer will contact the server using the IP address. Without a DNS server, or if the DNS server can't be reached, you may be unable to browse the web or access other computers.

The Windows Internet Name Service (WINS) is similar to DNS, however it is typically used to allow you to connect to Windows-based computers, servers, and some printers using the computer's name (instead of having to use its IP address). If you can't access Windows computers on the remote VPN network by name, but you can by IP address, then you'll probably need to specify a WINS server.

DNS Security

If you use Viscosity to ensure your security and privacy on untrusted networks you should make sure you have specified a DNS server to use while connected. If you do not have a DNS server specified your computer may try to automatically use a DNS server on the network you are connected to, rather than access one through the VPN connection. This means an attacker could potentially identify what websites/servers you are contacting, or redirect you to fake websites, even if they can't view the actual network traffic. This is known as DNS leakage.

If you'd like to specify a DNS server to use, but don't wish to set up a DNS server yourself, you may like to use OpenDNS's or Google's public DNS servers:

OpenDNS Public DNS Servers

  • 208.67.222.222
  • 208.67.220.220

Google Public DNS Servers

  • 8.8.8.8
  • 8.8.4.4

In most cases your VPN provider will be remotely setting a DNS server for Viscosity to use. However, if you are unsure, or are connecting to an OpenVPN server you have configured yourself, you should be aware of this issue.

Specifying DNS Servers In Viscosity

Viscosity allows you to specify DNS servers for each connection along with (optionally) corresponding DNS domains. This can be done easily like so:

  1. Open Viscosity's Preferences window
  2. Select your connection from the list and click the Edit button
  3. Click on the Networking tab



  4. Select the DNS mode to use. Automatic is the recommended mode. Please see the section below for more information about the available DNS modes.
  5. Enter your DNS server/s into the "DNS Servers" field. If you have more than one DNS server, separate each server using a space (" ") or a comma (",").
  6. Enter your DNS domains to use into the "Domains" field, or leave this field blank if you don't have any. Separate multiple domains with a space or comma.
  7. Click Save

Specifying WINS Servers In Viscosity

Viscosity also supports WINS servers. These must be set using the relevant OpenVPN command, rather than through the user interface, like so:

  1. Open Viscosity's Preferences window
  2. Select your connection from the list and click the Edit button
  3. Click on the Advanced tab



  4. Enter the command "dhcp-option WINS x.x.x.x" (without quotes) on a new line in the configuration command section. Replace x.x.x.x with the IP address of your WINS server.
  5. If you have multiple WINS servers, repeat the above step for each server
  6. Click Save

Pushing DNS/WINS Settings From The Server

It's also possible to inform Viscosity of DNS servers, WINS servers, and domains to use from the server's end by "pushing" out the relevant "dhcp-option" commands. This has the advantage of allowing the VPN administrator to change these settings (if required) without having to manually update them in each copy of Viscosity.

Push DNS Servers

To push out DNS settings from the server, the following command can be entered into the OpenVPN configuration file. Replace x.x.x.x with the IP address of the DNS server to use. Multiple push commands can be used to push more than one DNS server.

push "dhcp-option DNS x.x.x.x"

Push DNS Domains

DNS search domains can also be pushed from the server using the following command. Replace example.com with the desired search domain to use. Multiple push commands can be used to push more than one domain.

push "dhcp-option DOMAIN example.com"

Push WINS Servers

WINS servers can be pushed out in a similar fashion to DNS servers. Replace x.x.x.x with the IP address of the WINS server to use. Multiple push commands can be used to push more than one WINS server.

push "dhcp-option WINS x.x.x.x"

DNS Modes

By default Viscosity will make your VPN DNS servers the default for DNS lookups: they will be used to resolve all addresses and override your computer's normal DNS servers. This ensures DNS requests are kept secure by default and don't "leak" outside of your VPN connection.

However there will be instances where this isn't optimal: for example when connecting to a workplace you may also want DNS requests for your office's domain to use the VPN connection's DNS server, while all other requests use your computer's normal DNS servers. This is often called "split-DNS" or "simultaneous-DNS", which Viscosity supports.

Using split-DNS is a simple process: at least one domain must be set for your VPN connection (either set locally or pushed from the VPN server), and Viscosity's support for simultaneous DNS servers must be turned on by ticking the "Apply DNS settings simultaneously" option under Preferences->Advanced.

As of Viscosity 1.6, a new option is available called DNS Mode. This option is accessible by editing your connection and going to the Networking tab. This option replaces the now retired "Apply DNS Simultaneously" option that was previously available via Preferences -> Advanced and affected all connections.

Automatic (Default)

Viscosity will decide which DNS mode to use. This decision is generally made by what traffic is routed over the VPN Tunnel. If all traffic is to be routed over the VPN tunnel, Viscosity will use Full DNS Mode. If only some traffic will be routed over the VPN Tunnel, Viscosity will use Split DNS Mode. This option is suggested for most users and is the default when you create or import a new connection.

Full DNS

Viscosity will set up your Mac or PC so your VPN DNS servers are used for all requests. This option is preferred when all traffic is routed over the VPN Tunnel to ensure consistency of browsing and using applications in this configuration, as well as preventing DNS Leaks when this is required.

Split DNS

Viscosity will set up your Mac or PC so DNS is split. This means that DNS requests are sent to the server which best suits that domain name. For example, if your VPN Server pushes a domain of "sparklabs.com", host names ending in this domain, such as vpn.sparklabs.com, will be resolved by the VPN DNS Server, while all other requests will be resolved by your usual DNS Servers.
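
The split described above can be modelled as a suffix match on whole DNS labels. This is an added example, not Viscosity's own code: the function names are hypothetical, and every sample host name other than vpn.sparklabs.com is constructed for illustration.

```python
def normalize(name):
    """Lower-case a DNS name and drop any trailing root dot."""
    return name.strip().lower().rstrip(".")


def uses_vpn_dns(hostname, vpn_domains):
    """True if hostname equals a VPN domain or is a subdomain of one.

    The match is on whole labels, so 'notsparklabs.com' does not match
    the domain 'sparklabs.com'.
    """
    host = normalize(hostname)
    for domain in map(normalize, vpn_domains):
        if domain and (host == domain or host.endswith("." + domain)):
            return True
    return False


def split_queries(hostnames, vpn_domains):
    """Partition hostnames by which DNS servers would be asked to resolve them."""
    routed = {"vpn": [], "normal": []}
    for name in hostnames:
        key = "vpn" if uses_vpn_dns(name, vpn_domains) else "normal"
        routed[key].append(name)
    return routed


if __name__ == "__main__":
    # Constructed lookups; only the "vpn" group is resolved through the tunnel.
    lookups = ["vpn.sparklabs.com", "notsparklabs.com", "www.example.org"]
    for group, names in split_queries(lookups, ["sparklabs.com"]).items():
        print(group, names)
```

Every name in the "normal" group is resolved by your usual DNS servers, so those lookups are visible to the local network.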

Disable

Viscosity will set up your Mac or PC so it does not use the DNS Servers, Domains or WINS Servers pushed by the VPN Server.

Ignore DNS settings sent by VPN Server

This option ignores any DNS Servers, Domains or WINS Servers pushed by the VPN Server to your computer. Only options you define in your configuration will be used. Enabling this option and not defining any DNS Servers will set up your connection equivalently to the Disable DNS Mode.

Checking Which DNS Servers Are Being Used

The following instructions allow you to determine what DNS servers your computer is using. You can follow these instructions while your VPN connection is active to determine what DNS servers are being set (if any) by the remote VPN server, or to check that your DNS servers (and domains) are being correctly set when the VPN connection is activated.

Mac

  1. Open the Terminal application. This can be found at /Applications/Utilities/Terminal.app
  2. Enter the following command into the window that appears, and then press Return or Enter on your keyboard.
    scutil --dns



  3. Your computer's DNS settings should be displayed (you may have to scroll upwards to view the start). In most cases these details will be listed under "resolver #1". The "nameserver[x]" entries are your DNS servers (where x indicates their order), while the "domain" entries are your DNS search domains.
  4. Quit Terminal from the File menu when finished
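
To check the output described in step 3 automatically, the following added example (not part of the original article or of Viscosity) parses the "resolver #N", "nameserver[x]" and "domain" entries and reports any DNS server that is not one of your VPN's. The sample text is constructed in the layout scutil prints, and the VPN DNS address 10.8.0.1 is an assumption.

```python
import re

# Constructed sample in the layout `scutil --dns` prints; addresses are made up.
SAMPLE = """\
DNS configuration

resolver #1
  search domain[0] : corp.example.com
  nameserver[0] : 10.8.0.1
  nameserver[1] : 192.168.1.1
  flags    : Request A records

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
"""


def parse_scutil_dns(text):
    """Return one dict per 'resolver #N' block: id, nameservers, domains."""
    resolvers = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"resolver #(\d+)$", line)
        if header:
            current = {"id": int(header.group(1)), "nameservers": [], "domains": []}
            resolvers.append(current)
            continue
        if current is None or ":" not in line:
            continue
        # Split on the first colon only, so IPv6 addresses stay intact.
        key, value = (part.strip() for part in line.split(":", 1))
        if key.startswith("nameserver["):
            current["nameservers"].append(value)
        elif key == "domain" or key.startswith("search domain["):
            current["domains"].append(value)
    return resolvers


def unexpected_nameservers(resolvers, vpn_dns):
    """List (resolver id, nameserver) pairs that are not the VPN's DNS servers."""
    return [(r["id"], ns) for r in resolvers
            for ns in r["nameservers"] if ns not in vpn_dns]


if __name__ == "__main__":
    found = parse_scutil_dns(SAMPLE)
    for rid, ns in unexpected_nameservers(found, {"10.8.0.1"}):  # assumed VPN DNS
        print(f"resolver #{rid}: {ns} is not a VPN DNS server")
```

In Split DNS mode a non-VPN nameserver is expected for requests outside the VPN's domains; in Full DNS mode any entry this reports is worth investigating as a possible DNS leak.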

Windows

  1. Open a command prompt. This can be found by going to Start and searching for cmd
  2. Enter the following command into the window that appears, and then press Enter on your keyboard.
    ipconfig -all



  3. Details for each adapter/interface on your PC are displayed. The DNS Servers field lists the DNS servers available for each adapter. This field lists both IPv4 and IPv6 DNS Servers. If your DNS Servers are listed as ::1 or 127.0.0.1, the Viscosity DNS system may be handling DNS for you (for example, for split DNS). Check the log for more information.

Looking Up Or Testing A Domain Name

The following instructions will allow you to manually look up the IP address of a domain name. This is a good way to test that your DNS servers and search domain settings (if appropriate) are working correctly:

Mac

  1. Open the Terminal application. This can be found at /Applications/Utilities/Terminal.app
  2. Enter the following command into the window that appears, replacing "www.sparklabs.com" with the domain name you wish to look up. Press Return or Enter on your keyboard.

    dscacheutil -q host -a name www.sparklabs.com

  3. If the domain was able to be resolved you should see the IP address (or addresses) listed. If the output is blank the domain name could not be resolved.
  4. Quit Terminal from the File menu when finished

Windows

  1. Open a command prompt. This can be found by going to Start and searching for cmd
  2. Enter the following command into the window that appears, replacing www.sparklabs.com with the domain name you wish to look up. Press Enter on your keyboard.

    nslookup www.sparklabs.com

  3. If the domain was able to be resolved you should see the IP address (or addresses) listed, plus the DNS Server which resolved the request. If the domain could not be resolved, you will see an error as to why.

Notes for Linux/Unix Users

Linux/Unix users may be familiar with the resolv.conf file for configuring DNS servers, however this is not used by Mac OS X. Mac OS X instead has a powerful resolver system as part of the System Configuration framework. While a resolv.conf is present, Mac OS X will automatically create a simplified version based upon the resolver system's settings for backwards compatibility with legacy Unix programs.

There are fewer than a handful of legacy Unix programs on the Mac that don't use Mac OS X's resolver system and instead use the resolv.conf file, namely nslookup, dig, and host. Because of this, neither the resolv.conf file nor these commands will give you an accurate picture of what your Mac is doing.

Modern command line tools like "scutil" and "dscacheutil" (as illustrated in the previous sections) should be used to look up DNS records as Mac OS X sees them.

Apple offers the following warning:

The nslookup command does not use the host name and address resolution or the DNS query routing mechanisms used by other processes running on Mac OS X.  The results of name or address queries printed by nslookup may differ from those found by other processes that use the Mac OS X native name and address resolution mechanisms.  The results of DNS queries may also differ from queries that use the Mac OS X DNS routing library.