VPN Search Domain being added to resolver #1


ramarnath

Posts: 2
Joined: Wed Jun 26, 2019 1:35 am

Post by ramarnath » Wed Jun 26, 2019 1:55 am
This is a strange one, and it seems to be impacting Golang-based programs (compiled with CGO). When I checked the DNS settings, I saw that the VPN private domain has been added to the main resolver, which does not contain the VPN DNS.

How does one set it up so my.vpn search domain is only using the VPN dns? My call to consul fails:
consul monitor -log-level=debug
Error starting monitor: Get http://consul.service.my.vpn:8500/v1/agent/monitor?loglevel=debug: dial tcp: lookup consul.service.my.vpn on 10.xx.10:53: no such host
scutil --dns:
DNS configuration

resolver #1
  search domain[0] : my.vpn
  search domain[1] : my.home
  nameserver[0] : 10.xx.10
  nameserver[1] : 10.xx.2
  if_index : 23 (en8)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : my.vpn
  nameserver[0] : 172.xx.5
  nameserver[1] : 172.xx.6
  nameserver[2] : 172.xx.5
  flags    : Supplemental, Request A records
  reach    : 0x00000002 (Reachable)
  order    : 101200

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : my.home
  nameserver[0] : 10.xx.10
  nameserver[1] : 10.xx.2
  if_index : 23 (en8)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  search domain[0] : my.vpn
  nameserver[0] : 10.xx.10
  nameserver[1] : 10.xx.2
  if_index : 9 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #3
  search domain[0] : my.vpn
  nameserver[0] : 172.xx.5
  nameserver[1] : 172.xx.6
  nameserver[2] : 172.xx.5
  if_index : 20 (utun10)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)

James

Posts: 2312
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Thu Jun 27, 2019 12:45 pm
Hi ramarnath,

There is something odd with your setup. Basically, the "DNS configuration (for scoped queries)" is the section to pay attention to: it would seem to imply that "my.vpn" is set as a search domain on the "en0" adapter on your computer. This is usually the Wi-Fi interface on Macs without an Ethernet port, or the Ethernet interface on Macs that have a built-in Ethernet port. Go to the Apple Menu->System Preferences->Select the Interface->Advanced->DNS and remove the Search Domain from the list.

If you haven't added this domain yourself, you may have used a different OpenVPN client in the past. It's not uncommon for many of the "less advanced" OpenVPN clients out there to alter the network settings on the real network interfaces of your computer in an effort to set DNS etc. Viscosity does not do this.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

ramarnath

Posts: 2
Joined: Wed Jun 26, 2019 1:35 am

Post by ramarnath » Tue Jul 02, 2019 2:49 am
There are two adapters connected: one is the Ethernet port on the Thunderbolt display, and the other is the Wi-Fi.

One of the first things I checked was whether this was set in the system config, but it is not set in the settings. I don't have any other OpenVPN clients running other than Viscosity.

The smoking gun seems to be that these dns settings disappear when I disconnect from Viscosity.

ikappas

Posts: 7
Joined: Wed Mar 07, 2018 7:43 am

Post by ikappas » Thu Feb 18, 2021 10:24 pm
@James

I have run into the same situation while connecting to a VPN: the VPN-defined search domains are pushed to resolver #1 in addition to the ones from DHCP, along with an additional resolver entry #2 whose domain entry points to the VPN DNS server.

So scutil --dns shows:
DNS configuration

resolver #1
  search domain[0] : domain.vpn (actual domain hidden) <------ This entry should probably not be here
  search domain[1] : domain.dhcp (actual domain hidden)
  nameserver[0] : 192.168.1.1
  nameserver[1] : 192.168.1.2
  if_index : 13 (en9)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : domain.vpn (actual domain hidden)
  nameserver[0] : 10.0.0.1
  flags    : Supplemental, Request A records
  reach    : 0x00000002 (Reachable)
  order    : 102400

...

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : domain.dhcp
  nameserver[0] : 192.168.1.1
  nameserver[1] : 192.168.1.2
  if_index : 13 (en9)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  search domain[0] : domain.vpn
  nameserver[0] : 10.0.0.1
  if_index : 22 (utun10)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)
This results in the DNS query being routed to resolver #1 instead of to resolver #2, where it fails.

The domain.vpn entry in resolver #1 is cleared upon Viscosity disconnect.

I am on a MacBook Pro 16 / macOS 11.2.1 / Viscosity 1.9.2 (1565) with Wi-Fi off and a CalDigit TS3 Thunderbolt dock connected to the LAN.

ikappas

Posts: 7
Joined: Wed Mar 07, 2018 7:43 am

Post by ikappas » Fri Feb 19, 2021 8:19 pm
@James

Just installed 1.9.3b1 (1566) and the issue is still there.

James

Posts: 2312
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Feb 19, 2021 8:28 pm
Hi ikappas,
I have run into the same situation while connecting to a VPN: the VPN-defined search domains are pushed to resolver #1 in addition to the ones from DHCP, along with an additional resolver entry #2 whose domain entry points to the VPN DNS server.
This is correct behaviour and not a cause of any Split DNS problems. I'm including a reply below from another thread:
This is normal and expected. The important part to look at for Split DNS is the "DNS configuration (for scoped queries)" section. This is the section that indicates what DNS server will be associated with what domain/s. From your output, any subdomains of "my.domain" will use the "192.168.0.2" DNS server.

If you're wondering what the domains listed in the "DNS configuration" section mean, they indicate what suffixes macOS will try if a single label is entered. For example, if you try to resolve simply "exampleserver" (and that fails), macOS will then try "exampleserver.my.domain" (and keep trying any other search domains listed). The default/first resolver will always have all search domains listed (but again, this isn't used for Split DNS).
Cheers,
James

ikappas

Posts: 7
Joined: Wed Mar 07, 2018 7:43 am

Post by ikappas » Fri Feb 19, 2021 9:18 pm
@ James

Thank you for your swift response.

If that is the case, there is something else going on with DNS resolution, as the nslookup/dig/route utilities resolve the DNS info from domain.dhcp instead of domain.vpn on a server.domain.vpn query?

Attached is a screenshot with DNS configuration on the connection
Attachment: Screenshot 2021-02-19 at 12.22.26 PM.png

ikappas

Posts: 7
Joined: Wed Mar 07, 2018 7:43 am

Post by ikappas » Fri Feb 19, 2021 9:27 pm
PS:

1. I have tried various combinations with DNS cache flushing in between.
2. Also, connecting to the servers by IP directly works fine.
3. Don't know if it is relevant, but I have dnsmasq installed via brew, with 127.0.0.1 for *.test DNS resolution in the /etc/resolver/test file, which is displayed in the DNS configuration section as:
...
resolver #8
  domain   : test
  nameserver[0] : 127.0.0.1
  flags    : Request A records, Request AAAA records
  reach    : 0x00030002 (Reachable,Local Address,Directly Reachable Address)

James

Posts: 2312
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Feb 19, 2021 9:46 pm
If that is the case, there is something else going on with DNS resolution, as the nslookup/dig/route utilities resolve the DNS info from domain.dhcp instead of domain.vpn on a server.domain.vpn query?
Please see the following regarding the use of nslookup, dig, and host:
https://www.sparklabs.com/support/kb/ar ... unix-users

Instructions for looking up a domain name can be found at:
https://www.sparklabs.com/support/kb/ar ... omain-name

Cheers,
James

ikappas

Posts: 7
Joined: Wed Mar 07, 2018 7:43 am

Post by ikappas » Fri Feb 19, 2021 9:57 pm
@ James

Thank you for your help.

I was able to resolve the issue: it was a misconfiguration of the IP (10.0.0.1) instead of the VPN IP (10.0.1.0), which happened to be the same h/w router.

Also, on macOS I was unaware that
nslookup host.domain.vpn 
shows different results than
dscacheutil -q host -a name host.domain.vpn
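The following Python is an added example, not code from this thread, from Viscosity or from Apple. It models the two resolution paths James describes and that ikappas ran into: resolver #1 of the "DNS configuration" section, which /etc/resolv.conf mirrors and which is therefore all that nslookup, dig and host consult, versus the per-domain (Supplemental) resolver that the system resolver path used by dscacheutil and getaddrinfo routes to. It parses a constructed scutil --dns sample modelled on the outputs posted above (placeholder addresses and domains, including a scoped en0 resolver that wrongly lists the VPN domain as a search domain, as in the first post) and includes the check James asks for in his first reply. The longest-suffix selection is a simplified model of mDNSResponder's behaviour (an assumption), not its actual code.

```python
"""Model macOS nameserver selection from scutil --dns output. Constructed sample
(placeholder IPs/domains) modelled on the outputs posted in this thread."""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE = """\
DNS configuration

resolver #1
  search domain[0] : domain.vpn
  search domain[1] : domain.dhcp
  nameserver[0] : 192.168.1.1
  nameserver[1] : 192.168.1.2
  if_index : 13 (en9)
  flags    : Request A records

resolver #2
  domain   : domain.vpn
  nameserver[0] : 10.0.0.1
  flags    : Supplemental, Request A records

resolver #3
  domain   : test
  nameserver[0] : 127.0.0.1

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : domain.vpn
  nameserver[0] : 192.168.1.1
  if_index : 9 (en0)

resolver #2
  search domain[0] : domain.vpn
  nameserver[0] : 10.0.0.1
  if_index : 22 (utun10)
"""

Resolver = Dict[str, object]
# "search domain[0] : x", "nameserver[1] : x", "if_index : 13 (en9)", "domain : x"
_KV = re.compile(r"^\s*([\w ]+?)(?:\[\d+\])?\s*:\s*(.*?)\s*$")

def parse_scutil_dns(text: str) -> Tuple[List[Resolver], List[Resolver]]:
    """Return (global resolvers, scoped resolvers); flags/reach/order are ignored."""
    out: Dict[str, List[Resolver]] = {"global": [], "scoped": []}
    section, cur = "global", None
    for line in text.splitlines():
        if line.startswith("DNS configuration (for scoped queries)"):
            section, cur = "scoped", None
        elif line.startswith("resolver #"):
            cur = {"search_domains": [], "nameservers": [], "domain": None, "interface": None}
            out[section].append(cur)
        elif cur is not None and (m := _KV.match(line)):
            key, value = m.group(1).strip(), m.group(2)
            if key == "search domain":
                cur["search_domains"].append(value)
            elif key == "nameserver":
                cur["nameservers"].append(value)
            elif key == "domain":
                cur["domain"] = value
            elif key == "if_index":  # "13 (en9)" -> "en9"
                found = re.search(r"\((\w+)\)", value)
                cur["interface"] = found.group(1) if found else None
    return out["global"], out["scoped"]

def _is_suffix(name: str, domain: str) -> bool:
    """Label-boundary test: host.domain.vpn matches domain.vpn, host.domain.vpnx does not."""
    n, d = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return n == d or n.endswith("." + d)

def default_nameservers(global_resolvers: List[Resolver]) -> List[str]:
    """Resolver #1 is what /etc/resolv.conf mirrors, so it is all that nslookup, dig
    and host consult; no per-domain routing happens on this path."""
    return list(global_resolvers[0]["nameservers"])

def system_nameservers(fqdn: str, global_resolvers: List[Resolver]) -> Tuple[List[str], Optional[str]]:
    """System resolver path (dscacheutil, getaddrinfo): the Supplemental resolver whose
    `domain` is the longest suffix of the query wins, else resolver #1. Simplified model."""
    best_domain, best_ns = "", None
    for r in global_resolvers[1:]:
        d = r["domain"]
        if d and _is_suffix(fqdn, d) and len(d) > len(best_domain):
            best_domain, best_ns = d, list(r["nameservers"])
    return (best_ns, best_domain) if best_ns else (default_nameservers(global_resolvers), None)

def search_expansions(name: str, global_resolvers: List[Resolver]) -> List[str]:
    """Names tried for a single-label query: the bare label, then label + each search domain."""
    if "." in name.strip("."):
        return [name]
    return [name] + [f"{name}.{d}" for d in global_resolvers[0]["search_domains"]]

def stray_vpn_search_domains(vpn_domain: str, scoped_resolvers: List[Resolver]) -> List[str]:
    """Non-tunnel interfaces whose scoped resolver lists the VPN domain as a search domain."""
    return [r["interface"] for r in scoped_resolvers
            if vpn_domain in r["search_domains"]
            and r["interface"] and not str(r["interface"]).startswith("utun")]
```

Run `parse_scutil_dns` over the real `scutil --dns` output: if `default_nameservers` returns only the LAN servers while `system_nameservers("host.domain.vpn", ...)` returns the tunnel server, nslookup/dig failing while dscacheutil succeeds is the expected split-DNS behaviour rather than a bug; a non-empty result from `stray_vpn_search_domains` is the en0 misconfiguration James describes and is worth fixing in the interface's DNS settings.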