OpenVPN DNS domain setting not working
Got a problem with Viscosity or need help? Ask here!
- Posts: 4
- Joined: Mon Dec 21, 2020 6:24 am
Hi there. I'm having some difficulty getting split DNS to work with domains. Could you please help me out?
I can successfully connect myself to my remote router, which runs an OpenVPN server that's available to the internet. It's also a DNS server for the domain etob. When connected, it's reachable at 192.168.1.1, subnet mask is 255.255.0.0. I can reach all of its devices, e.g.Foo, by their hard-coded IP addresses, but I can't reach them by their hostnames, e.g. Foo.etob
To try to remedy this, under "DNS Settings:", I set:
- Mode: Split DNS (Use VPN DNS for VPN Domains only)
- Servers: 192.168.1.1 (the remote router)
- Domains: etob
- Ignore DNS settings sent by VPN server:
$ nslookup Foo.etob
Server: 10.0.0.1
Address: 10.0.0.1#53
** server can't find Foo.etob: NXDOMAIN

FYI my local LAN router has IP 10.0.0.1, subnet mask is 255.255.0.0, domain local. So the query is trying to be resolved against my regular router, and obviously fails.
If I manually specify the target DNS server, then it works. However, I expected it to be picked up automatically given the .etob suffix.
nslookup Foo.etob 192.168.1.1
Server: 192.168.1.1
Address: 192.168.1.1#53
Name: Foo.etob
Address: 192.168.1.31

Indeed, 192.168.1.31 is the correct IP address for Foo.etob. Why isn't the DNS domain being picked up correctly?
For more info, here's the output of scutil --dns, which changes depending on whether or not I'm connected (which makes me think that it should work, and I don't understand why it doesn't).
Here is its output before connection:
DNS configuration
resolver #1
search domain[0] : local
nameserver[0] : 10.0.0.1
if_index : 4 (en0)
flags : Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300000
resolver #3
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300200
resolver #4
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300400
resolver #5
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300600
resolver #6
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300800
resolver #7
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 301000
DNS configuration (for scoped queries)
resolver #1
search domain[0] : local
nameserver[0] : 10.0.0.1
if_index : 4 (en0)
flags : Scoped, Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
search domain[0] : local
nameserver[0] : 8.8.8.8
nameserver[1] : 8.8.4.4
if_index : 5 (en1)
flags : Scoped, Request A records
reach : 0x00000002 (Reachable)

And after:

DNS configuration
resolver #1
search domain[0] : etob
search domain[1] : local
nameserver[0] : 10.0.0.1
if_index : 4 (en0)
flags : Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
domain : etob
nameserver[0] : 192.168.1.1
if_index : 14 (vtap0)
flags : Supplemental, Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)
order : 101600
resolver #3
domain : local
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300000
resolver #4
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300200
resolver #5
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300400
resolver #6
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300600
resolver #7
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300800
resolver #8
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 301000
DNS configuration (for scoped queries)
resolver #1
search domain[0] : local
nameserver[0] : 10.0.0.1
if_index : 4 (en0)
flags : Scoped, Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
search domain[0] : local
nameserver[0] : 8.8.8.8
nameserver[1] : 8.8.4.4
if_index : 5 (en1)
flags : Scoped, Request A records
reach : 0x00000002 (Reachable)
resolver #3
search domain[0] : etob
nameserver[0] : 192.168.1.1
if_index : 14 (vtap0)
flags : Scoped, Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)
Hi AMomchilov,
I'm afraid legacy Unix tools like nslookup can't be used to test Split DNS. Please see:
https://www.sparklabs.com/support/kb/ar ... unix-users
It should also be noted that .local domains are also special domains reserved for mDNS/Bonjour use, and may not function as normal DNS domains correctly. Apple has more information available at:
https://support.apple.com/en-us/HT207511
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
- Posts: 4
- Joined: Mon Dec 21, 2020 6:24 am
James wrote (Mon Dec 21, 2020 12:50 pm): I'm afraid legacy Unix tools like nslookup can't be used to test Split DNS.

Oh interesting, I didn't know that was the case. I did happen to also follow those instructions before, but I forgot to mention it. I ran dscacheutil -q host -a name foo.etob and dscacheutil -q host -a name etob, and both return an empty result. Is that the correct syntax?

James wrote (Mon Dec 21, 2020 12:50 pm): It should also be noted that .local domains are also special domains reserved for mDNS/Bonjour use, and may not function as normal DNS domains correctly. Apple has more information available at:
https://support.apple.com/en-us/HT207511

Interesting, I didn't know that! I'll go change that right now.

Thanks for taking a look at this, James. Merry Christmas!
AMomchilov wrote: Is that the correct syntax?

Yes, it should be.
Often it may be worth checking the logs of the DNS server itself as well: depending on how the server is configured it may not have a record that exactly matches what is being received (e.g. FQDN vs just the subdomain).
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
- Posts: 4
- Joined: Mon Dec 21, 2020 6:24 am
Turns out the issue was with dscacheutil. It seems totally inoperative on my version (macOS 11.2.3 Big Sur).
$ sudo dscacheutil -cachedump
Unable to get details from the cache node

I tried using mDNSResponder to dump its data (using the instructions on https://stackoverflow.com/a/38882447/3141234):

$ log stream --predicate 'process == "mDNSResponder"' --info
...
Responder: [com.apple.mDNSResponder:Default] Sending SIGINFO to mDNSResponder daemon is deprecated. To trigger state dump, please use 'dns-sd -O', enter 'dns-sd -h' for more information

Fair enough. Going to run dns-sd is a dead end, also:

$ sudo dns-sd -O
XPC service returns error, description: State dump is only enabled in internal builds

Do you know of any other ways to investigate the current DNS configuration of a Mac?
"scutil --dns" will give an accurate picture of what DNS servers will be used and when. There typically isn't any reason to go beyond this.
If for some reason you want to check that the output is accurate, I recommend using Wireshark with a "dns" filter. It'll let you see what requests are going to which DNS servers, the replies, and what they contain.
https://www.wireshark.org
If you're 100% sure your Split DNS setup is correct, you're not using any reserved domains, and you're not using a web browser configured with its own DNS settings (such as forced DoH with a custom address), then the problem is going to lie with the DNS server being used.
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
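As an added example (not code from this thread or from Viscosity), here is a small Python model of the per-query resolver choice that scutil --dns describes and that nslookup bypasses: the resolver whose domain is the longest suffix of the queried name wins, otherwise the default resolver (the one with no domain line) is used, and a domain handled by mDNS gets no unicast server at all. It parses a constructed, trimmed copy of the "after connecting" dump from the first post; search-domain expansion of bare names like Foo is an assumption left out of the model.

```python
# Added example (not code from the thread or from Viscosity): a model of the
# per-query resolver choice that `scutil --dns` reflects and nslookup bypasses.
SCUTIL_AFTER = """\
DNS configuration
resolver #1
search domain[0] : etob
nameserver[0] : 10.0.0.1
resolver #2
domain : etob
nameserver[0] : 192.168.1.1
resolver #3
domain : local
options : mdns
DNS configuration (for scoped queries)
"""  # constructed: trimmed from the "after connecting" dump in the post


def parse_scutil(text):
    """Resolvers of the first (non-scoped) section, as dicts."""
    resolvers, cur = [], None
    for line in text.splitlines():
        if line.startswith("DNS configuration (for scoped queries)"):
            break  # scoped entries apply only to interface-bound queries
        if line.startswith("resolver #"):
            cur = {"domain": None, "nameservers": [], "mdns": False}
            resolvers.append(cur)
        elif cur is not None and " : " in line:
            key, value = (s.strip() for s in line.split(" : ", 1))
            if key == "domain":
                cur["domain"] = value.lower().rstrip(".").split(".")
            elif key.startswith("nameserver["):
                cur["nameservers"].append(value)
            elif key == "options" and "mdns" in value:
                cur["mdns"] = True  # answered by mDNS/Bonjour, not unicast DNS
    return resolvers


def pick_resolver(hostname, resolvers):
    """(nameservers, note) for a FQDN; search-domain expansion of bare names is not modelled."""
    labels = hostname.lower().rstrip(".").split(".")
    default = next((r for r in resolvers if r["domain"] is None), None)
    matches = [r for r in resolvers
               if r["domain"] is not None and labels[-len(r["domain"]):] == r["domain"]]
    chosen = max(matches, key=lambda r: len(r["domain"]), default=default)
    if chosen is None:
        return [], "no resolver configured"
    if chosen["mdns"]:
        return [], "domain is reserved for mDNS/Bonjour; no unicast DNS server is queried"
    return chosen["nameservers"], None
```

Running pick_resolver("Foo.etob", parse_scutil(SCUTIL_AFTER)) selects 192.168.1.1, which is the answer the system resolver would use while nslookup, talking to 10.0.0.1 directly, returns NXDOMAIN as in the post.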
- Posts: 4
- Joined: Mon Dec 21, 2020 6:24 am
Idk what I did since the last time I looked at this, but I think it resolved and my VPN dns is being routed perfectly!
Cheers!