OpenVPN DNS domain setting not working


AMomchilov

Posts: 4
Joined: Mon Dec 21, 2020 6:24 am

Post by AMomchilov » Mon Dec 21, 2020 6:41 am
Hi there. I'm having some difficulty getting split DNS to work with domains. Could you please help me out?

I can successfully connect myself to my remote router, which runs an OpenVPN server that's available to the internet. It's also a DNS server for the domain etob. When connected, it's reachable at 192.168.1.1, subnet mask is 255.255.0.0. I can reach all of its devices, e.g. Foo, by their hard-coded IP addresses, but I can't reach them by their hostnames, e.g. Foo.etob

To try to remedy this, under "DNS Settings:", I set:
  • Mode: Split DNS (Use VPN DNS for VPN Domains only)
  • Servers: 192.168.1.1 (the remote router)
  • Domains: etob
  • Ignore DNS settings sent by VPN server: ☑️
Despite this, when I try nslookup foo.local, I get:
$ nslookup Foo.etob
Server:		10.0.0.1
Address:	10.0.0.1#53

** server can't find Foo.etob: NXDOMAIN
FYI my local LAN router has IP 10.0.0.1, subnet mask is 255.255.0.0, domain local. So the query is trying to be resolved against my regular router, and obviously fails.

If I manually specify the target DNS server, then it works. However, I expected it to be picked up automatically given the .etob suffix.
nslookup Foo.etob 192.168.1.1

Server:         192.168.1.1
Address:        192.168.1.1#53

Name:   Foo.etob
Address: 192.168.1.31
Indeed, 192.168.1.31 is the correct IP address for Foo.etob. Why isn't the DNS domain being picked up correctly?

For more info, here's the output of scutil --dns, which changes depending on whether or not I'm connected (which makes me think that it should work, and I don't understand why it doesn't).

Here is its output before connection:
DNS configuration

resolver #1
  search domain[0] : local
  nameserver[0] : 10.0.0.1
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #4
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #5
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #6
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #7
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : local
  nameserver[0] : 10.0.0.1
  if_index : 4 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  search domain[0] : local
  nameserver[0] : 8.8.8.8
  nameserver[1] : 8.8.4.4
  if_index : 5 (en1)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)
And after:
DNS configuration

resolver #1
  search domain[0] : etob
  search domain[1] : local
  nameserver[0] : 10.0.0.1
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : etob
  nameserver[0] : 192.168.1.1
  if_index : 14 (vtap0)
  flags    : Supplemental, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)
  order    : 101600

resolver #3
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #4
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #5
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #6
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #7
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #8
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : local
  nameserver[0] : 10.0.0.1
  if_index : 4 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  search domain[0] : local
  nameserver[0] : 8.8.8.8
  nameserver[1] : 8.8.4.4
  if_index : 5 (en1)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)

resolver #3
  search domain[0] : etob
  nameserver[0] : 192.168.1.1
  if_index : 14 (vtap0)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

James

Posts: 2312
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Mon Dec 21, 2020 12:50 pm
Hi AMomchilov,

I'm afraid legacy Unix tools like nslookup can't be used to test Split DNS. Please see:
https://www.sparklabs.com/support/kb/ar ... unix-users

It should also be noted that .local domains are also special domains reserved for mDNS/Bonjour use, and may not function as normal DNS domains correctly. Apple has more information available at:
https://support.apple.com/en-us/HT207511

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

AMomchilov

Posts: 4
Joined: Mon Dec 21, 2020 6:24 am

Post by AMomchilov » Fri Dec 25, 2020 1:10 pm
James wrote (Mon Dec 21, 2020 12:50 pm):
I'm afraid legacy Unix tools like nslookup can't be used to test Split DNS.
Oh interesting, I didn't know that was the case. I did happen to also follow those instructions before, but I forgot to mention it. I ran dscacheutil -q host -a name foo.etob and dscacheutil -q host -a name etob, and both return an empty result. Is that the correct syntax?
James wrote (Mon Dec 21, 2020 12:50 pm):
It should also be noted that .local domains are also special domains reserved for mDNS/Bonjour use, and may not function as normal DNS domains correctly. Apple has more information available at:
https://support.apple.com/en-us/HT207511
Interesting, I didn't know that! I'll go change that right now.

Thanks for taking a look at this, James. Merry Christmas!

James

Posts: 2312
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Mon Jan 04, 2021 3:46 pm
AMomchilov wrote:
Is that the correct syntax?
Yes, it should be.

Often it may be worth checking the logs of the DNS server itself as well: depending on how the server is configured it may not have a record that exactly matches what is being received (e.g. FQDN vs just the subdomain).

Cheers,
James

AMomchilov

Posts: 4
Joined: Mon Dec 21, 2020 6:24 am

Post by AMomchilov » Sat May 15, 2021 1:00 am
Turns out the issue was with dscacheutil. It seems totally inoperative on my version (macOS 11.2.3 Big Sur).
$ sudo dscacheutil -cachedump
Unable to get details from the cache node
I tried using mDNSResponder to dump its data (using the instructions on https://stackoverflow.com/a/38882447/3141234):
$ log stream --predicate 'process == "mDNSResponder"' --info
...
Responder: [com.apple.mDNSResponder:Default] Sending SIGINFO to mDNSResponder daemon is deprecated. To trigger state dump, please use 'dns-sd -O', enter 'dns-sd -h' for more information
Fair enough. Trying to run dns-sd is also a dead end:
$ sudo dns-sd -O
XPC service returns error, description: State dump is only enabled in internal builds
Do you know of any other ways to investigate the current DNS configuration of a Mac?

James

Posts: 2312
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Mon May 17, 2021 4:01 pm
"scutil --dns" will give an accurate picture of what DNS servers will be used and when. There typically isn't any reason to go beyond this.

If for some reason you want to check that the output is accurate, I recommend using Wireshark with a "dns" filter. It'll let you see what requests are going to which DNS servers, the replies, and what they contain.
https://www.wireshark.org

If you're 100% sure your Split DNS setup is correct, you're not using any reserved domains, and you're not using a web browser configured with its own DNS settings (such as forced DoH with a custom address), then the problem is going to lie with the DNS server being used.

Cheers,
James
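To make the two points in James's replies concrete (legacy tools such as nslookup only ever talk to the default resolver, while scutil --dns is the authoritative picture of what the system resolver will do), here is an added example that is not Viscosity's, Apple's or any poster's code. It parses scutil --dns output and predicts which resolver macOS would use for a given name. The sample input is constructed from the "after connection" listing earlier in the thread, trimmed to the relevant resolvers, and the selection rule (a supplemental resolver whose `domain` is the longest matching suffix wins, otherwise the default resolver is used) is a simplified model stated here as an assumption, not a quotation of Apple's implementation.

```python
"""Predict which macOS resolver handles a name, from `scutil --dns` output.

Added example for this thread; not Viscosity's or Apple's code. The matching
rule below is a simplified model (assumption): the resolver with a `domain`
that is the longest suffix match of the queried name wins; if none matches,
the default resolver (the one without a `domain`) is used.
"""
import re

# Constructed sample, trimmed from the "after connection" output in the thread.
SCUTIL_AFTER = """\
DNS configuration

resolver #1
  search domain[0] : etob
  search domain[1] : local
  nameserver[0] : 10.0.0.1
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : etob
  nameserver[0] : 192.168.1.1
  if_index : 14 (vtap0)
  flags    : Supplemental, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)
  order    : 101600

resolver #3
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : local
  nameserver[0] : 10.0.0.1
  if_index : 4 (en0)
  flags    : Scoped, Request A records
"""


def parse_scutil_dns(text):
    """Return the unscoped resolvers as a list of dicts.

    Only the first section is parsed: scoped resolvers apply to queries that
    are explicitly bound to one interface, which normal lookups are not.
    """
    unscoped = text.split("DNS configuration (for scoped queries)")[0]
    resolvers, current = [], None
    for line in unscoped.splitlines():
        m = re.match(r"resolver #(\d+)", line)
        if m:
            current = {"id": int(m.group(1)), "domain": None, "search": [],
                       "nameservers": [], "options": [], "flags": []}
            resolvers.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "domain":
            current["domain"] = value.lower().rstrip(".")
        elif key.startswith("search domain"):
            current["search"].append(value.lower().rstrip("."))
        elif key.startswith("nameserver"):
            current["nameservers"].append(value)
        elif key == "options":
            current["options"] = value.split()
        elif key == "flags":
            current["flags"] = [f.strip() for f in value.split(",")]
    return resolvers


def pick_resolver(resolvers, name):
    """Longest `domain` suffix match on label boundaries; default resolver otherwise."""
    labels = name.lower().rstrip(".").split(".")
    best = None
    for r in resolvers:
        if r["domain"] is None:
            continue
        dl = r["domain"].split(".")
        if len(dl) <= len(labels) and labels[-len(dl):] == dl:
            if best is None or len(dl) > len(best["domain"].split(".")):
                best = r
    if best is None:
        best = next((r for r in resolvers if r["domain"] is None), None)
    return best


def legacy_tool_target(resolvers):
    """Nameserver a tool like nslookup/dig uses: the default resolver's first
    server (what ends up in /etc/resolv.conf), ignoring supplemental resolvers."""
    default = next(r for r in resolvers if r["domain"] is None)
    return default["nameservers"][0]


if __name__ == "__main__":
    rs = parse_scutil_dns(SCUTIL_AFTER)
    for q in ("Foo.etob", "foo.local", "example.com"):
        r = pick_resolver(rs, q)
        via = r["nameservers"] or r["options"]
        print(f"{q:12} -> resolver #{r['id']} via {via}")
    print("nslookup would ask:", legacy_tool_target(rs))
```

Running it shows Foo.etob going to resolver #2 (192.168.1.1), foo.local going to the mDNS resolver rather than any unicast server, and example.com falling through to 10.0.0.1, while the legacy-tool path always reports 10.0.0.1, which is exactly the NXDOMAIN answer seen from nslookup in the first post. When the scutil listing already shows a Supplemental resolver for the domain with the right nameserver, the remaining suspects are the ones James names: a reserved domain, an application with its own DNS settings, or the DNS server's records themselves.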

AMomchilov

Posts: 4
Joined: Mon Dec 21, 2020 6:24 am

Post by AMomchilov » Mon May 17, 2021 11:08 pm
Idk what I did since the last time I looked at this, but I think it resolved and my VPN DNS is being routed perfectly!

Cheers!