Split DNS doesn't work as expected


shir

Posts: 4
Joined: Thu Feb 18, 2021 6:59 pm

Post by shir » Thu Feb 18, 2021 7:30 pm
I'm trying to use the Split DNS feature to resolve hosts in the home network to which I connect through OpenVPN. For the VPN connection I made the following settings:
  • Mode: Split DNS
  • Servers: 192.168.0.2 (It's a DNS server in my home network and it's accessible)
  • Domains: my.domain (Actual name is in "me" root namespace)
  • Ignore DNS settings sent by VPN server is checked (just in case; I don't see any difference when applying this setting)
But when I'm connected, the "scutil --dns" command shows the following:
❯ scutil --dns
DNS configuration

resolver #1
  search domain[0] : my.domain
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : my.domain
  nameserver[0] : 192.168.0.2
  flags    : Supplemental, Request A records
  reach    : 0x00000002 (Reachable)
  order    : 103400

resolver #4
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #5
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #6
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #7
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #8
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  search domain[0] : my.domain
  nameserver[0] : 192.168.0.2
  if_index : 28 (utun10)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)
Notice the first item. It was added after the connection and it applies to my domain, but it uses the nameserver of my current network (192.168.1.1). This item was not there before the VPN connection. There are other items that are for my domain and use the correct nameserver (192.168.0.2), but it looks like they are not used. I've tried the same configuration in another network with the same result: the first item for my internal domain uses the current network's nameserver instead of the nameserver in my home network. And this item appears only after I make the VPN connection.

When I try to use "dscacheutil" to resolve a host in my home network, it resolves it to an external IP address instead of the internal one:
❯ dscacheutil -q host -a name host.my.domain
name: <ddns_host_for_my_network>
alias: host.my.domain
ip_address: <external_ip_address>

James

Posts: 2312
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Feb 19, 2021 8:23 pm
Hi shir,
> Notice the first item. It was added after connection and it's applied for my domain but It uses the nameserver in my current network (192.168.1.1).
This is normal and expected. The important part to look at for Split DNS is the "DNS configuration (for scoped queries)" section. This is the section that indicates what DNS server will be associated with what domain(s). From your output, any subdomains of "my.domain" will use the "192.168.0.2" DNS server.

If you're wondering what the domains listed in the "DNS configuration" section mean, they indicate what suffixes macOS will try if a single label is entered. For example, if you try to resolve simply "exampleserver" (and that fails), macOS will then try "exampleserver.my.domain" (and keep trying any other search domains listed). The default/first resolver will always have all search domains listed (but again, this isn't used for Split DNS).
> When I try to use "dscacheutil" to resolve host in my home network it resolves it to an external IP address instead of internal:
I recommend you try performing a lookup directly against your server and check whether it returns the expected result through the VPN connection. It may not be responding at all (and so macOS is falling back). Many DNS servers are also configured to return different results depending on whether it considers the DNS lookup internal or external (and it may consider your VPN network's IP range external).

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

shir

Posts: 4
Joined: Thu Feb 18, 2021 6:59 pm

Post by shir » Fri Feb 19, 2021 10:57 pm
Thanks for the explanation. After your explanation, I figured out that DNS resolution on OS X 11 works very strangely.

If I reset the DNS service by killing mDNSResponder and try to ping my home network host by domain name (regardless of whether I'm connected directly to my home network or through the VPN), I see that it is pinged by its internal IP address:
❯ sudo killall -HUP mDNSResponder

❯ ping host.my.domain
PING host.my.domain (192.168.0.46): 56 data bytes
64 bytes from 192.168.0.46: icmp_seq=0 ttl=63 time=76.067 ms
64 bytes from 192.168.0.46: icmp_seq=1 ttl=63 time=214.577 ms
And I can open this host in Safari and it uses the local IP address (I can see it in the developer tools).

But if I check the host address with the "dscacheutil" utility, it returns the external IP address, and after that ping uses the external IP address too.
❯ dscacheutil -q host -a name host.my.domain
name: <dynamic-dns-host>
alias: host.my.domain
ip_address: <external-ip>

❯ ping host.my.domain
PING <dynamic-dns-host> (<external-ip>): 56 data bytes
64 bytes from <external-ip>: icmp_seq=0 ttl=64 time=1.702 ms
64 bytes from <external-ip>: icmp_seq=1 ttl=64 time=8.924 ms
64 bytes from <external-ip>: icmp_seq=2 ttl=64 time=8.690 ms
And some time later (about a couple of minutes) Safari opens the host by its external IP address too.

I repeat that this behavior does not depend on whether I'm connected to the home network directly or through a VPN. So it looks like there is nothing related to the Viscosity client. I just added this post for anyone who meets the same issue.

shir

Posts: 4
Joined: Thu Feb 18, 2021 6:59 pm

Post by shir » Fri Feb 19, 2021 11:17 pm
I found out that this is a known bug on macOS Big Sur. There are plenty of posts with a similar problem:

shir

Posts: 4
Joined: Thu Feb 18, 2021 6:59 pm

Post by shir » Tue Mar 02, 2021 9:18 pm
To whoever is interested in this.

It's not a bug, it's a feature :mrgreen:

The issue is that in Big Sur (and iOS 14) Apple introduced support for DNS over HTTPS (DoH) and DNS over TLS (DoT), and some applications (especially those developed by Apple, like Safari) use DoH or DoT to resolve domain names. This ignores the usual DNS resolution configuration and uses only the DNS servers defined somewhere internally. If you still want to use a custom domain resolver, you should add a special profile with a DNS resolver configuration for DoH or DoT.

If you still want to use your own DNS server to resolve hosts in your internal network, just use a domain that cannot be resolved outside your network. For example, I use "my.domain" externally and "l.my.domain" for internal hosts, and "l.my.domain" can be resolved only via the internal DNS server. In this case, everything works as expected.
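A diagnostic that follows James's advice (read the resolver sections of "scutil --dns" to see which server a domain is mapped to, then compare a lookup sent straight to the home server with what the system resolver returns) and shir's later finding that the system resolver can answer differently from the configured server. This is an added example, not code from the thread or from Viscosity: the function names are this example's own, the embedded scutil text is constructed from the output posted above, and the live check assumes a Mac where dig is available and the home DNS server (192.168.0.2 in the thread) is reachable over the tunnel.

```shell
#!/bin/sh
# Added example (not from the thread or from Viscosity): inspect which resolver
# macOS will use for a split-DNS domain, based on the layout of `scutil --dns`.
# Function names and the constructed sample below are this example's own.

# Turn `scutil --dns` output (stdin) into one tab-separated record per resolver:
#   section  index  match-domain  search-domain  nameserver  interface  flags
parse_scutil_dns() {
  awk '
    function flush() {
      if (idx != "")
        printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\n",
               (scoped ? "scoped" : "main"), idx, dom, srch, ns, iface, flags
      idx = ""
    }
    /^DNS configuration \(for scoped queries\)/ { flush(); scoped = 1 }
    /^resolver #/ { flush(); idx = $2; dom = srch = ns = iface = flags = "-" }
    /^ *search domain\[0\] *:/ { sub(/^[^:]*: */, ""); srch = $0 }
    /^ *domain *:/             { sub(/^[^:]*: */, ""); dom = $0 }
    /^ *nameserver\[0\] *:/    { sub(/^[^:]*: */, ""); ns = $0 }
    /^ *if_index *:/           { iface = $NF; gsub(/[()]/, "", iface) }
    /^ *flags *:/              { sub(/^[^:]*: */, ""); flags = $0 }
    END { flush() }
  '
}

# Print the nameserver that DOMAIN (and its subdomains) is mapped to.
# Both sections can carry the mapping: a "Supplemental" resolver keyed on
# DOMAIN in the main section, or a scoped resolver on a tunnel (utun*)
# interface whose search domain is DOMAIN, the section James points to.
# Prints nothing if neither exists, i.e. lookups go to the default server.
split_dns_nameserver() {
  parse_scutil_dns | awk -F'\t' -v d="$1" '
    $1 == "main"   && $3 == d && $7 ~ /Supplemental/ { supp = $5 }
    $1 == "scoped" && $4 == d && $6 ~ /^utun/        { scop = $5 }
    END { if (supp != "") print supp; else if (scop != "") print scop }
  '
}

# Succeed only if DOMAIN is routed to EXPECTED_NS (the server set in Viscosity).
check_split_dns() {
  [ "$(split_dns_nameserver "$1")" = "$2" ]
}

# Constructed sample, trimmed from the scutil output posted in this thread.
SAMPLE_SCUTIL=$(cat <<'EOF'
DNS configuration

resolver #1
  search domain[0] : my.domain
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records

resolver #3
  domain   : my.domain
  nameserver[0] : 192.168.0.2
  flags    : Supplemental, Request A records
  reach    : 0x00000002 (Reachable)
  order    : 103400

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)
  flags    : Scoped, Request A records

resolver #2
  search domain[0] : my.domain
  nameserver[0] : 192.168.0.2
  if_index : 28 (utun10)
  flags    : Scoped, Request A records
EOF
)

# On a Mac: show the resolver records for DOMAIN, then compare a lookup sent
# straight to the home server over the tunnel with what the system resolver
# (the path ping and Safari use) returns. Different answers point at the
# server giving view-dependent replies, or at a cached/external answer.
live_check() {
  domain=$1; ns=$2; host=$3
  scutil --dns | parse_scutil_dns | grep -F -- "$domain" || echo "no resolver record for $domain"
  echo "direct @$ns : $(dig +short "@$ns" "$host" A | tr '\n' ' ')"
  echo "system      : $(dscacheutil -q host -a name "$host" | awk '/^ip_address/ {print $2}' | tr '\n' ' ')"
}

# Offline run uses the sample; "sh split_dns_check.sh live my.domain 192.168.0.2 host.my.domain" on a Mac.
if [ "${1:-}" = "live" ]; then
  live_check "$2" "$3" "$4"
else
  printf '%s\n' "$SAMPLE_SCUTIL" | check_split_dns my.domain 192.168.0.2 \
    && echo "my.domain -> 192.168.0.2 (split DNS mapping present)" \
    || echo "my.domain is NOT routed to 192.168.0.2"
fi
```

The parser only reads the fields the thread's output shows (match domain, search domain, nameserver, interface, flags), so it works on the unscoped and scoped sections alike. A successful check_split_dns together with a direct dig answer that differs from the dscacheutil answer is exactly the situation the later posts describe: the mapping is in place, but the answer the applications see did not come from that server.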