Split DNS doesn't work as expected
Got a problem with Viscosity or need help? Ask here!
I'm trying to use the Split DNS feature to resolve hosts in the home network that I connect to through OpenVPN. For the VPN connection I made the following settings:
- Mode: Split DNS
- Servers: 192.168.0.2 (It's a DNS server in my home network and it's accessible)
- Domains: my.domain (Actual name is in "me" root namespace)
- Ignore DNS settings sent by VPN server is checked (just in case, I don't see any difference applying this setting)
Code:
❯ scutil --dns
DNS configuration
resolver #1
search domain[0] : my.domain
nameserver[0] : 192.168.1.1
if_index : 6 (en0)
flags : Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300000
resolver #3
domain : my.domain
nameserver[0] : 192.168.0.2
flags : Supplemental, Request A records
reach : 0x00000002 (Reachable)
order : 103400
resolver #4
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300200
resolver #5
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300400
resolver #6
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300600
resolver #7
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300800
resolver #8
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 301000
DNS configuration (for scoped queries)
resolver #1
nameserver[0] : 192.168.1.1
if_index : 6 (en0)
flags : Scoped, Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
search domain[0] : my.domain
nameserver[0] : 192.168.0.2
if_index : 28 (utun10)
flags : Scoped, Request A records
reach : 0x00000002 (Reachable)

Notice the first item. It was added after connection and it's applied for my domain, but it uses the nameserver in my current network (192.168.1.1). This item was not there before the VPN connection. There are other items that are for my domain and use the correct nameserver (192.168.0.2), but it looks like they are not used. I've tried to use the same configuration in another network with the same result: the first item for my internal domain uses the current network's nameserver instead of the nameserver in my home network. And this item appears only after I make the VPN connection.
When I try to use "dscacheutil" to resolve a host in my home network, it resolves it to an external IP address instead of the internal one:
Code:
❯ dscacheutil -q host -a name host.my.domain
name: <ddns_host_for_my_network>
alias: host.my.domain
ip_address: <external_ip_address>
Hi shir,
> Notice the first item. It was added after connection and it's applied for my domain but it uses the nameserver in my current network (192.168.1.1).

This is normal and expected. The important part to look at for Split DNS is the "DNS configuration (for scoped queries)" section. This is the section that indicates what DNS server will be associated with what domain/s. From your output any subdomains of "my.domain" will use the "192.168.0.2" DNS server.
If you're wondering what the domains listed in the "DNS configuration" section mean, they indicate what suffixes macOS will try if a single label is entered. For example, if you try and resolve simply "exampleserver" (and that fails), macOS will then try "exampleserver.my.domain" (and keep trying any other search domains listed). The default/first resolver will always have all search domains listed (but again, this isn't used for Split DNS).
> When I try to use "dscacheutil" to resolve a host in my home network it resolves it to an external IP address instead of the internal one:

I recommend you try performing a lookup directly against your server and check whether it returns the expected result through the VPN connection. It may not be responding at all (and so macOS is falling back). Many DNS servers are also configured to return different results depending on whether they consider the DNS lookup internal or external (and yours may consider your VPN network's IP range external).
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
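To make the reply above concrete, here is an added example (not from this thread, and not Viscosity or Apple code) that parses the text `scutil --dns` prints and reports which nameserver(s) a plain A lookup of a hostname would be sent to. It models the rule macOS applies to the unscoped "DNS configuration" list: the unicast resolver whose `domain` is the longest suffix of the name wins, otherwise the default resolver (the one without a `domain`) is used; search domains only extend single-label names and never pick the server. That simplified model, the skipping of the per-interface scoped section, and the trimmed `SAMPLE` built from the output posted above are all assumptions of this example.

```python
"""Which nameserver does macOS associate with a hostname under Split DNS?

Added example, not from the thread. Parses `scutil --dns` output and applies a
simplified longest-matching-suffix rule to the unscoped resolver list.
"""
import subprocess
import sys

# Constructed sample: the poster's `scutil --dns` output above, trimmed.
SAMPLE = """\
DNS configuration
resolver #1
  search domain[0] : my.domain
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)
  flags : Request A records
resolver #2
  domain : local
  options : mdns
  timeout : 5
  order : 300000
resolver #3
  domain : my.domain
  nameserver[0] : 192.168.0.2
  flags : Supplemental, Request A records
  order : 103400
DNS configuration (for scoped queries)
resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)
  flags : Scoped, Request A records
resolver #2
  search domain[0] : my.domain
  nameserver[0] : 192.168.0.2
  if_index : 28 (utun10)
  flags : Scoped, Request A records
"""


def parse_scutil_dns(text):
    """Return the resolvers of the unscoped section as a list of dicts.

    The scoped (per-interface) section is skipped: it serves queries bound to
    a specific interface, not an ordinary lookup from an application.
    """
    resolvers, current, in_scoped = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("DNS configuration"):
            in_scoped = "scoped" in line
            continue
        if in_scoped:
            continue
        if line.startswith("resolver #"):
            current = {"domain": None, "search": [], "nameservers": [],
                       "options": "", "flags": "", "order": 0}
            resolvers.append(current)
            continue
        if current is None or " : " not in line:
            continue
        key, value = (part.strip() for part in line.split(" : ", 1))
        if key == "domain":
            current["domain"] = value.lower().rstrip(".")
        elif key.startswith("search domain["):
            current["search"].append(value.lower().rstrip("."))
        elif key.startswith("nameserver["):
            current["nameservers"].append(value)
        elif key in ("options", "flags"):
            current[key] = value
        elif key == "order":
            current["order"] = int(value)
    return resolvers


def nameservers_for(name, text=SAMPLE):
    """Nameservers a lookup of `name` would use (simplified model).

    Longest matching `domain` suffix wins; a lower `order` breaks ties; mDNS
    entries carry no unicast servers and are skipped; with no match, the
    default resolver (no `domain`) is used.
    """
    name = name.lower().rstrip(".")
    resolvers = parse_scutil_dns(text)
    best = None
    for r in resolvers:
        if "mdns" in r["options"] or not r["nameservers"]:
            continue
        d = r["domain"]
        if d is None or not (name == d or name.endswith("." + d)):
            continue
        if best is None or (len(d), -r["order"]) > (len(best["domain"]), -best["order"]):
            best = r
    if best is None:
        best = next((r for r in resolvers if r["domain"] is None and r["nameservers"]), None)
    return list(best["nameservers"]) if best else []


if __name__ == "__main__":
    # With hostnames as arguments, inspect the live configuration on a Mac;
    # without arguments, use the constructed SAMPLE.
    if len(sys.argv) > 1:
        live = subprocess.run(["scutil", "--dns"], capture_output=True,
                              text=True, check=True).stdout
        for host in sys.argv[1:]:
            print(host, "->", nameservers_for(host, live))
    else:
        for host in ("host.my.domain", "my.domain", "notmy.domain", "example.com"):
            print(host, "->", nameservers_for(host))
```

Run it with `python3 split_dns_check.py host.my.domain` on the Mac while the VPN is up; if it prints the home server for the internal name and the local gateway for everything else, the resolver configuration is correct and the problem lies elsewhere (the server not answering, split-horizon answers, or an application bypassing the system resolver).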
Thanks for the explanation. After your explanation, I figured out that DNS resolution on OS X 11 works very strangely.
If I reset the DNS service by killing mDNSResponder and try to ping my home network host by domain name (regardless of whether I'm connected directly to my home network or through the VPN), I see that it is pinged by the internal IP address:
Code:
❯ sudo killall -HUP mDNSResponder
❯ ping host.my.domain
PING host.my.domain (192.168.0.46): 56 data bytes
64 bytes from 192.168.0.46: icmp_seq=0 ttl=63 time=76.067 ms
64 bytes from 192.168.0.46: icmp_seq=1 ttl=63 time=214.577 ms

And I can open this host in Safari and it uses a local IP address (I can see it in the developer tools).
But if I check the host address with the "dscacheutil" utility, it returns an external IP address, and after that the ping goes to the external IP address too.
Code:
❯ dscacheutil -q host -a name host.my.domain
name: <dynamic-dns-host>
alias: host.my.domain
ip_address: <external-ip>
❯ ping host.my.domain
PING <dynamic-dns-host> (<external-ip>): 56 data bytes
64 bytes from <external-ip>: icmp_seq=0 ttl=64 time=1.702 ms
64 bytes from <external-ip>: icmp_seq=1 ttl=64 time=8.924 ms
64 bytes from <external-ip>: icmp_seq=2 ttl=64 time=8.690 ms

And some time later (about a couple of minutes) Safari opens the host by the external IP address too.
I repeat that this behavior does not depend on whether I'm connected to the home network directly or through a VPN. So it looks like nothing here is related to the Viscosity client. I just added this post for anyone who runs into the same issue.
I found out that this is a known bug on macOS Big Sur. There are plenty of posts with a similar problem:
To whoever is interested in this.
It's not a bug, it's a feature
The issue is that in Big Sur (and iOS 14) Apple introduced support for DNS over HTTPS (DoH) and DNS over TLS (DoT), and some applications (especially those developed by Apple, like Safari) use DoH or DoT to resolve domain names. This ignores the usual DNS resolving configuration and uses only the DNS servers defined somewhere internally. If you still want to use a custom domain resolver, you should add a special profile with the DNS resolver configuration for DoH or DoT.
If you still want to use your own DNS server to resolve hosts in your internal network, just use a domain that cannot be resolved outside your network. For example, I use "my.domain" as external and "l.my.domain" for internal hosts, and "l.my.domain" can be resolved only via the internal DNS server. In this case, everything works as expected.
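The support reply earlier in the thread suggests querying the home DNS server directly, and the post above relies on the internal-only subdomain not resolving anywhere else. Both checks need a query that goes to a chosen server instead of through the system resolver (and therefore not through DoH/DoT). The following is an added example, not code from this thread, Viscosity or Apple: a minimal DNS A query over UDP built with the Python standard library. The server addresses `192.168.0.2` and `1.1.1.1`, the hostname `host.l.my.domain`, and the two sample packets are assumptions constructed for the example.

```python
"""Query a DNS server directly and compare with a public resolver's answer.

Added example, not from the thread. Minimal DNS A query over UDP using only
the standard library; the sample packets at the bottom are constructed.
"""
import random
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def _encode_name(name):
    """Wire-format a hostname as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qid):
    """Standard query, recursion desired, one question: <name> IN A."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)


def _skip_name(data, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_response(data, expected_id):
    """Return (rcode, [IPv4 addresses from A records]) for a raw DNS response."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("response id does not match the query")
    if not flags & 0x8000:
        raise ValueError("packet is not a response")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):             # skip the echoed question section
        off = _skip_name(data, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, IN class
            addrs.append(".".join(str(b) for b in rdata))
    return rcode, addrs


def resolve_a(name, server, timeout=2.0):
    """Send one A query to `server` on UDP port 53 and parse the reply."""
    qid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, qid)


# Constructed packets (id 0x1234): an answer of 192.168.0.46 for
# host.my.domain, and an NXDOMAIN reply for the same question.
_QUESTION = _encode_name("host.my.domain") + struct.pack("!HH", 1, 1)
SAMPLE_ANSWER = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                 + bytes([192, 168, 0, 46]))
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    import sys
    # Assumed values: the thread's home DNS server and a public resolver.
    name = sys.argv[1] if len(sys.argv) > 1 else "host.l.my.domain"
    for label, server in (("internal", "192.168.0.2"), ("public", "1.1.1.1")):
        try:
            rcode, addrs = resolve_a(name, server)
            print(f"{label:9}{server:15} {RCODE_NAMES.get(rcode, rcode)} {addrs}")
        except (OSError, ValueError) as exc:
            print(f"{label:9}{server:15} no usable answer ({exc})")
```

For the workaround in the post above, the expected output over the VPN is an internal address from `192.168.0.2` and `NXDOMAIN` from the public resolver for the `l.my.domain` name; a timeout on the internal line points at the server not being reachable through the tunnel, and a public address for the same name means the zone is still served externally, so an application that bypasses the split configuration can get it.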