DNS not working over VPN
-
@nkaminski
I am using IPsec. I understand that my remote client (a MacBook Pro) is not using the correct DNS servers for queries. I can query the pfSense box explicitly and get the correct answer with dig:
    > dig @10.0.11.1 myserver.mynetwork.org
    ;; ANSWER SECTION:
    myserver.mynetwork.org. 3600 IN A 10.0.11.3
And when I query the laptop's DNS settings with scutil --dns I get:
    DNS configuration (for scoped queries)

    resolver #1
      nameserver[0] : 68.105.28.11
      nameserver[1] : 68.105.29.11
      nameserver[2] : 68.105.28.12
      if_index : 6 (en0)
      flags    : Scoped, Request A records
      reach    : 0x00000002 (Reachable)

    resolver #2
      search domain[0] : mynetwork.org
      nameserver[0] : 10.0.11.1
      nameserver[1] : 68.105.28.14
      nameserver[2] : 68.105.28.13
      if_index : 21 (ipsec0)
      flags    : Scoped, Request A records
      reach    : 0x00000002 (Reachable)
So the nameservers and default domain provided by the VPN server to the Mac are correct, but the Mac isn't using them to correctly direct queries for that domain to the correct name server.
I am baffled. Any ideas?
Cheers, Ben
-
I'm seeing the same thing on my Mac. I've got an IPsec VPN that is providing a DNS server list, but the DNS server is being added as secondary to the host's configured DNS server. Any updates?
-
@ciphergeek Unfortunately I've had no further luck. I wonder if this isn't a Mac OS bug in the way it handles DNS lookups for VPN connections. I haven't had time to run this down any further. If you find something please post here as well.
Cheers!
-
Same thing is happening to me. Any clues or workarounds how to deal with that? Currently I am handing out IPs...
-
I had to roll out this script to users. I haven't tested against Big Sur yet though to see if this is fixed. I guess we should submit to Apple at some point.
    tell application "Terminal"
        try
            -- /etc/resolver/<domain> files add a per-domain resolver; -p keeps
            -- this from failing with an error if the directory already exists
            do shell script "mkdir -p /etc/resolver" with administrator privileges
            do shell script "touch /etc/resolver/secure" with administrator privileges
            -- appends, so re-running adds a duplicate nameserver line
            do shell script "echo nameserver 10.10.10.15 >> /etc/resolver/secure" with administrator privileges
            say "Should be working now!!"
        on error
            say "uh oh, we have a problem"
        end try
    end tell
-
@ciphergeek Thanks for your answer! I manually added the file and in fact it instantly starts showing up:
    $ scutil --dns
    [...]
    resolver #8
      domain   : secure
      nameserver[0] : 192.168.88.1
      flags    : Request A records, Request AAAA records
      reach    : 0x00000003 (Reachable,Transient Connection)
However, the name is still not resolvable without specifically requesting the nameserver:
Let me know if you see anything odd here. Otherwise I'll keep trying to figure this out...
-
Hi. In my case, .secure is an internal domain name I created. Are you trying to get general DNS working or an internal DNS zone?
-
Right, just the internal name resolution is problematic! I mv'ed the "secure"-file to our own internal domain name. Same results.
General DNS is provided by the "host"-connection, which is fine I guess?
    $ nslookup google.com
    Server:   172.20.10.1
    Address:  172.20.10.1#53

    Non-authoritative answer:
    Name:     google.com
    Address:  216.58.206.14

    $ nslookup google.com 192.168.88.1
    Server:   192.168.88.1
    Address:  192.168.88.1#53

    Non-authoritative answer:
    Name:     google.com
    Address:  142.250.185.142
-
What does running "scutil --dns" show?
-
    $ scutil --dns
    DNS configuration

    resolver #1
      nameserver[0] : fe80::c82:13eb:d00f:5f5d%en0
      nameserver[1] : 172.20.10.1
      if_index : 6 (en0)
      flags    : Request A records, Request AAAA records
      reach    : 0x00020002 (Reachable,Directly Reachable Address)

    resolver #2
      domain   : local
      options  : mdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
      reach    : 0x00000000 (Not Reachable)
      order    : 300000

    resolver #3
      domain   : 254.169.in-addr.arpa
      options  : mdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
      reach    : 0x00000000 (Not Reachable)
      order    : 300200

    resolver #4
      domain   : 8.e.f.ip6.arpa
      options  : mdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
      reach    : 0x00000000 (Not Reachable)
      order    : 300400

    resolver #5
      domain   : 9.e.f.ip6.arpa
      options  : mdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
      reach    : 0x00000000 (Not Reachable)
      order    : 300600

    resolver #6
      domain   : a.e.f.ip6.arpa
      options  : mdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
      reach    : 0x00000000 (Not Reachable)
      order    : 300800

    resolver #7
      domain   : b.e.f.ip6.arpa
      options  : mdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
      reach    : 0x00000000 (Not Reachable)
      order    : 301000

    resolver #8
      domain   : mydomain
      nameserver[0] : 192.168.88.1
      flags    : Request A records, Request AAAA records
      reach    : 0x00000002 (Reachable)

    DNS configuration (for scoped queries)

    resolver #1
      nameserver[0] : fe80::c82:13eb:d00f:5f5d%en0
      nameserver[1] : 172.20.10.1
      if_index : 6 (en0)
      flags    : Scoped, Request A records, Request AAAA records
      reach    : 0x00020002 (Reachable,Directly Reachable Address)
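As an added diagnostic (not code from this thread or from Apple), the following parses scutil --dns output in the format posted above and reports which unscoped resolver macOS would consult for a given name: the longest matching per-domain resolver (which is what an /etc/resolver/<domain> file adds), otherwise the default one. SAMPLE_OUTPUT is a constructed, shortened copy of that output.

```python
"""Parse `scutil --dns` output and report which unscoped resolver macOS uses
for a name (added diagnostic example; SAMPLE_OUTPUT is constructed)."""
import re

SAMPLE_OUTPUT = """\
DNS configuration

resolver #1
  nameserver[0] : 172.20.10.1
  reach    : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
  domain   : local
  reach    : 0x00000000 (Not Reachable)
resolver #8
  domain   : mydomain
  nameserver[0] : 192.168.88.1
  reach    : 0x00000002 (Reachable)

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 172.20.10.1
"""

def parse_scutil(text):
    """Unscoped resolvers as dicts: domain (None = default), nameservers,
    reachable. Scoped (interface-bound) resolvers are ignored here."""
    unscoped = text.split("DNS configuration (for scoped queries)")[0]
    resolvers = []
    for block in re.split(r"^resolver #\d+$", unscoped, flags=re.M)[1:]:
        r = {"domain": None, "nameservers": [], "reachable": False}
        for line in block.splitlines():
            key, _, value = (s.strip() for s in line.partition(":"))
            if key.startswith("nameserver["):
                r["nameservers"].append(value)
            elif key == "domain":
                r["domain"] = value.lower()
            elif key == "reach":
                r["reachable"] = "Not Reachable" not in value
        resolvers.append(r)
    return resolvers

def resolver_for(name, resolvers):
    """Longest matching domain suffix wins (the rule an /etc/resolver/<domain>
    file hooks into); with no match, fall back to the default resolver."""
    name = name.lower().rstrip(".")
    matches = [r for r in resolvers if r["domain"] and
               (name == r["domain"] or name.endswith("." + r["domain"]))]
    if not matches:
        return next((r for r in resolvers if r["domain"] is None), None)
    return max(matches, key=lambda r: len(r["domain"]))
```

Run it on the real output (`scutil --dns` piped into a file) to confirm that the VPN domain actually maps to the VPN nameserver rather than to the default resolver.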
-
Sorry man. That's weird. No idea why that isn't working; that looks right if your internal DNS is 172.20.10.1.
-
Actually I am testing the VPN through an iPhone hotspot and that's the DNS/Gateway of the iPhone connection.