Netgate Discussion Forum
    Split DNS on iOS not working

PhYrE
last edited by PhYrE

      Trying to get IKEv2 and have most of it working perfectly. I have everything working really well on Windows 10 with the built-in VPN client (low metric, DNS suffix, restrictive encryption, proper subnet, proper domain resolution with the low DNS suffix). Similarly, the connection works really well on iPhone/iPad, except the issue below. I can ping the various IPs and access Web services on them. I can directly query the DNS servers. There is no issue with IP access over the VPN.

      If I change the Local Network to 0.0.0.0/0, all traffic routes through the VPN and DNS resolution works perfectly. My domain override (set in DNS Resolver) correctly gets the DNS information from the internal server and sends it to the client.

      If I have the Local Network as 172.16.10.0/24 [or tried 172.16.0.0/16 to see if using the full class improves things], DNS resolution does not work for the internal domain on iOS (both iPhone and iPad) but does work on Windows. I can't seem to get iOS to ever obey the internal domain name. I don't use .local as many of the support requests want (I use internaldomain.externaldomain.com as Microsoft recommends for an internal network).

      I want it to either:
      a) send all DNS traffic to the VPN when connected, or
      b) obey the split DNS and send DNS queries for the domains in question to the VPN DNS server.
It seems iOS is disobeying the split DNS domain. The logs seem to correctly reflect split DNS, and the use on Windows seems to support that.

Tried every permutation of:
      * Provide a list of accessible networks to clients
      * Provide a default domain name to clients
      * Provide a list of split DNS domain names to clients
      Tried "opening" a DNS server in the public IP space as my DNS server (instead of one on the VPN internal network in case it wanted it to be publicly accessible)

      Shy of switching over to OpenVPN (which seems to not suffer from this problem when I configure it the same way), does anyone have a solution? I like the integration of IKEv2 in various operating systems (iOS/Windows10) versus using an external client, but not being able to do proper name resolution unless I send all phone traffic to the VPN is frustrating.

Derelict (LAYER 8, Netgate)
last edited by

        I do not know the specific answer but it would not surprise me if the solution was found by configuring the device with a properly-configured profile instead of manually.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

lst_hoe
last edited by
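One form the "properly-configured profile" suggested above could take, as an added example that is not from this thread, from Netgate or from Apple: an iOS/macOS configuration profile for an IKEv2 VPN whose DNS dictionary declares device-side split DNS, so only queries for the internal domain are sent to the VPN resolver. The gateway hostname, identifiers, username, UUIDs and resolver address are placeholders; the internal domain and the 172.16.10.0/24 network are the ones from the question.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Outer wrapper: every .mobileconfig is a Configuration payload -->
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.ikev2-splitdns</string> <!-- placeholder -->
  <key>PayloadUUID</key><string>11111111-2222-4333-8444-555555555555</string> <!-- placeholder -->
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Office IKEv2 (split tunnel + split DNS)</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadIdentifier</key><string>com.example.ikev2-splitdns.vpn</string> <!-- placeholder -->
      <key>PayloadUUID</key><string>11111111-2222-4333-8444-666666666666</string> <!-- placeholder -->
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadDisplayName</key><string>Office IKEv2</string>
      <key>UserDefinedName</key><string>Office IKEv2</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <!-- Gateway hostname and identifiers are placeholders for the poster's pfSense box -->
        <key>RemoteAddress</key><string>vpn.externaldomain.com</string>
        <key>RemoteIdentifier</key><string>vpn.externaldomain.com</string>
        <key>LocalIdentifier</key><string>user@externaldomain.com</string>
        <!-- EAP (username/password) user authentication; the gateway certificate is
             checked against the device trust store, so no client certificate payload -->
        <key>AuthenticationMethod</key><string>None</string>
        <key>ExtendedAuthEnabled</key><true/>
        <key>AuthName</key><string>user</string>
      </dict>
      <!-- Device-side split DNS: only queries for the match domain go to the VPN
           resolver; everything else keeps using the phone's normal DNS -->
      <key>DNS</key>
      <dict>
        <key>ServerAddresses</key>
        <array><string>172.16.10.1</string></array> <!-- placeholder: resolver inside 172.16.10.0/24 -->
        <key>SupplementalMatchDomains</key>
        <array><string>internaldomain.externaldomain.com</string></array>
        <!-- false: the match domain also acts as a search suffix for short hostnames -->
        <key>SupplementalMatchDomainsNoSearch</key><false/>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

Install it with Apple Configurator, an MDM, or by mailing/AirDropping the .mobileconfig to the device; an unsigned profile installs but is shown as unverified.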

          Have a look here:
          https://forum.netgate.com/topic/95361/solved-cross-platform-ikev2-vpn-no-dns-on-linux-mac-ios/7

          Note that the basic problem of Split DNS with Split Tunnel in IKEv2 is work-in-progress regarding RFC standards.
          https://tools.ietf.org/html/draft-ietf-ipsecme-split-dns-16

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.