Split DNS on iOS not working



  • I'm trying to get IKEv2 working and have most of it working perfectly. I have everything working really well on Windows 10 with the built-in VPN client (low metric, DNS suffix, restrictive encryption, proper subnet, proper domain resolution with the low DNS suffix). Similarly, the connection works really well on iPhone/iPad, except for the issue below. I can ping the various IPs and access Web services on them. I can directly query the DNS servers. There is no issue with IP access over the VPN.

    If I change the Local Network to 0.0.0.0/0, all traffic routes through the VPN and DNS resolution works perfectly. My domain override (set in DNS Resolver) correctly gets the DNS information from the internal server and sends it to the client.

    If I have the Local Network as 172.16.10.0/24 [or tried 172.16.0.0/16 to see if using the full class improves things], DNS resolution does not work for the internal domain on iOS (both iPhone and iPad) but does work on Windows. I can't seem to get iOS to ever obey the internal domain name. I don't use .local as many of the support requests want (I use internaldomain.externaldomain.com as Microsoft recommends for an internal network).

    I want it to either:
    a) send all DNS traffic to the VPN when connected, or
    b) obey the split DNS and send DNS queries for the domains in question to the VPN DNS server.
    It seems iOS is disobeying the split DNS domain. The logs seem to correctly reflect split DNS, and the behaviour on Windows seems to support that.

    Tried every permutation of:
    * Provide a list of accessible networks to clients
    * Provide a default domain name to clients
    * Provide a list of split DNS domain names to clients
    Tried "opening" a DNS server in the public IP space as my DNS server (instead of one on the VPN internal network, in case it wanted it to be publicly accessible).

    Shy of switching over to OpenVPN (which seems not to suffer from this problem when I configure it the same way), does anyone have a solution? I like the integration of IKEv2 in various operating systems (iOS/Windows 10) versus using an external client, but not being able to do proper name resolution unless I send all phone traffic to the VPN is frustrating.


  • LAYER 8 Netgate

    I do not know the specific answer but it would not surprise me if the solution was found by configuring the device with a properly-configured profile instead of manually.
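    As an added example (not from this thread or from Netgate), here is what the profile approach looks like in practice: a small Python script that emits an IKEv2 .mobileconfig whose VPN payload carries a DNS dictionary with SupplementalMatchDomains, the setting that tells iOS to send queries for the internal domain to the tunnel's resolver while the tunnel itself stays split. Key names follow Apple's Configuration Profile Reference as I recall them and should be checked against the current version; the gateway name, identifiers, shared secret and the 172.16.10.53 resolver are constructed placeholders.

```python
import plistlib
import uuid

# Constructed placeholders: replace with the real gateway, identifiers and resolver.
VPN_SERVER = "vpn.example.com"
INTERNAL_DOMAIN = "internaldomain.externaldomain.com"  # the naming scheme used in the thread
INTERNAL_DNS = ["172.16.10.53"]                         # assumed resolver inside 172.16.10.0/24

def build_ikev2_profile(server, dns_servers, match_domains, shared_secret="CHANGE-ME"):
    """Return a configuration-profile dict for an IKEv2 VPN with split DNS.
    SupplementalMatchDomains makes iOS send queries for those domains to
    dns_servers over the tunnel; other queries keep using the local resolver.
    Key names are taken from Apple's profile reference (assumption, verify)."""
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ikev2",      # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "UserDefinedName": "Office IKEv2",
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server,
            "RemoteIdentifier": server,
            "LocalIdentifier": "ios-client",                 # placeholder client ID
            "AuthenticationMethod": "SharedSecret",
            "SharedSecret": shared_secret,
            "ExtendedAuthEnabled": 0,
        },
        "DNS": {
            "ServerAddresses": list(dns_servers),
            "SupplementalMatchDomains": list(match_domains),
        },
    }
    return {
        "PayloadContent": [vpn_payload],
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.ikev2",    # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Office VPN (split DNS)",
    }

def profile_xml(profile):
    """Serialize to the XML plist that iOS expects inside a .mobileconfig file."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML).decode()

if __name__ == "__main__":
    print(profile_xml(build_ikev2_profile(VPN_SERVER, INTERNAL_DNS, [INTERNAL_DOMAIN])))
```

    Redirect the output to a file with a .mobileconfig extension and install it on the device (by AirDrop, e-mail or an MDM); the DNS dictionary is what the manual VPN settings screen cannot express.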



  • Have a look here:
    https://forum.netgate.com/topic/95361/solved-cross-platform-ikev2-vpn-no-dns-on-linux-mac-ios/7

    Note that the basic problem of Split DNS with Split Tunnel in IKEv2 is work-in-progress regarding RFC standards.
    https://tools.ietf.org/html/draft-ietf-ipsecme-split-dns-16