Netgate Discussion Forum

    Rediscovered old workaround for IPSec DNS still works

    mhill:

      Re: Problem with DNS when connecting to pfSense box using VPN IPSec

      Mac OS X and iPhone users on IPSec - the simplest VPN to use since it's built into Apple devices - have been unable to use the DNS pushed to them ever since the switch from racoon to strongswan. I just tried the workaround in this 5+ year old post, and it still works on 2.5.2-RELEASE.

      Part of the problem in researching this issue is the distraction of an endless number of discussions on the internet at large regarding Apple not using DNS servers for VPN connections prior to default DNS servers of the Ethernet or WiFi connection.

      The symptom is that the OS cannot resolve names using the VPN's DNS, neither bare server names nor FQDNs. Manually performing DNS queries using dig works; resolution by the OS does not (e.g. ping or web browsing).

      The fix for me is essentially described in the last line of the referenced post. In VPN / IPsec / Mobile Clients set both the DNS Default Domain and the Split DNS to the domain you're trying to serve up from your DNS servers, but to work around an old strongswan bug, specify the Split DNS domain twice, separated by a space. The last (second) one doesn't count, because it is reportedly corrupted by extra characters appended to it. I didn't verify that the old bug is still the same; I quit messing with it when I observed name resolution working on OS X and iOS clients.

      I hope that helps someone else.

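      The symptom above (dig answers, the OS does not) usually means the pushed Split DNS domain never became a scoped resolver on the Apple client. The shell check below is an added example, not code from the poster or from pfSense: it parses `scutil --dns` output on macOS and reports which nameservers are attached to a given domain, so you can confirm the workaround took effect after the tunnel comes up. The sample output and the domain `example.internal` are constructed for the example, and the `scutil --dns` line layout is assumed to match current macOS.

```shell
# Constructed sample of `scutil --dns` output (assumed format; values made up).
SAMPLE_SCUTIL_DNS='DNS configuration

resolver #1
  search domain[0] : lan.home
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : example.internal
  nameserver[0] : 10.0.0.1
  nameserver[1] : 10.0.0.2
  flags    : Supplemental, Request A records
  reach    : 0x00000002 (Reachable)
  order    : 100200
'

# Print the nameservers of every scoped resolver whose "domain" line is $1.
# Reads `scutil --dns` output on stdin, one nameserver per output line.
split_dns_servers() {
  awk -v want="$1" '
    /^resolver #/ { if (domain == want) printf "%s", servers; domain = ""; servers = "" }
    $1 == "domain" { domain = $3 }
    $1 ~ /^nameserver\[[0-9]+\]$/ { servers = servers $3 "\n" }
    END { if (domain == want) printf "%s", servers }
  '
}

# Return 0 if a scoped resolver exists for the split-DNS domain $1, 1 otherwise.
# Usage on a connected client: scutil --dns | check_split_dns example.internal
check_split_dns() {
  servers=$(split_dns_servers "$1")
  if [ -z "$servers" ]; then
    echo "no scoped resolver for $1: the Split DNS domain was not applied" >&2
    return 1
  fi
  echo "resolver for $1 uses: $(printf '%s' "$servers" | tr '\n' ' ')"
  return 0
}
```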
    rb625:

        Same story for me on pfSense+ 23.01. Tried everything until I came across this post, which amazingly works. My use case is iOS 16.4.1.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.