DNS via MacOS settings vs Viscosity DNS

Posted: Sun Dec 10, 2017 5:09 pm
by Ickertod
Hello,

I subscribe to a VPN service that has a server which allows access to .onion websites. The only thing needed, other than the address for the server, is the VPN provider's DNS server addresses. Everything works as it's supposed to when I set the DNS at the MacOS system level, but when I do it through Viscosity, the .onion sites don't work.

How I set it up in MacOS:
System Preferences -->
Network -->
Advanced button -->
DNS
Enter 1.2.3.4 and 1.3.5.7

How I set it up in Viscosity
Preferences -->
Select server -->
Click Edit -->
Networking -->
DNS Settings -->
Mode --> automatic (default)
Servers --> 1.2.3.4, 1.3.5.7

In order to get the .onion sites to work I have to set the DNS at the MacOS level and then set the DNS mode to Disabled in Viscosity. If I try to instead set the DNS settings in Viscosity, the .onion sites fail to load. Everything else works correctly, just not the .onion sites. When I run "scutil --dns" in terminal, both cases show the same, correct entries for the DNS server.

I'm not sure why the .onion sites would load if I set the DNS at the MacOS level and not work if I set the DNS within Viscosity. Shouldn't I be getting the same results by setting the DNS in Viscosity vs setting it at the MacOS system level?

Thanks!
Dan

Re: DNS via MacOS settings vs Viscosity DNS

Posted: Mon Dec 11, 2017 11:42 am
by James
Hi Dan,

Can you please post a full copy of your OpenVPN log and "scutil --dns" output while connected? This should help us diagnose what is going on. Please feel free to censor out any sensitive details before posting.
https://www.sparklabs.com/support/kb/ar ... envpn-log/

Cheers,
James

Re: DNS via MacOS settings vs Viscosity DNS

Posted: Tue Dec 12, 2017 3:36 pm
by Ickertod
I have 4 text files I've made.
1- The Viscosity Log output when DNS is set up in Viscosity
2- The scutil output when DNS is set up in Viscosity
3- The Viscosity Log output when DNS is set up in macOS and disabled in Viscosity
4- The scutil output when DNS is set up in macOS

Is there an email I can send these to, or should I just paste them all into one large reply?

Re: DNS via MacOS settings vs Viscosity DNS

Posted: Wed Dec 13, 2017 2:27 am
by Ickertod
This is the Viscosity log and scutil log when Viscosity is in charge of administrating the DNS. macOS is set with the default 8.8.8.8 and 8.8.4.4.

Viscosity log:
2017-12-11 20:49:22: Viscosity Mac 1.7.5 (1420)
2017-12-11 20:49:22: Viscosity OpenVPN Engine Started
2017-12-11 20:49:22: Running on macOS 10.13.2
2017-12-11 20:49:22: ---------
2017-12-11 20:49:22: State changed to Connecting
2017-12-11 20:49:23: Checking reachability status of connection...
2017-12-11 20:49:23: Connection is reachable. Starting connection attempt.
2017-12-11 20:49:23: OpenVPN 2.4.4 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Sep 27 2017
2017-12-11 20:49:23: library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
2017-12-11 20:49:23: WARNING: --ping should normally be used with --ping-restart or --ping-exit
2017-12-11 20:49:23: NOTE: --fast-io is disabled since we are not using UDP
2017-12-11 20:49:23: TCP/UDP: Preserving recently used remote address: [AF_INET]12.34.56.78:443
2017-12-11 20:49:23: Attempting to establish TCP connection with [AF_INET]12.34.56.78:443 [nonblock]
2017-12-11 20:49:24: TCP connection established with [AF_INET]12.34.56.78:443
2017-12-11 20:49:24: TCP_CLIENT link local: (not bound)
2017-12-11 20:49:24: TCP_CLIENT link remote: [AF_INET]12.34.56.78:443
2017-12-11 20:49:24: State changed to Authenticating
2017-12-11 20:49:24: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2017-12-11 20:49:26: [maskedvpn.com] Peer Connection Initiated with [AF_INET]12.34.56.78:443
2017-12-11 20:49:28: Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2017-12-11 20:49:28: Opened utun device utun1
2017-12-11 20:49:28: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2017-12-11 20:49:28: /sbin/ifconfig utun1 delete
2017-12-11 20:49:28: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2017-12-11 20:49:28: /sbin/ifconfig utun1 11.22.33.44 11.22.33.44 netmask 255.255.255.0 mtu 1500 up
2017-12-11 20:49:28: Initialization Sequence Completed
2017-12-11 20:49:29: DNS mode set to Full
2017-12-11 20:49:29: State changed to Connected
2017-12-11 20:51:12: State changed to Disconnecting
2017-12-11 20:51:12: SIGTERM[hard,] received, process exiting
2017-12-11 20:51:13: State changed to Disconnected
2017-12-11 20:52:12: Viscosity Mac 1.7.5 (1420)
2017-12-11 20:52:12: Viscosity OpenVPN Engine Started
2017-12-11 20:52:12: Running on macOS 10.13.2
2017-12-11 20:52:12: ---------
2017-12-11 20:52:12: State changed to Connecting
2017-12-11 20:52:12: Checking reachability status of connection...
2017-12-11 20:52:12: Connection is reachable. Starting connection attempt.
2017-12-11 20:52:12: OpenVPN 2.4.4 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Sep 27 2017
2017-12-11 20:52:12: library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
2017-12-11 20:52:12: WARNING: --ping should normally be used with --ping-restart or --ping-exit
2017-12-11 20:52:12: NOTE: --fast-io is disabled since we are not using UDP
2017-12-11 20:52:12: TCP/UDP: Preserving recently used remote address: [AF_INET]12.34.56.78:443
2017-12-11 20:52:12: Attempting to establish TCP connection with [AF_INET]12.34.56.78:443 [nonblock]
2017-12-11 20:52:13: TCP connection established with [AF_INET]12.34.56.78:443
2017-12-11 20:52:13: TCP_CLIENT link local: (not bound)
2017-12-11 20:52:13: TCP_CLIENT link remote: [AF_INET]12.34.56.78:443
2017-12-11 20:52:14: State changed to Authenticating
2017-12-11 20:52:14: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2017-12-11 20:52:15: [maskedvpn.com] Peer Connection Initiated with [AF_INET]12.34.56.78:443
2017-12-11 20:52:16: Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2017-12-11 20:52:16: Opened utun device utun1
2017-12-11 20:52:16: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2017-12-11 20:52:16: /sbin/ifconfig utun1 delete
2017-12-11 20:52:16: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2017-12-11 20:52:16: /sbin/ifconfig utun1 11.22.33.44 11.22.33.44 netmask 255.255.255.0 mtu 1500 up
2017-12-11 20:52:16: Initialization Sequence Completed
2017-12-11 20:52:17: DNS mode set to Full
2017-12-11 20:52:17: State changed to Connected


scutil log
DNS configuration

resolver #1
search domain[0] : utun1.viscosity
nameserver[0] : 2.4.3.5.4
nameserver[1] : 1.3.2.4.3
flags : Request A records
reach : 0x00000002 (Reachable)

resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300000

resolver #3
domain : utun1.viscosity
nameserver[0] : 2.4.3.5.4
nameserver[1] : 1.3.2.4.3
flags : Supplemental, Request A records
reach : 0x00000002 (Reachable)
order : 100200

resolver #4
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300200

resolver #5
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300400

resolver #6
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300600

resolver #7
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300800

resolver #8
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 301000

DNS configuration (for scoped queries)

resolver #1
search domain[0] : utun1.viscosity
nameserver[0] : 2.4.3.5.4
nameserver[1] : 1.3.2.4.3
if_index : 9 (utun1)
flags : Scoped, Request A records
reach : 0x00000002 (Reachable)

resolver #2
nameserver[0] : 8.8.8.8
nameserver[1] : 8.8.4.4
nameserver[2] : <removed for forum posting>
if_index : 5 (en0)
flags : Scoped, Request A records
reach : 0x00000002 (Reachable)

Re: DNS via MacOS settings vs Viscosity DNS

Posted: Wed Dec 13, 2017 2:29 am
by Ickertod
This is the Viscosity log and scutil log when macOS is in charge of administrating the DNS. The DNS option is disabled in Viscosity.

Viscosity Log:
2017-12-11 21:17:42: Viscosity Mac 1.7.5 (1420)
2017-12-11 21:17:42: Viscosity OpenVPN Engine Started
2017-12-11 21:17:42: Running on macOS 10.13.2
2017-12-11 21:17:42: ---------
2017-12-11 21:17:42: State changed to Connecting
2017-12-11 21:17:43: Checking reachability status of connection...
2017-12-11 21:17:43: Connection is reachable. Starting connection attempt.
2017-12-11 21:17:43: OpenVPN 2.4.4 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Sep 27 2017
2017-12-11 21:17:43: library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
2017-12-11 21:17:43: WARNING: --ping should normally be used with --ping-restart or --ping-exit
2017-12-11 21:17:43: NOTE: --fast-io is disabled since we are not using UDP
2017-12-11 21:17:43: TCP/UDP: Preserving recently used remote address: [AF_INET]12.34.56.78:443
2017-12-11 21:17:43: Attempting to establish TCP connection with [AF_INET]12.34.56.78:443 [nonblock]
2017-12-11 21:17:44: TCP connection established with [AF_INET]12.34.56.78:443
2017-12-11 21:17:44: TCP_CLIENT link local: (not bound)
2017-12-11 21:17:44: TCP_CLIENT link remote: [AF_INET]12.34.56.78:443
2017-12-11 21:17:44: State changed to Authenticating
2017-12-11 21:17:44: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2017-12-11 21:17:45: [maskedvpn.com] Peer Connection Initiated with [AF_INET]12.34.56.78:443
2017-12-11 21:17:47: Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2017-12-11 21:17:47: Opened utun device utun1
2017-12-11 21:17:47: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2017-12-11 21:17:47: /sbin/ifconfig utun1 delete
2017-12-11 21:17:47: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2017-12-11 21:17:47: /sbin/ifconfig utun1 11.22.33.44 11.22.33.44 netmask 255.255.255.0 mtu 1500 up
2017-12-11 21:17:47: Initialization Sequence Completed
2017-12-11 21:17:47: DNS mode set to Off
2017-12-11 21:17:47: State changed to Connected


scutil log
DNS configuration

resolver #1
nameserver[0] : 2.4.3.5.4
nameserver[1] : 1.3.2.4.3
flags : Request A records
reach : 0x00000002 (Reachable)

resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300000

resolver #3
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300200

resolver #4
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300400

resolver #5
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300600

resolver #6
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300800

resolver #7
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 301000

DNS configuration (for scoped queries)

resolver #1
nameserver[0] : 2.4.3.5.4
nameserver[1] : 1.3.2.4.3
if_index : 5 (en0)
flags : Scoped, Request A records
reach : 0x00000002 (Reachable)

Re: DNS via MacOS settings vs Viscosity DNS

Posted: Wed Dec 13, 2017 3:40 am
by Ickertod
Also, to mention a few other tests I've done that all had the same problem:
- in Viscosity set the DNS and set the DNS Settings to "Full DNS" (fails to load .onion)
- in Viscosity set the DNS, set DNS Settings to "Full DNS", checked the checkbox to ignore the DNS Settings sent by the VPN Server (fails to load .onion)
- having the DNS set at both the macOS and Viscosity levels (fails to load .onion)

Re: DNS via MacOS settings vs Viscosity DNS

Posted: Thu Dec 14, 2017 5:50 pm
by James
Hi Ickertod,

Thanks for posting your logs.

How do you get on if you add "onion" to the "Domains" list under the Networking tab for your connection in Viscosity?

Here is my running theory as to what is happening, but please note it's only speculation at this stage (to confirm it will be necessary to fire up something like Wireshark and look at the actual DNS request): to allow for DNS network interface ordering Viscosity sets an interface domain. If none is specified it will use a generic one (e.g. utun0.viscosity). This should be ignored for actual lookups, however in this case macOS doesn't see "x.onion" as a real domain (as it's not a known TLD), and so it may be thinking it's a subdomain and trying to resolve it using the interface domain (i.e. x.onion.utun0.viscosity).

It sounds like it's not trying x.onion though, either initially or as a fallback, which makes me think the DNS server may be responding to "x.onion.utun0.viscosity" in some fashion. I imagine it's working when you manually set the DNS servers as there is no domain being set: if you set one you'll probably see the same behaviour. We can't have Viscosity not set a domain, as from past experience this will break DNS interface ordering for many setups. Adding "onion" as a search domain *might* offer a solution, otherwise it's probably best handled on the DNS server's end.

Cheers,
James
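A small Python model of the theory in the post above (an added example, not Viscosity's or macOS's code): it parses the unscoped resolvers out of `scutil --dns` output shaped like the one posted in this thread and lists the query names a search-list-qualifying stub resolver would try. The search-first order, the set of "known" TLDs, and the shape of the entry that adding "onion" to the Domains list produces (a supplemental resolver with `domain : onion`) are all assumptions, not documented behaviour.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

@dataclass
class Resolver:
    domain: str | None = None                          # "domain : onion" -> only names under this suffix
    search: list[str] = field(default_factory=list)    # "search domain[0] : ..." entries
    nameservers: list[str] = field(default_factory=list)

def parse_scutil(text: str) -> list[Resolver]:
    """Parse the unscoped 'resolver #N' blocks of `scutil --dns` output."""
    unscoped = text.split("(for scoped queries)")[0]
    resolvers = []
    for block in re.split(r"^resolver #\d+\s*$", unscoped, flags=re.M)[1:]:
        r = Resolver()
        for key, val in re.findall(r"^\s*([a-z_ ]+?)(?:\[\d+\])?\s*:\s*(.+?)\s*$", block, flags=re.M):
            if key == "domain":
                r.domain = val
            elif key == "search domain":
                r.search.append(val)
            elif key == "nameserver":
                r.nameservers.append(val)
        resolvers.append(r)
    return resolvers

def candidate_queries(name: str, resolvers: list[Resolver],
                      known_tlds: frozenset[str] = frozenset({"com", "net", "org"})) -> list[str]:
    """Query names sent, in order, under the assumed model: a resolver whose `domain` is a
    suffix of the name takes it as-is; otherwise a name whose last label is not a known TLD
    is treated as unqualified and every search domain is appended before the bare name."""
    for r in resolvers:
        if r.domain and (name == r.domain or name.endswith("." + r.domain)):
            return [name]
    if name.rsplit(".", 1)[-1] in known_tlds:
        return [name]
    search = [s for r in resolvers for s in r.search]
    return [f"{name}.{s}" for s in search] + [name]

# Constructed sample, abbreviated from the scutil output posted in this thread.
SCUTIL_BEFORE = """DNS configuration

resolver #1
  search domain[0] : utun1.viscosity
  nameserver[0] : 2.4.3.5.4
  nameserver[1] : 1.3.2.4.3
  flags    : Request A records

resolver #2
  domain   : local
  options  : mdns

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : utun1.viscosity
  if_index : 9 (utun1)
"""
# Assumed shape once "onion" is added to Viscosity's Domains list.
SCUTIL_AFTER = SCUTIL_BEFORE.replace("DNS configuration (for scoped queries)",
    "resolver #3\n  domain   : onion\n  nameserver[0] : 2.4.3.5.4\n\nDNS configuration (for scoped queries)")
```

Under this model `x.onion` is first tried as `x.onion.utun1.viscosity` with the original configuration and as plain `x.onion` once the `onion` domain entry exists; confirming what really goes on the wire still needs a packet capture, as the post says.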

Re: DNS via MacOS settings vs Viscosity DNS

Posted: Fri Dec 15, 2017 11:34 am
by Ickertod
Hello James,

It looks like your theory was spot on - adding "onion" to the Domains list fixed the problem!

Thank you so much for your help!

Dan