DNS resolution lost

Posted: Fri Sep 21, 2018 12:41 am
by humantypo
I am seeing an unusual error daily at 6:59am. My connection is lost and Viscosity can no longer resolve the hostname of my VPN server. The connection is not disconnected per se, but in a perpetual “reconnection” state. The solution has been to quit Viscosity and reconnect. The connection is then good until the next day.

This *seems* to have begun when we moved to the openVPN “failover” setup on the server side, but I cannot say for sure.

Has anyone seen something like this before?

thanks

2018-09-20 06:59:28: AUTH: Received control message: AUTH_FAILED,SESSION: Your session has expired, please reauthenticate
2018-09-20 06:59:28: SIGHUP[soft,auth-failure (auth-token)] received, process restarting
2018-09-20 06:59:28: Viscosity Mac 1.7.11 (1463)
2018-09-20 06:59:28: Viscosity OpenVPN Engine Started
2018-09-20 06:59:28: Running on macOS 10.13.6
2018-09-20 06:59:28: ---------
2018-09-20 06:59:28: State changed to Connecting
2018-09-20 06:59:28: OpenVPN 2.4.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jul 20 2018
2018-09-20 06:59:28: library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
2018-09-20 06:59:33: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2018-09-20 07:00:03: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:00:33: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:00:33: Could not determine IPv4/IPv6 protocol
2018-09-20 07:00:33: SIGUSR1[soft,init_instance] received, process restarting
2018-09-20 07:00:33: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2018-09-20 07:01:03: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:01:33: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:01:33: Could not determine IPv4/IPv6 protocol
2018-09-20 07:01:33: SIGUSR1[soft,init_instance] received, process restarting
2018-09-20 07:01:33: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2018-09-20 07:02:03: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:02:33: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:02:33: Could not determine IPv4/IPv6 protocol
2018-09-20 07:02:33: SIGUSR1[soft,init_instance] received, process restarting
2018-09-20 07:02:33: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2018-09-20 07:03:03: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:03:33: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:03:33: Could not determine IPv4/IPv6 protocol
2018-09-20 07:03:33: SIGUSR1[soft,init_instance] received, process restarting
2018-09-20 07:03:33: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2018-09-20 07:04:03: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:04:33: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:04:33: Could not determine IPv4/IPv6 protocol
2018-09-20 07:04:33: SIGUSR1[soft,init_instance] received, process restarting
2018-09-20 07:04:33: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2018-09-20 07:05:03: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:05:33: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:05:33: Could not determine IPv4/IPv6 protocol
2018-09-20 07:05:33: SIGUSR1[soft,init_instance] received, process restarting
2018-09-20 07:05:33: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2018-09-20 07:06:03: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:06:33: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:06:33: Could not determine IPv4/IPv6 protocol
2018-09-20 07:06:33: SIGUSR1[soft,init_instance] received, process restarting
2018-09-20 07:06:33: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2018-09-20 07:07:03: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:07:33: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:07:33: Could not determine IPv4/IPv6 protocol
2018-09-20 07:07:33: SIGUSR1[soft,init_instance] received, process restarting
2018-09-20 07:07:33: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2018-09-20 07:08:03: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:08:33: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:08:33: Could not determine IPv4/IPv6 protocol
2018-09-20 07:08:33: SIGUSR1[soft,init_instance] received, process restarting
2018-09-20 07:08:33: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2018-09-20 07:09:03: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:09:33: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:09:33: Could not determine IPv4/IPv6 protocol
2018-09-20 07:09:33: SIGUSR1[soft,init_instance] received, process restarting
2018-09-20 07:09:33: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2018-09-20 07:10:03: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:10:33: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:10:33: Could not determine IPv4/IPv6 protocol
2018-09-20 07:10:33: SIGUSR1[soft,init_instance] received, process restarting
2018-09-20 07:10:33: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2018-09-20 07:11:03: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:11:33: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:11:33: Could not determine IPv4/IPv6 protocol
2018-09-20 07:11:33: SIGUSR1[soft,init_instance] received, process restarting
2018-09-20 07:11:33: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2018-09-20 07:12:03: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:12:33: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:12:33: Could not determine IPv4/IPv6 protocol
2018-09-20 07:12:33: SIGUSR1[soft,init_instance] received, process restarting
2018-09-20 07:12:33: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2018-09-20 07:13:03: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:13:33: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:13:33: Could not determine IPv4/IPv6 protocol
2018-09-20 07:13:33: SIGUSR1[soft,init_instance] received, process restarting
2018-09-20 07:13:33: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2018-09-20 07:14:03: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:14:33: RESOLVE: Cannot resolve host address: vpn.xxxredactedxxxx.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:14:33: Could not determine IPv4/IPv6 protocol
2018-09-20 07:14:33: SIGUSR1[soft,init_instance] received, process restarting
2018-09-20 07:14:33: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2018-09-20 07:17:06: Viscosity Mac 1.7.11 (1463)
2018-09-20 07:17:06: Viscosity OpenVPN Engine Started
2018-09-20 07:17:06: Running on macOS 10.13.6
2018-09-20 07:17:06: ---------
2018-09-20 07:17:06: State changed to Connecting
2018-09-20 07:17:06: Checking reachability status of connection...
2018-09-20 07:17:06: Connection is reachable. Starting connection attempt.
2018-09-20 07:17:06: OpenVPN 2.4.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jul 20 2018
2018-09-20 07:17:06: library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
2018-09-20 07:17:07: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2018-09-20 07:17:07: TCP/UDP: Preserving recently used remote address: [AF_INET]000.27.155.46:1194
2018-09-20 07:17:07: Attempting to establish TCP connection with [AF_INET]000.27.155.46:1194 [nonblock]
2018-09-20 07:17:09: TCP connection established with [AF_INET]000.27.155.46:1194
2018-09-20 07:17:09: TCP_CLIENT link local: (not bound)
2018-09-20 07:17:09: TCP_CLIENT link remote: [AF_INET]000.27.155.46:1194
2018-09-20 07:17:09: State changed to Authenticating
2018-09-20 07:17:09: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2018-09-20 07:17:09: [OpenVPN Server] Peer Connection Initiated with [AF_INET]000.27.155.46:1194
2018-09-20 07:17:10: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.4.6)
2018-09-20 07:17:10: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.4.6)
2018-09-20 07:17:10: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.4.6)
2018-09-20 07:17:10: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:27: register-dns (2.4.6)
2018-09-20 07:17:10: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:28: block-ipv6 (2.4.6)
2018-09-20 07:17:10: Opened utun device utun10
2018-09-20 07:17:10: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2018-09-20 07:17:10: /sbin/ifconfig utun10 delete
2018-09-20 07:17:10: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2018-09-20 07:17:10: /sbin/ifconfig utun10 10.8.1.41 10.8.1.41 netmask 255.255.255.0 mtu 1500 up
2018-09-20 07:17:15: Initialization Sequence Completed
2018-09-20 07:17:15: DNS mode set to Split
2018-09-20 07:17:16: State changed to Connected

Re: DNS resolution lost

Posted: Fri Sep 21, 2018 1:36 pm
by James
Hi humantypo,

Try making use of the "resolv-retry" advanced command, so if the address doesn't resolve for longer than a certain time, then it'll fail (e.g. "resolv-retry 5"). OpenVPN will then either switch to the next server (if you have multiple), or the connection will disconnect (and Viscosity will reconnect it if the Automatically reconnect option is ticked).
https://www.sparklabs.com/support/kb/ar ... solv-retry

Cheers,
James

Re: DNS resolution lost

Posted: Sat Sep 22, 2018 12:45 am
by humantypo
Giving it a shot, thanks!

Re: DNS resolution lost

Posted: Wed Oct 10, 2018 1:56 am
by humantypo
My VPN issue continues. It seems to be because OSX loses its DNS cache, which is restored once Viscosity is restarted...

Again, here is the Error message in Viscosity:

2018-10-07 17:36:32: RESOLVE: Cannot resolve host address: vpn.[mydomain].com:1194 (nodename nor servname provided, or not known)
[repeats]

Quick resolution check:

$ nslookup vpn.[mydomain].com
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: vpn.[mydomain].com
Address: 1.2.3.4

Make sure nothing in hosts:

$ cat /etc/hosts
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost

DNS at head end is OK, checking mDNSResponder locally:

$ nc -z vpn.[mydomain].com 943
nc: getaddrinfo: nodename nor servname provided, or not known

Try flushing cache:

$ sudo dscacheutil -flushcache

$ nc -z vpn.[mydomain].com 943
nc: getaddrinfo: nodename nor servname provided, or not known

An interesting artifact found looking at other sites in DNS search domain:

$ nc -z www.[mydomain].com 80
nc: getaddrinfo: nodename nor servname provided, or not known

…that doesn’t affect anything outside of my search domain:

$ nc -z google.com 80
Connection to google.com port 80 [tcp/http] succeeded!

For reference:

$ cat /etc/resolv.conf
#
# macOS Notice
#
# This file is not consulted for DNS hostname resolution, address
# resolution, or the DNS query routing mechanism used by most
# processes on this system.
#
# To view the DNS configuration used by this system, use:
# scutil --dns
#
# SEE ALSO
# dns-sd(1), scutil(8)
#
# This file is automatically generated.
#
search [mydomain]
nameserver 8.8.8.8
nameserver 8.8.4.4

I then quit Viscosity and retry:

$ nc -z vpn.[mydomain].com 943
nc: getaddrinfo: nodename nor servname provided, or not known

Finally, I restart Viscosity:

$ nc -z vpn.[mydomain].com 943
Connection to vpn.[mydomain].com port 943 [tcp/*] succeeded!

I am able to reconnect and I am seeing some register-dns:

2018-10-09 07:44:10: Viscosity Mac 1.7.11 (1463)
2018-10-09 07:44:10: Viscosity OpenVPN Engine Started
2018-10-09 07:44:10: Running on macOS 10.13.6
2018-10-09 07:44:10: ---------
2018-10-09 07:44:10: State changed to Connecting
2018-10-09 07:44:10: Checking reachability status of connection...
2018-10-09 07:44:11: Connection is reachable. Starting connection attempt.
2018-10-09 07:44:11: OpenVPN 2.4.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jul 20 2018
2018-10-09 07:44:11: library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10
2018-10-09 07:44:12: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2018-10-09 07:44:12: TCP/UDP: Preserving recently used remote address: [AF_INET]1.2.3.4:1194
2018-10-09 07:44:12: Attempting to establish TCP connection with [AF_INET]1.2.3.4:1194 [nonblock]
2018-10-09 07:44:13: TCP connection established with [AF_INET]1.2.3.4:1194
2018-10-09 07:44:13: TCP_CLIENT link local: (not bound)
2018-10-09 07:44:13: TCP_CLIENT link remote: [AF_INET]1.2.3.4:1194
2018-10-09 07:44:13: State changed to Authenticating
2018-10-09 07:44:13: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2018-10-09 07:44:13: [OpenVPN Server] Peer Connection Initiated with [AF_INET]1.2.3.4:1194
2018-10-09 07:44:19: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.4.6)
2018-10-09 07:44:19: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.4.6)
2018-10-09 07:44:19: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.4.6)
2018-10-09 07:44:19: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:27: register-dns (2.4.6)
2018-10-09 07:44:19: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:28: block-ipv6 (2.4.6)
2018-10-09 07:44:19: Opened utun device utun10
2018-10-09 07:44:19: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2018-10-09 07:44:19: /sbin/ifconfig utun10 delete
2018-10-09 07:44:19: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2018-10-09 07:44:19: /sbin/ifconfig utun10 10.8.1.15 10.8.1.15 netmask 255.255.255.0 mtu 1500 up
2018-10-09 07:44:25: Initialization Sequence Completed
2018-10-09 07:44:25: DNS mode set to Split
2018-10-09 07:44:25: State changed to Connected

Here are the Extra OpenVPN options from Preferences:

resolv-retry 5
rcvbuf 100000
sndbuf 100000
key-direction 1
setenv FORWARD_COMPATIBLE 1
setenv PUSH_PEER_INFO
reneg-sec 604800
comp-lzo no
ns-cert-type server

Any idea what’s going on?

thanks

Re: DNS resolution lost

Posted: Thu Oct 11, 2018 12:42 am
by James
Hi humantypo,

Try adding "remap-usr1 SIGTERM" (without the quotes) to the connection as an advanced command. This should force a full disconnect (and reconnect if you have the reconnect option ticked in Viscosity).

Basically what is happening is this:

1. Your connection is using Full DNS mode, which means all DNS requests go to the DNS server/s set by the VPN connection. The DNS servers are only accessible via the VPN connection (i.e. they're not publicly accessible DNS servers).
2. Your VPN connection drops out, and OpenVPN attempts a "light" reconnect. That is, it keeps the VPN network interface etc. active and available (due to the persist options for the connection). This means the VPN DNS server/s are still also set during the reconnect attempt.
3. As the DNS server/s can't be reached (as the VPN connection itself is down), the VPN server address can't be resolved. A catch-22.

Forcing the VPN connection to fully disconnect when your connection drops (instead of performing a light reconnect) will ensure that your normal DNS server/s are used and allow Viscosity to take control of the reconnection. The command at the top of the post should force this.

Finally, please note that macOS doesn't use resolv.conf, and tools that use it don't give an accurate indication of what your computer is doing DNS wise. Please see:
https://www.sparklabs.com/support/kb/ar ... unix-users

Cheers,
James
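The pattern James describes (a soft restart that keeps the VPN DNS servers in place, followed by a loop of RESOLVE failures until Viscosity itself restarts the connection) can be picked out of a Viscosity/OpenVPN client log automatically. The script below is an added example, not code from the thread or from Viscosity/OpenVPN; its sample log is constructed in the format the first post quotes, with a placeholder hostname, and the "Checking reachability status" line is treated as the marker of a fresh Viscosity-driven attempt only because that is where it appears in the thread's own logs.

```python
import re
from datetime import datetime

# Constructed sample in the log format quoted in the thread (hostname is a
# placeholder): an auth-token expiry triggers a soft restart, the resolver then
# fails repeatedly, and the tunnel only comes back after Viscosity is relaunched.
SAMPLE_LOG = """\
2018-09-20 06:59:28: SIGHUP[soft,auth-failure (auth-token)] received, process restarting
2018-09-20 07:00:03: RESOLVE: Cannot resolve host address: vpn.example.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:00:33: RESOLVE: Cannot resolve host address: vpn.example.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:00:33: SIGUSR1[soft,init_instance] received, process restarting
2018-09-20 07:01:03: RESOLVE: Cannot resolve host address: vpn.example.com:1194 (nodename nor servname provided, or not known)
2018-09-20 07:17:06: Checking reachability status of connection...
2018-09-20 07:17:15: Initialization Sequence Completed
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (.*)$")
SOFT_RESTART_RE = re.compile(r"^(SIG\w+)\[soft,([^\]]*)\] received, process restarting$")

def parse(text):
    """Yield (timestamp, message) for each well-formed log line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)

def find_stuck_reconnects(text, min_failures=2):
    """Return one dict per episode in which OpenVPN's in-process ("light") restart
    loop hit at least min_failures RESOLVE errors before the tunnel came back up."""
    episodes, cur = [], None
    for ts, msg in parse(text):
        restart = SOFT_RESTART_RE.match(msg)
        if restart:
            if cur is None:  # first soft restart opens an episode
                cur = {"start": ts, "trigger": f"{restart.group(1)} {restart.group(2)}",
                       "soft_restarts": 0, "resolve_failures": 0, "fresh_attempt": False}
            cur["soft_restarts"] += 1
        elif cur is None:
            continue  # tunnel healthy, nothing to track
        elif msg.startswith("RESOLVE: Cannot resolve host address"):
            cur["resolve_failures"] += 1
        elif msg.startswith("Checking reachability status"):
            # In the thread's logs this line only appears when Viscosity starts the
            # connection itself (after a relaunch), never on OpenVPN's soft restarts.
            cur["fresh_attempt"] = True
        elif msg == "Initialization Sequence Completed":
            cur["stuck_seconds"] = int((ts - cur["start"]).total_seconds())
            if cur["resolve_failures"] >= min_failures:
                episodes.append(cur)
            cur = None
    return episodes
```

An episode whose `fresh_attempt` is true and whose `stuck_seconds` runs into the minutes is the catch-22 above: the soft reconnect never recovered on its own, which is what "remap-usr1 SIGTERM" (or a short "resolv-retry") is meant to cut short.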

Re: DNS resolution lost

Posted: Thu Oct 11, 2018 2:20 am
by humantypo
Thanks, I will give that a try.

I included the /etc files for completeness. I used nc, which relies upon mDNSResponder, for name resolution to show that apps were not able to resolve the domain. nslookup was used to show the head end was responding properly.

I appreciate the help.