DNS priority / corrupted resolv.conf
Posted: Tue Jan 13, 2009 8:51 am
Hi,
first of all: Thank you, the authors of Viscosity, for that nice tool. I really like its coloured icons in the upper right corner.
I'm evaluating Viscosity and am having some trouble with the DNS settings. Viscosity 1.0.2 even destroys my resolv.conf (on Mac OS X 10.5.5).
My issues are:
- resolv.conf gets corrupted during disconnect when two VPNs were connected
- I think in my use case it would be better not to change resolv.conf on connect/disconnect. How is this possible? Or is there a better way?
- How can I ensure that only lookups for the VPN-domain are done using the VPN-DNS?
On startup, I am connected with my computer via WLAN to a local network with internet connection. The initial settings (without VPN) on my MacBook Pro are:
Code:
bash-3.2# cat /etc/resolv.conf
domain ran-b.local
nameserver 192.168.101.254
Code:
bash-3.2# scutil --dns
DNS configuration
resolver #1
domain : ran-b.local
nameserver[0] : 192.168.101.254
order : 200000
resolver #2
domain : ran-b.local
nameserver[0] : 192.168.101.254
order : 200000
So my LAN configuration is: DNS 192.168.101.254 for domain ran-b.local and for all internet domains.
Now, I want to connect to several VPNs in tun mode, while each VPN gives me access to a certain LAN.
Configuration "RAN-AB": DNS 192.168.112.254 for domain ran-ab.local
Configuration "RAN-BLK": DNS 192.168.35.12 for domain ran-blk.local
For all other domains, the DNS 192.168.101.254 of my WLAN/LAN should still be used.
For this application, I figured out that "Use alternate DNS support" is more what I want.
When I connect to "RAN-AB", my configuration changes to this one:
Code:
bash-3.2# cat /etc/resolv.conf
domain ran-b.local
# nameserver 192.168.101.254
# begin tun0 OpenVPN tunnel modifications
nameserver 192.168.112.254
search ran-ab.local
# end tun0 OpenVPN tunnel modifications
Code:
bash-3.2# scutil --dns
DNS configuration
resolver #1
domain : ran-b.local
search domain[0] : ran-ab.local
search domain[1] : ran-b.local
nameserver[0] : 192.168.101.254
order : 200000
resolver #2
domain : ran-b.local
nameserver[0] : 192.168.101.254
order : 200000
resolver #3
domain : ran-ab.local
nameserver[0] : 192.168.112.254
order : 101200
Now, I can resolve hostnames on my local network "ran-b.local", hostnames from the VPN network "ran-ab.local" and finally internet domains:
Code:
bash-3.2# ping routerb.ran-b.local
PING routerb.ran-b.local (192.168.101.254): 56 data bytes
64 bytes from 192.168.101.254: icmp_seq=0 ttl=64 time=1.613 ms
bash-3.2# ping routerab.ran-ab.local
PING routerab.ran-ab.local (192.168.112.254): 56 data bytes
64 bytes from 192.168.112.254: icmp_seq=0 ttl=64 time=85.392 ms
bash-3.2# ping www.google.de
PING www.l.google.com (74.125.39.147): 56 data bytes
64 bytes from 74.125.39.147: icmp_seq=0 ttl=247 time=55.385 ms
I use "ping" to test this, as e.g. "nslookup" seems to parse resolv.conf, not using the dictionary listed by scutil:
Code:
bash-3.2# nslookup www.google.de
Server: 192.168.112.254
Address: 192.168.112.254#53
Non-authoritative answer:
www.google.de canonical name = www.google.com.
www.google.com canonical name = www.l.google.com.
Name: www.l.google.com
Address: 74.125.39.103
Name: www.l.google.com
Address: 74.125.39.104
Name: www.l.google.com
Address: 74.125.39.99
Name: www.l.google.com
Address: 74.125.39.147
This is the first issue. This is not what I want. I'd like the internet domains to still be resolved by the DNS of the LAN/WLAN (192.168.101.254), and not by the one in the VPN. I think the best way would be to leave resolv.conf unchanged when connecting to/disconnecting from a VPN.
Unfortunately, I do not know how to find out which name server was used to resolve internet addresses (e.g. "www.google.de") using "ping". As I said before, nslookup seems to walk through resolv.conf, while "ping", Safari or Finder seem to use the dictionary listed by scutil.
Okay. Now I try to connect to two VPNs at the same time. But first I test the other VPN alone.
Disconnecting from "RAN-AB" restores the old DNS settings. Now connecting to RAN-BLK, I get the following settings:
Code:
bash-3.2# cat /etc/resolv.conf
domain ran-b.local
# nameserver 192.168.101.254
# begin tun0 OpenVPN tunnel modifications
nameserver 192.168.35.1
search ran-blk.local
# end tun0 OpenVPN tunnel modifications
Code:
bash-3.2# scutil --dns
DNS configuration
resolver #1
domain : ran-b.local
search domain[0] : ran-blk.local
search domain[1] : ran-b.local
nameserver[0] : 192.168.101.254
order : 200000
resolver #2
domain : ran-b.local
nameserver[0] : 192.168.101.254
order : 200000
resolver #3
domain : ran-blk.local
nameserver[0] : 192.168.35.1
order : 101200
Also in this configuration, I can perfectly resolve hostnames from both LANs:
Code:
bash-3.2# ping routerb.ran-b.local
PING routerb.ran-b.local (192.168.101.254): 56 data bytes
64 bytes from 192.168.101.254: icmp_seq=0 ttl=64 time=1.257 ms
bash-3.2# ping arcserv2.ran-blk.local
PING arcserv2.ran-blk.local (192.168.35.12): 56 data bytes
64 bytes from 192.168.35.12: icmp_seq=0 ttl=62 time=73.343 ms
bash-3.2# ping www.google.de
PING www.l.google.com (74.125.39.103): 56 data bytes
64 bytes from 74.125.39.103: icmp_seq=0 ttl=247 time=52.329 ms
Now, I connect to RAN-AB, without disconnecting RAN-BLK. At this time I would be connected to two VPNs at the same time:
Code:
bash-3.2# cat /etc/resolv.conf
domain ran-b.local
# nameserver 192.168.101.254
# begin tun0 OpenVPN tunnel modifications
# nameserver 192.168.35.1
# search ran-blk.local
# end tun0 OpenVPN tunnel modifications
# begin tun1 OpenVPN tunnel modifications
nameserver 192.168.112.254
search ran-ab.local ran-blk.local
# end tun1 OpenVPN tunnel modifications
Code:
bash-3.2# scutil --dns
DNS configuration
resolver #1
domain : ran-b.local
search domain[0] : ran-blk.local
search domain[1] : ran-ab.local
search domain[2] : ran-b.local
nameserver[0] : 192.168.101.254
order : 200000
resolver #2
domain : ran-b.local
nameserver[0] : 192.168.101.254
order : 200000
resolver #3
domain : ran-blk.local
nameserver[0] : 192.168.35.1
order : 101400
resolver #4
domain : ran-ab.local
nameserver[0] : 192.168.112.254
order : 101600
Now, I can resolve hosts of all nets: ran-b.local, ran-ab.local, ran-blk.local and internet hosts.
Code:
bash-3.2# ping routerb.ran-b.local
PING routerb.ran-b.local (192.168.101.254): 56 data bytes
64 bytes from 192.168.101.254: icmp_seq=0 ttl=64 time=1.162 ms
bash-3.2# ping routerab.ran-ab.local
PING routerab.ran-ab.local (192.168.112.254): 56 data bytes
64 bytes from 192.168.112.254: icmp_seq=0 ttl=64 time=86.973 ms
bash-3.2# ping arcserv2.ran-blk.local
PING arcserv2.ran-blk.local (192.168.35.12): 56 data bytes
64 bytes from 192.168.35.12: icmp_seq=0 ttl=62 time=75.141 ms
bash-3.2# ping www.google.de
PING www.l.google.com (74.125.43.99): 56 data bytes
64 bytes from 74.125.43.99: icmp_seq=0 ttl=246 time=62.248 ms
But again, I do not know if internet names are resolved using 192.168.101.254. I would like to ensure that.
When I now disconnect from RAN-AB, my resolv.conf gets corrupted:
Code:
bash-3.2# cat /etc/resolv.conf
domain ran-b.local
nameserver 192.168.101.254
begin tun0 OpenVPN tunnel modifications
nameserver 192.168.35.1
search ran-blk.local
end tun0 OpenVPN tunnel modifications
Code:
bash-3.2# scutil --dns
DNS configuration
resolver #1
domain : ran-b.local
search domain[0] : ran-blk.local
search domain[1] : ran-b.local
nameserver[0] : 192.168.101.254
order : 200000
resolver #2
domain : ran-b.local
nameserver[0] : 192.168.101.254
order : 200000
resolver #3
domain : ran-blk.local
nameserver[0] : 192.168.35.1
order : 101200
I repaired it manually and then I disconnected from RAN-BLK.
So there are three issues:
- resolv.conf gets corrupted during disconnect when two VPNs were connected
- I think in my use case it would be better not to change resolv.conf on connect/disconnect. How is this possible? Or is there a better way?
- How can I ensure that lookups for internet domains are not done via VPN?
Cheers,
Holger
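One way to check the third question above, whether a name such as www.google.de still goes to the LAN server 192.168.101.254 while the VPN domains go to their own servers, is to read the scutil --dns output rather than resolv.conf. The following is an added example, not code from the post or from Viscosity: it parses the scutil --dns output posted above into resolvers and picks one per query name under a simplified selection model, which is an assumption stated in the code, not Apple's documented algorithm.

```python
import re

# Constructed from the scutil --dns output posted above (both VPNs up; resolver #2, a duplicate of #1, omitted).
SCUTIL_DNS = """\
resolver #1
domain : ran-b.local
search domain[0] : ran-blk.local
search domain[1] : ran-ab.local
search domain[2] : ran-b.local
nameserver[0] : 192.168.101.254
order : 200000
resolver #3
domain : ran-blk.local
nameserver[0] : 192.168.35.1
order : 101400
resolver #4
domain : ran-ab.local
nameserver[0] : 192.168.112.254
order : 101600
"""

def parse_scutil_dns(text):
    """Parse `scutil --dns` output into dicts with id, domain, nameservers, order."""
    resolvers = []
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"resolver #(\d+)", line)
        if m:
            resolvers.append({"id": int(m.group(1)), "domain": None,
                              "nameservers": [], "order": None})
        elif resolvers and ":" in line:
            key, _, value = (s.strip() for s in line.partition(":"))
            if key == "domain":
                resolvers[-1]["domain"] = value.lower().rstrip(".")
            elif key.startswith("nameserver"):  # nameserver[0], nameserver[1], ...
                resolvers[-1]["nameservers"].append(value)
            elif key == "order":
                resolvers[-1]["order"] = int(value)
    return resolvers

def pick_resolver(resolvers, name):
    """Simplified model (an assumption, not Apple's documented algorithm): the
    longest matching supplemental domain wins, ties go to the lowest order,
    and a name matching no supplemental resolver goes to resolver #1."""
    name = name.lower().rstrip(".")
    matches = [r for r in resolvers[1:] if r["domain"] and
               (name == r["domain"] or name.endswith("." + r["domain"]))]
    if not matches:
        return resolvers[0]
    return min(matches, key=lambda r: (-len(r["domain"]), r["order"]))
```

Under this model www.google.de has no matching supplemental domain and falls to resolver #1 (192.168.101.254), while a host in ran-blk.local goes to 192.168.35.1; running the parser on live `scutil --dns` output lets you confirm the same after each connect or disconnect.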