DNS priority / corrupted resolv.conf


holgerhom

Posts: 1
Joined: Tue Jan 13, 2009 4:27 am

Post by holgerhom » Tue Jan 13, 2009 8:51 am
Hi,

first of all: Thank you, the authors of Viscosity, for that nice tool. I really like its coloured icons in the upper right corner. :)

I'm evaluating Viscosity, having some trouble with the DNS settings. Viscosity 1.0.2 even destroys my resolv.conf (on Mac OS X 10.5.5).

My issues are:

  • resolv.conf gets corrupted during disconnect when two VPNs were connected
  • I think in my use case it would be better not to change resolv.conf on connect/disconnect. How is this possible? Or is there a better way?
  • How can I ensure that only lookups for the VPN-domain are done using the VPN-DNS?

On startup, I am connected with my computer via WLAN to a local network with internet connection. The initial settings (without VPN) on my MacBook Pro are:
bash-3.2# cat /etc/resolv.conf
domain ran-b.local
nameserver 192.168.101.254
bash-3.2# scutil --dns
DNS configuration

resolver #1
  domain : ran-b.local
  nameserver[0] : 192.168.101.254
  order   : 200000

resolver #2
  domain : ran-b.local
  nameserver[0] : 192.168.101.254
  order   : 200000
So my LAN configuration is: DNS 192.168.101.254 for Domain ran-b.local and for all internet domains

Now, I want to connect to several VPNs in tun mode, while each VPN gives me access to a certain LAN.

Configuration "RAN-AB": DNS 192.168.112.254 for Domain ran-ab.local
Configuration "RAN-BLK": DNS 192.168.35.12 for Domain ran-blk.local
For all other domains, still the DNS 192.168.101.254 of my WLAN/LAN should be used.

For this application, I figured out that "Use alternate DNS support" is more what I want.

When I connect to "RAN-AB", my configuration changes to this:
bash-3.2# cat /etc/resolv.conf 
domain ran-b.local
# nameserver 192.168.101.254

# begin tun0 OpenVPN tunnel modifications
nameserver 192.168.112.254
search ran-ab.local
# end tun0 OpenVPN tunnel modifications
bash-3.2# scutil --dns
DNS configuration

resolver #1
  domain : ran-b.local
  search domain[0] : ran-ab.local
  search domain[1] : ran-b.local
  nameserver[0] : 192.168.101.254
  order   : 200000

resolver #2
  domain : ran-b.local
  nameserver[0] : 192.168.101.254
  order   : 200000

resolver #3
  domain : ran-ab.local
  nameserver[0] : 192.168.112.254
  order   : 101200
Now, I can resolve hostnames on my local network "ran-b.local", hostnames from the VPN network "ran-ab.local" and finally internet domains:
bash-3.2# ping routerb.ran-b.local
PING routerb.ran-b.local (192.168.101.254): 56 data bytes
64 bytes from 192.168.101.254: icmp_seq=0 ttl=64 time=1.613 ms
bash-3.2# ping routerab.ran-ab.local
PING routerab.ran-ab.local (192.168.112.254): 56 data bytes
64 bytes from 192.168.112.254: icmp_seq=0 ttl=64 time=85.392 ms
bash-3.2# ping www.google.de
PING www.l.google.com (74.125.39.147): 56 data bytes
64 bytes from 74.125.39.147: icmp_seq=0 ttl=247 time=55.385 ms
I use "ping" to test this, as e.g. "nslookup" seems to parse resolv.conf, not using the dictionary listed by scutil:
bash-3.2# nslookup www.google.de
Server:		192.168.112.254
Address:	192.168.112.254#53

Non-authoritative answer:
www.google.de	canonical name = www.google.com.
www.google.com	canonical name = www.l.google.com.
Name:	www.l.google.com
Address: 74.125.39.103
Name:	www.l.google.com
Address: 74.125.39.104
Name:	www.l.google.com
Address: 74.125.39.99
Name:	www.l.google.com
Address: 74.125.39.147
This is the first issue. This is not what I want. I'd like the internet domains still being resolved by the DNS of the LAN/WLAN (192.168.101.254), and not by the one in the VPN. I think the best way would be to leave resolv.conf unchanged when connecting to/disconnecting from a VPN.

Unfortunately, I do not know how to find out which name server was used to resolve internet addresses (e.g. "www.google.de") using "ping". As I said before, nslookup seems to walk through resolv.conf, while "ping", Safari or Finder seem to use the dictionary listed by scutil.

Okay. Now I try to connect to two VPNs at the same time. But first I test the other VPN alone.
Disconnecting from "RAN-AB" restores the old DNS settings. Now connecting to RAN-BLK, I get the following settings:
bash-3.2# cat /etc/resolv.conf 
domain ran-b.local
# nameserver 192.168.101.254
# begin tun0 OpenVPN tunnel modifications
nameserver 192.168.35.1
search ran-blk.local
# end tun0 OpenVPN tunnel modifications
bash-3.2# scutil --dns
DNS configuration

resolver #1
  domain : ran-b.local
  search domain[0] : ran-blk.local
  search domain[1] : ran-b.local
  nameserver[0] : 192.168.101.254
  order   : 200000

resolver #2
  domain : ran-b.local
  nameserver[0] : 192.168.101.254
  order   : 200000

resolver #3
  domain : ran-blk.local
  nameserver[0] : 192.168.35.1
  order   : 101200
Also in this configuration, I can perfectly resolve hostnames from both LANs:
bash-3.2# ping routerb.ran-b.local
PING routerb.ran-b.local (192.168.101.254): 56 data bytes
64 bytes from 192.168.101.254: icmp_seq=0 ttl=64 time=1.257 ms
bash-3.2# ping arcserv2.ran-blk.local
PING arcserv2.ran-blk.local (192.168.35.12): 56 data bytes
64 bytes from 192.168.35.12: icmp_seq=0 ttl=62 time=73.343 ms
bash-3.2# ping www.google.de
PING www.l.google.com (74.125.39.103): 56 data bytes
64 bytes from 74.125.39.103: icmp_seq=0 ttl=247 time=52.329 ms
Now, I connect to RAN-AB, without disconnecting RAN-BLK. At this time I would be connected to two VPNs at the same time:
bash-3.2# cat /etc/resolv.conf 
domain ran-b.local
# nameserver 192.168.101.254
# begin tun0 OpenVPN tunnel modifications
# nameserver 192.168.35.1
# search ran-blk.local
# end tun0 OpenVPN tunnel modifications

# begin tun1 OpenVPN tunnel modifications
nameserver 192.168.112.254
search ran-ab.local ran-blk.local
# end tun1 OpenVPN tunnel modifications
bash-3.2# scutil --dns
DNS configuration

resolver #1
  domain : ran-b.local
  search domain[0] : ran-blk.local
  search domain[1] : ran-ab.local
  search domain[2] : ran-b.local
  nameserver[0] : 192.168.101.254
  order   : 200000

resolver #2
  domain : ran-b.local
  nameserver[0] : 192.168.101.254
  order   : 200000

resolver #3
  domain : ran-blk.local
  nameserver[0] : 192.168.35.1
  order   : 101400

resolver #4
  domain : ran-ab.local
  nameserver[0] : 192.168.112.254
  order   : 101600
Now, I can resolve hosts of all nets: ran-b.local, ran-ab.local, ran-blk.local and internet hosts.
bash-3.2# ping routerb.ran-b.local
PING routerb.ran-b.local (192.168.101.254): 56 data bytes
64 bytes from 192.168.101.254: icmp_seq=0 ttl=64 time=1.162 ms
bash-3.2# ping routerab.ran-ab.local
PING routerab.ran-ab.local (192.168.112.254): 56 data bytes
64 bytes from 192.168.112.254: icmp_seq=0 ttl=64 time=86.973 ms
bash-3.2# ping arcserv2.ran-blk.local
PING arcserv2.ran-blk.local (192.168.35.12): 56 data bytes
64 bytes from 192.168.35.12: icmp_seq=0 ttl=62 time=75.141 ms
bash-3.2# ping www.google.de
PING www.l.google.com (74.125.43.99): 56 data bytes
64 bytes from 74.125.43.99: icmp_seq=0 ttl=246 time=62.248 ms
But again, I do not know if internet names are resolved using 192.168.101.254. I would like to ensure that.

When I now disconnect from RAN-AB, my resolv.conf gets corrupted:
bash-3.2# cat /etc/resolv.conf 
domain ran-b.local
nameserver 192.168.101.254
begin tun0 OpenVPN tunnel modifications
nameserver 192.168.35.1
search ran-blk.local
end tun0 OpenVPN tunnel modifications
bash-3.2# scutil --dns
DNS configuration

resolver #1
  domain : ran-b.local
  search domain[0] : ran-blk.local
  search domain[1] : ran-b.local
  nameserver[0] : 192.168.101.254
  order   : 200000

resolver #2
  domain : ran-b.local
  nameserver[0] : 192.168.101.254
  order   : 200000

resolver #3
  domain : ran-blk.local
  nameserver[0] : 192.168.35.1
  order   : 101200
I repaired it manually and then I disconnected from RAN-BLK.

So there are three issues:

  • resolv.conf gets corrupted during disconnect when two VPNs were connected
  • I think in my use case it would be better not to change resolv.conf on connect/disconnect. How is this possible? Or is there a better way?
  • How can I ensure that lookups for internet domains are not done via VPN?



Cheers,

Holger
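To answer the "which name server actually answers this lookup" question raised above, here is an added example (not part of the original post and not Viscosity code) that parses the `scutil --dns` output shown in the post and applies a simplified, assumed model of how macOS picks a supplemental resolver: a resolver whose domain is a suffix of the query name wins over the default resolver, longest domain first, then lowest order value.

```python
import re

# Constructed sample: `scutil --dns` as shown in the post while the RAN-AB VPN
# is up (resolver #2 omitted; it duplicates the default resolver).
SCUTIL_OUTPUT = """DNS configuration

resolver #1
  domain : ran-b.local
  search domain[0] : ran-ab.local
  search domain[1] : ran-b.local
  nameserver[0] : 192.168.101.254
  order   : 200000

resolver #3
  domain : ran-ab.local
  nameserver[0] : 192.168.112.254
  order   : 101200
"""

def parse_scutil(text):
    """Turn scutil --dns output into [{'id', 'domain', 'nameservers', 'order'}]."""
    resolvers = []
    for block in re.split(r"\n(?=resolver #)", text):
        m = re.match(r"resolver #(\d+)", block)
        if not m:
            continue                      # the "DNS configuration" header
        r = {"id": int(m.group(1)), "domain": None, "nameservers": [], "order": 0}
        for line in block.splitlines()[1:]:
            key, _, value = (s.strip() for s in line.partition(":"))
            if key == "domain":
                r["domain"] = value.lower()
            elif key.startswith("nameserver["):
                r["nameservers"].append(value)
            elif key == "order":
                r["order"] = int(value)
        resolvers.append(r)
    return resolvers

def pick_resolver(resolvers, name):
    """Assumed model, not Apple's code: first resolver is the default; a later
    resolver whose domain is a label-aligned suffix of the query wins."""
    name = name.lower().rstrip(".")
    matches = [r for r in resolvers[1:] if r["domain"]
               and (name == r["domain"] or name.endswith("." + r["domain"]))]
    if matches:
        return min(matches, key=lambda r: (-len(r["domain"]), r["order"]))
    return resolvers[0]

def nameserver_for(text, name):
    return pick_resolver(parse_scutil(text), name)["nameservers"][0]
```

Under this model an internet name such as www.google.de falls through to the default resolver (192.168.101.254), which is what the poster wants to verify; the real check is whether the running resolver agrees, e.g. by watching port 53 traffic on the VPN interface during a lookup.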

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Jan 16, 2009 12:40 am
Hi Holger,

Thanks for the detailed post.

> I think in my use case it would be better not to change resolv.conf on connect/disconnect. How is this possible?

Doing so is generally fine - almost all applications no longer rely on resolv.conf for DNS resolution. Viscosity doesn't provide an explicit option to turn this off, however you're welcome to edit Viscosity's DNS scripts. The DNS scripts have been included in raw source form so they can be edited if need be, and can be found inside the Viscosity application (right click and select Show Package Contents) at: Viscosity.app/Contents/Resources/dns*.py

The resolve file modification code is the latter part of the up/down scripts, which can be removed, however it does require some understanding to edit. If you need to, feel free to send an email to [email protected] and we can send you a modified version.

> How can I ensure that only lookups for the VPN-domain are done using the VPN-DNS?

Viscosity doesn't provide an explicit method to toggle between using VPN associated DNS servers for everything, or just for VPN-domain name lookups - yet. You're on the right track turning on the "Use alternate DNS support" option: supplemental domain matching is the approach to use. However at this stage the alternate DNS support still overrides the normal DNS server with the VPN DNS server.

Once again, you can achieve what you want by modifying the alt DNS scripts to add the DNS servers to the VPN tun/tap interface, rather than overriding the DNS servers on the default wired/wireless network interface. Once again, if you'd like us to do this for you, send an email to [email protected] and we'll see what we can come up with for you.

Viscosity 1.1 will have significantly more control over DNS settings, and will most certainly be able to achieve all that you require above. However in the meantime the only way to have advanced control over the DNS settings is to modify Viscosity's DNS support scripts.

Regards
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
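James points at the up/down scripts as the place to change. As an added example (not Viscosity's script and not from either poster), this shows the bookkeeping a disconnect step has to get right when two tunnels are stacked, using the two-tunnel resolv.conf from the first post: drop one interface's block, re-activate the newest remaining block, keep the original nameserver commented while any tunnel is still up, and never strip the "#" from the begin/end markers, which is exactly the corruption the first post shows.

```python
import re

# Constructed sample: the two-tunnel resolv.conf from the first post.
TWO_TUNNELS = """domain ran-b.local
# nameserver 192.168.101.254
# begin tun0 OpenVPN tunnel modifications
# nameserver 192.168.35.1
# search ran-blk.local
# end tun0 OpenVPN tunnel modifications

# begin tun1 OpenVPN tunnel modifications
nameserver 192.168.112.254
search ran-ab.local ran-blk.local
# end tun1 OpenVPN tunnel modifications
"""

MARKER = re.compile(r"^# (begin|end) (\S+) OpenVPN tunnel modifications$")

def split_resolv(text):
    """Return (base lines, [(interface, block lines), ...]); markers and blanks are dropped."""
    base, blocks, cur = [], [], None
    for line in text.splitlines():
        m = MARKER.match(line)
        if m and m.group(1) == "begin":
            cur = (m.group(2), [])
        elif m and cur:                      # the matching "end" marker
            blocks.append(cur)
            cur = None
        elif cur is not None:
            cur[1].append(line)
        elif line.strip():
            base.append(line)
    return base, blocks

def uncomment(line):
    return line[2:] if line.startswith("# ") else line

def remove_tunnel(text, ifname):
    """Drop ifname's block; newest remaining block is active, older ones stay commented."""
    base, blocks = split_resolv(text)
    blocks = [b for b in blocks if b[0] != ifname]
    out = []
    for plain in map(uncomment, base):      # assumes base comments are script-made
        hide = blocks and plain.startswith(("nameserver", "search"))
        out.append("# " + plain if hide else plain)
    for i, (name, lines) in enumerate(blocks):
        active = i == len(blocks) - 1
        out += ["", f"# begin {name} OpenVPN tunnel modifications"]
        out += [uncomment(l) if active else "# " + uncomment(l) for l in lines]
        out.append(f"# end {name} OpenVPN tunnel modifications")
    return "\n".join(out) + "\n"
```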