Split DNS and internal domain resolver

Got a problem with Viscosity or need help? Ask here!

nico

Posts: 1
Joined: Fri Nov 15, 2019 1:52 am

Post by nico » Fri Nov 15, 2019 2:00 am
Hi!
I'm struggling over the DNS resolution and Viscosity.

I've configured my Openvpn server as
Code: Select all
push "dhcp-option DNS 10.1.0.2"
push "dhcp-option DOMAIN internal.prd"
Where 10.1.0.2 is my internal DNS server that solves internal.prd. Viscosity is configured as Automatic mode for DNS and scutil --dns says
Code: Select all
% scutil --dns 
DNS configuration

resolver #1
  search domain[0] : internal.prd
  search domain[1] : fibertel.com.ar <-- my ISP
  nameserver[0] : 200.42.4.199 <-- my ISP's DNS server
  nameserver[1] : 200.49.130.40 <-- my ISP's DNS server
  if_index : 6 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : internal.prd
  nameserver[0] : 10.10.0.2 <-- my internal DNS server
  flags    : Supplemental, Request A records
  reach    : 0x00000002 (Reachable)
  order    : 101800
So the thing is that any host on internal.prd tries to resolve against my ISP DNS servers,
Code: Select all
% host api.k8s.internal.prd
Host api.k8s.internal.prd not found: 3(NXDOMAIN)
and dig uses the ISP DNS server as server. Running on "Full DNS" works as expected, but I'm trying to keep Split for now.


Viscosity log:
Code: Select all
2019-11-14 11:59:15: Viscosity Mac 1.8.1 (1511)
2019-11-14 11:59:15: Viscosity OpenVPN Engine Started
2019-11-14 11:59:15: Running on macOS 10.15.1
2019-11-14 11:59:15: ---------
2019-11-14 11:59:15: State changed to Connecting
2019-11-14 11:59:15: Checking reachability status of connection...
2019-11-14 11:59:15: Connection is reachable. Starting connection attempt.
2019-11-14 11:59:15: OpenVPN 2.4.7 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Sep 11 2019
2019-11-14 11:59:15: library versions: OpenSSL 1.0.2t  10 Sep 2019, LZO 2.10
2019-11-14 11:59:15: Resolving address: xxxxxxx
2019-11-14 11:59:15: Valid endpoint found: xxxxxxxx:1194:udp
2019-11-14 11:59:15: TCP/UDP: Preserving recently used remote address: [AF_INET]xxxxxxxx:1194
2019-11-14 11:59:15: UDP link local: (not bound)
2019-11-14 11:59:15: UDP link remote: [AF_INET]xxxxxxxx:1194
2019-11-14 11:59:15: State changed to Authenticating
2019-11-14 11:59:15: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2019-11-14 11:59:22: [vpnprod] Peer Connection Initiated with [AF_INET]xxxxxxxx:1194
2019-11-14 11:59:22: Opened utun device utun10
2019-11-14 11:59:22: /sbin/ifconfig utun10 delete
2019-11-14 11:59:22: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2019-11-14 11:59:22: /sbin/ifconfig utun10 10.8.0.54 10.8.0.53 mtu 1500 netmask 255.255.255.255 up
2019-11-14 11:59:22: Initialization Sequence Completed
2019-11-14 11:59:22: DNS mode set to Split
2019-11-14 11:59:22: State changed to Connected
Thanks!

James

User avatar
Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Sun Nov 17, 2019 10:11 am
Hi nico,

When testing Split DNS on macOS, please ensure you’re not using tools like nslookup, dig, and host, as these do not use macOS’s resolver system. Please see the following link for details:
https://www.sparklabs.com/support/kb/article/configuring-dns-and-wins-settings/#notes-for-linux-unix-users

With regards to the "scutil --dns" output, you need to scroll down to the "DNS configuration (for scoped queries)" section to see what domains are associated with what DNS servers.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
2 posts Page 1 of 1