Configuring DNS and WINS settings
Viscosity allows you to easily specify DNS and WINS servers, along with corresponding DNS domains, to use while connected to your VPN connection. Once you are connected these settings will automatically override your normal DNS settings. Once you disconnect your normal settings will be automatically restored.
What are DNS and WINS?
The Domain Name System (DNS) allows your computer to automatically convert human-readable domains to computer-readable IP addresses. For example, when you type www.sparklabs.com into your web browser your computer will automatically ask your DNS server to convert this to an IP address it can use. Your DNS server should return the IP address of our server, and then your computer will contact the server using the IP address. Without a DNS server, or if the DNS server can't be reached, you may be unable to browse the web or access other computers.
The Windows Internet Name Service (WINS) is similar to DNS; however, it is typically used to allow you to connect to Windows based computers, servers, and some printers using the computer's name (instead of having to use its IP address). If you can't access Windows computers on the remote VPN network by name, but you can by IP address, then you'll probably need to specify a WINS server.
DNS Modes
Viscosity has a powerful DNS system that lets you tailor your DNS configuration to your desired setup. Depending on the DNS Mode selected, you can configure Viscosity to send all DNS requests to your VPN DNS server/s, or only requests for certain domains. More information on the available DNS Modes is below:
Automatic (Default): Viscosity will automatically decide which DNS mode to use. If all traffic is being routed through the VPN connection then Full DNS mode will be used. If only some traffic will be routed over the VPN connection then Split DNS mode will be used. If no VPN DNS servers are set, DNS support for the connection will be disabled. This option is recommended for most setups and it is the default for new VPN connections.
Full DNS: Viscosity will set up your computer so your VPN DNS servers are used by default for all DNS requests. This option is recommended when all network traffic is being routed through the VPN connection, to ensure the security and privacy of your network connections.
Split DNS: Viscosity will set up your computer so your VPN DNS servers are only used for certain domains. Your computer's normal DNS server/s will be used for all other domains. For example, if you have a VPN domain of "sparklabs.com", host names ending in this domain (such as vpn.sparklabs.com) will be resolved by the VPN DNS server/s, while all other requests will be resolved by your usual DNS servers. Split DNS is recommended when remotely connecting to work or enterprise networks.
Disable: Viscosity will set up your computer so your VPN DNS settings are not used.
If you are unsure what DNS mode your VPN connection is using, the connection log can be checked.
DNS Security
If you use Viscosity to ensure your security and privacy on untrusted networks, you should make sure you are using Full DNS mode and have specified a VPN DNS server to use while connected. If you do not have a VPN DNS server specified, your computer may automatically try to use a DNS server on the network you are connected to, rather than one reached through the VPN connection. This means an attacker on that network could potentially identify which websites/servers you are contacting, or redirect you to malicious websites, even if they can't view the actual network traffic. This is known as a DNS leak.
If you'd like to specify a DNS server to use, but you don't have a DNS server on the VPN network to use, you may like to use publicly available DNS servers:
- Cloudflare: 1.1.1.1, 1.0.0.1
- Google: 8.8.8.8, 8.8.4.4
- OpenDNS: 208.67.222.222, 208.67.220.220
In most cases your VPN provider will be remotely setting a DNS server for Viscosity to use. However, if you are unsure, or are connecting to an OpenVPN server you have configured yourself, you should be aware of this issue.
Specifying DNS Servers In Viscosity
Viscosity allows you to specify DNS servers for each connection along with (optionally) corresponding DNS domains. This can be done easily like so:
- Open Viscosity's Preferences window
- Select your connection from the list and click the Edit button
- Click on the Networking tab
- Select the DNS mode to use. Automatic is the recommended mode. Please see the DNS Modes section above for more information about the available DNS modes.
- Enter your DNS server/s into the "DNS Servers" field. If you have more than one DNS server, separate each server using a space (" ") or a comma (",").
- Enter your DNS domains to use into the "Domains" field, or leave this field blank if you don't have any. Separate multiple domains with a space or comma.
- Click Save
Specifying WINS Servers In Viscosity
Viscosity also supports WINS servers. These must be set using the relevant OpenVPN command, rather than through the user interface, like so:
- Open Viscosity's Preferences window
- Select your connection from the list and click the Edit button
- Click on the Advanced tab
- Enter the following command (without quotes) on a new line in the configuration command section, replacing x.x.x.x with the IP address of your WINS server:
dhcp-option WINS x.x.x.x
- If you have multiple WINS servers, repeat the above step for each server
- Click Save
Pushing DNS Settings From The Server
It's also possible to inform Viscosity of the DNS servers, WINS servers, and domains to use from the server's end by "pushing" out the relevant "dhcp-option" commands. This has the advantage of allowing the VPN administrator to change these settings (if required) without having to manually update them in each copy of Viscosity.
Push DNS Servers
To push out DNS settings from the server, the following command can be entered into the OpenVPN configuration file. Replace x.x.x.x with the IP address of the DNS server to use. Multiple push commands can be used to push more than one DNS server.
push "dhcp-option DNS x.x.x.x"
Push DNS Domains
DNS search domains can also be pushed from the server using the following command. Replace example.com with the desired search domain to use. Multiple push commands can be used to push more than one domain.
push "dhcp-option DOMAIN example.com"
Push WINS Servers
WINS servers can be pushed out in a similar fashion to DNS servers. Replace x.x.x.x with the IP address of the WINS server to use. Multiple push commands can be used to push more than one WINS server.
push "dhcp-option WINS x.x.x.x"
Push DNS Mode
If the DNS mode in Viscosity is set to Automatic, the OpenVPN server can also push a DNS mode to use (either "full" or "split") using the following command:
push "dhcp-option DNSMODE full"
Ignore Pushed DNS Settings
In some instances you may want to ignore the DNS settings pushed by the VPN server. To enable this, tick the "Ignore DNS settings sent by VPN server" checkbox when editing your connection in Viscosity.
This option ignores any DNS Servers, Domains or WINS Servers pushed by the VPN Server to your computer. Only options you define in your configuration will be used. Enabling this option without defining any DNS Servers will leave your connection configured as if the Disable DNS mode were selected.
Pushing DNS Settings Using DHCP
Viscosity also supports DNS settings being assigned via both DHCP and DHCPv6 for TAP (bridged) connections. These can be specified via standard DHCP options, including DNS server/s (option 6 and option 23), DNS domains (option 15 and option 24), and WINS server/s (option 44).
Checking Which DNS Servers Are Being Used
The following instructions allow you to determine what DNS servers your computer is using. You can follow these instructions while your VPN connection is active to determine what DNS servers are being set (if any) by the remote VPN server, or to check that your DNS servers (and domains) are being correctly set when the VPN connection is activated.
Mac
- Open the Terminal application. This can be found at /Applications/Utilities/Terminal.app
- Enter the following command into the window that appears, and then press Return or Enter on your keyboard.
scutil --dns
- Your computer's DNS settings should be displayed (you may have to scroll upwards to view the start).
- The output will be split into two sections:
DNS configuration: This section lists your global DNS settings, with your computer's primary DNS settings listed under "resolver #1". The "nameserver" entries are your DNS servers. The DNS servers listed here will be used by default, and should match your VPN DNS servers when using Full DNS (but not when using Split DNS). All DNS search domains known to the computer will be listed here, including both local and VPN domains.
DNS configuration (for scoped queries): This section lists your computer's Split DNS settings. For each "resolver" entry there should be a DNS domain ("search domain") and the DNS server/s ("nameserver") that will be used for resolving that domain. When using Split DNS you should see an entry for each DNS domain you're using, with your VPN DNS server listed.
- Quit Terminal from the File menu when finished
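The two sections of `scutil --dns` described above can be checked automatically for the two things that matter here: that "resolver #1" in the global section lists only the VPN DNS server (Full DNS, no leak to the local network's resolver), and that the scoped section maps each VPN domain to the VPN DNS server (Split DNS). The following shell script is an added example, not part of the Viscosity documentation or software; the `scutil --dns` output it parses is a constructed sample, and the VPN server 10.8.0.1 and domain vpn.example.com are assumed values. On a real Mac, pipe the live output in instead: `scutil --dns | full_dns_ok 10.8.0.1`.

```shell
#!/bin/sh
# Added example (not from the Viscosity documentation): check `scutil --dns`
# output for a DNS leak. The sample below is constructed to resemble a Full DNS
# setup where the VPN pushed 10.8.0.1 and the search domain vpn.example.com.
SAMPLE_SCUTIL='DNS configuration

resolver #1
  search domain[0] : vpn.example.com
  nameserver[0] : 10.8.0.1
  if_index : 14 (utun3)
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : vpn.example.com
  nameserver[0] : 10.8.0.1
  if_index : 14 (utun3)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)
'

# Print the nameservers of "resolver #1" in the global (non-scoped) section.
# These are the servers macOS uses for ordinary lookups.
global_nameservers() {
    awk '
        /^DNS configuration \(for scoped queries\)/ { scoped = 1 }
        /^resolver #/ { resolver = $2 }
        !scoped && resolver == "#1" && /nameserver\[[0-9]+\]/ { print $NF }
    '
}

# Print "domain nameserver" pairs from the scoped-queries section,
# i.e. the Split DNS mappings.
scoped_mappings() {
    awk '
        /^DNS configuration \(for scoped queries\)/ { scoped = 1; next }
        !scoped { next }
        /^resolver #/ { domain = "" }
        /search domain\[0\]|^  domain/ { domain = $NF }
        /nameserver\[[0-9]+\]/ { print domain, $NF }
    '
}

# Full DNS check: returns 0 if resolver #1 has nameservers and every one of
# them is an expected VPN server given as an argument; 1 otherwise (leak).
full_dns_ok() {
    out=$(global_nameservers)
    [ -n "$out" ] || return 1
    for ns in $out; do
        found=0
        for want in "$@"; do
            [ "$ns" = "$want" ] && found=1
        done
        [ "$found" -eq 1 ] || return 1
    done
    return 0
}

# Split DNS check: returns 0 if domain $1 has a scoped resolver using server $2.
split_dns_ok() {
    scoped_mappings | grep -q "^$1 $2\$"
}

# Stand-alone run over the constructed sample.
if printf '%s' "$SAMPLE_SCUTIL" | full_dns_ok 10.8.0.1; then
    echo "Full DNS: resolver #1 only uses the VPN DNS server"
else
    echo "Full DNS: a non-VPN nameserver is in resolver #1 (possible DNS leak)"
fi
if printf '%s' "$SAMPLE_SCUTIL" | split_dns_ok vpn.example.com 10.8.0.1; then
    echo "Split DNS: vpn.example.com is scoped to the VPN DNS server"
fi
```

A failing `full_dns_ok` while Viscosity reports Full DNS mode in its log is the symptom the DNS Security section warns about: lookups are leaving via the local network's resolver rather than the tunnel.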
Windows
- Open a command prompt. This can be found by going to Start and searching for cmd
- Enter the following command into the window that appears, and then press Enter on your keyboard.
ipconfig -all
- Details for each adapter/interface on your PC are displayed. The DNS Servers field lists the DNS servers available for each adapter. This field lists both IPv4 and IPv6 DNS Servers. If your DNS Servers are listed as fd53:7061:726b:4c61:6273:5669:7344:4exx or 127.56.49.53, the Viscosity DNS system may be handling DNS for you (for example, for split DNS). Check the log for more information.
Looking Up Or Testing A Domain Name
The following instructions will allow you to manually lookup the IP address of a domain name. This is a good way to test that your DNS servers and search domain settings (if appropriate) are working correctly:
Mac
- Open the Terminal application. This can be found at /Applications/Utilities/Terminal.app
- Enter the following command into the window that appears, replacing "www.sparklabs.com" with the domain name you wish to look up. Press Return or Enter on your keyboard.
dscacheutil -q host -a name www.sparklabs.com
- If the domain was able to be resolved you should see the IP address (or addresses) listed. If the output is blank the domain name could not be resolved.
- Quit Terminal from the File menu when finished
Windows
- Open a command prompt. This can be found by going to Start and searching for cmd
- Enter the following command into the window that appears, replacing www.sparklabs.com with the domain name you wish to look up, ensuring the address ends with a period (.). Press Enter on your keyboard.
nslookup www.sparklabs.com.
- If the domain was able to be resolved you should see the IP address (or addresses) listed, plus the DNS Server which resolved the request. If the domain could not be resolved, you will see an error as to why.
Reserved Domains
The .local domain is reserved for use by mDNS (Bonjour’s Multicast Domain Name Service) and shouldn't be used as a DNS domain for a VPN connection. Attempting to use it (or any subdomains of it) as a DNS domain will break mDNS lookups, may result in DNS lookups failing, and can result in Split DNS lookups failing to use the correct DNS server.
For further information, as well as recommended alternatives to using .local, please refer to Apple's "Apple devices might not open your internal network's '.local' domain" support document.
Web Browsers With Custom DNS Settings
By default, modern web browsers, including Safari, Edge, Chrome, and Firefox, will use the DNS settings and framework of the operating system they are running on. This ensures that they will correctly use the VPN DNS settings, including when using Split DNS.
However, some web browsers, such as Chrome and Firefox, can be manually configured to ignore the computer's DNS settings and instead use their own DNS-over-HTTPS (DoH) servers. This will cause any VPN DNS settings to be ignored. This is of particular importance when trying to access internal resources on a Split DNS VPN network, which will not function correctly with such a setup.
If you're finding VPN DNS lookups are not working correctly when using Chrome or Firefox (but otherwise working from other applications), check their DNS/DoH settings and, if necessary, change them back to their default settings. In most instances this will not fully disable DoH, but rather make the browser respect the local Split DNS settings.
For more information please see the Chrome documentation or the Firefox documentation.
Notes for Linux/Unix Users
Linux/Unix users may be familiar with the resolv.conf file for configuring DNS servers; however, this file is not used by macOS. macOS instead has a powerful resolver system as part of the System Configuration framework. While a resolv.conf file is present, macOS automatically creates a simplified version based upon the resolver system's settings, for backwards compatibility with legacy Unix programs.
There are fewer than a handful of legacy Unix programs on the Mac that don't use macOS's resolver system and instead use the resolv.conf file, namely nslookup, dig, and host. Because of this, neither the resolv.conf file nor these commands will give you an accurate picture of what your Mac is doing.
Modern command line tools like "scutil" and "dscacheutil" (as illustrated in the previous sections) should be used to look up DNS records as macOS sees them.
Apple offers the following warning:
The nslookup command does not use the host name and address resolution or the DNS query routing mechanisms used by other processes running on macOS. The results of name or address queries printed by nslookup may differ from those found by other processes that use the macOS native name and address resolution mechanisms. The results of DNS queries may also differ from queries that use the macOS DNS routing library.