DNS resolution order on Mac/Viscosity


henrikk

Posts: 14
Joined: Wed Apr 03, 2013 6:18 am

Post by henrikk » Mon Apr 29, 2013 1:06 pm
I am having an OpenVPN/Viscosity configuration issue with DNS I am not able to resolve. Maybe there is a simple solution. Here is the problem. I connect to my local network and the router, running Dnsmasq, forwards the DNS requests to OpenDNS servers. Pretty standard setup. In my case, however, the router Dnsmasq also resolves local domain hostnames. So when I access
    ping mach1.local
    ping mach2.local
this resolves to hosts inside my .local network. Non-.local hosts get forwarded to the OpenDNS servers.

When I connect to an OpenVPN server (which I control) using Viscosity (tun/udp), the server is configured to force all traffic through the OpenVPN server and pushes out these options:
    push "redirect-gateway def1"
    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.220.220"
When Viscosity (1.4.4b5) connects, the options are received and it works in the sense that traffic gets routed through the VPN server. On the Viscosity client I:
    Apply DNS settings simultaneously
    Enable DNS support (nothing in the DNS servers and DOMAINS text boxes)
    Send all traffic over VPN is *not* checked
I have to check "Enable DNS support" even though I push this option out on the server. Still, it works and DNS resolves as follows:
    DNS configuration (for scoped queries)

    resolver #1
      search domain[0] : local
      nameserver[0] : 192.168.9.1
      if_index : 4 (en0)
      flags    : Scoped
      reach    : Reachable,Directly Reachable Address

    resolver #2
      search domain[0] : tun0.viscosity
      nameserver[0] : 208.67.222.222
      nameserver[1] : 208.67.220.220
      if_index : 6 (tun0)
      flags    : Scoped
      reach    : Reachable,Transient Connection
Here then is my problem. Everything works except I have a DNS leak I do not know how to fix. All my DNS queries are routed to the local router which then forwards the DNS queries to the OpenDNS server outside the VPN tunnel I created. DNS queries are not routed through the tunnel.

I realize I cannot "Apply DNS settings simultaneously", in which case the local DNS would not be consulted, but then my .local DNS resolution fails. In a similar spirit, I can set the DNS servers on my Mac network panel to the OpenDNS DNS servers and this would route all requests to the tunnel and bypass the local router, but in that case I also do not have .local name resolution. I want all DNS requests that are not .local to go to the VPN tunnel. How do I do this? I think if I could switch the order of the DNS servers (that is, make resolver #2 first on the list of consulted DNS servers) then (maybe?) this would solve the problem. I am not sure, because I do not know how to force the order of the DNS servers so I cannot test this.

Any solutions to this issue? I am hoping there is something simple I missed.

- Henrik

James

Posts: 1985
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Wed May 01, 2013 6:55 am
Hi Henrik,

The simultaneous option works using search domains: i.e. you can enter domains to be associated with the VPN connection. Whenever one of these (or a subdomain) is accessed, the VPN's DNS server/s will be used.

It sounds like you're trying to do the opposite: you want everything to go through the VPN connection, except for local domains. You could try turning off Viscosity's simultaneous DNS option and adding .local as a search domain to Mac OS X's network settings for your local network, but I think Mac OS X will still likely ignore this (or Viscosity will overwrite it). You'll most likely need to make use of Mac OS X's /etc/resolver/ directory to send requests for .local domains to your local DNS server. The following webpages have some information on how to do this:
http://hints.macworld.com/article.php?s ... 2902195410
http://apple.stackexchange.com/question ... resolution

Cheers,
James
James Bekkema
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs
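The per-domain resolver file James points at, as an added example that is not code from the thread, from Viscosity, or from the linked pages. It writes a file under /etc/resolver/ named after the domain, which macOS consults for lookups in that domain only (see resolver(5)); every other lookup keeps following the system resolver list, which is the VPN-pushed OpenDNS pair once Viscosity is connected. The domain "local" and the router address 192.168.9.1 are taken from Henrik's scutil output; the RESOLVER_DIR override and the two helper function names are this example's own, so it can be exercised in a scratch directory without root.

```shell
#!/bin/sh
# Added example: send lookups under one domain to a chosen nameserver via
# macOS's /etc/resolver/ mechanism, leaving all other DNS on the system
# resolver list (the VPN servers while the tunnel is up).
#
# Assumptions: domain "local" and router 192.168.9.1 (from the thread's
# scutil output). RESOLVER_DIR is overridable so the functions can be
# exercised as an unprivileged user; on a real Mac it stays /etc/resolver.

RESOLVER_DIR="${RESOLVER_DIR:-/etc/resolver}"

# write_resolver DOMAIN NAMESERVER
# Writes $RESOLVER_DIR/DOMAIN containing a single "nameserver" line, the
# minimal resolver(5) file. Rejects an empty domain, one starting with ".",
# or one containing "/" so the path cannot escape RESOLVER_DIR, and only
# accepts a dotted-quad nameserver.
write_resolver() {
    domain="$1"
    nameserver="$2"
    case "$domain" in
        ''|*/*|.*) echo "write_resolver: bad domain '$domain'" >&2; return 1 ;;
    esac
    case "$nameserver" in
        ''|*[!0-9.]*) echo "write_resolver: bad nameserver '$nameserver'" >&2; return 1 ;;
    esac
    mkdir -p "$RESOLVER_DIR" || return 1
    printf 'nameserver %s\n' "$nameserver" > "$RESOLVER_DIR/$domain"
}

# resolver_nameserver DOMAIN
# Prints the nameserver recorded for DOMAIN; fails if no entry exists.
resolver_nameserver() {
    f="$RESOLVER_DIR/$1"
    [ -f "$f" ] || return 1
    awk '$1 == "nameserver" { print $2; exit }' "$f"
}

# On the Mac itself (root is needed because /etc/resolver is root-owned):
#   sudo sh this_script.sh install
if [ "${1:-}" = "install" ]; then
    write_resolver local 192.168.9.1
    # scutil --dns lists /etc/resolver entries next to the scoped resolvers,
    # so the new "local" resolver should appear here with 192.168.9.1.
    scutil --dns
fi
```

Two checks are worth doing afterwards. Test name resolution with something that goes through the system resolver, for example `dscacheutil -q host -a name mach1.local`; `dig` and `nslookup` talk to a server directly and ignore /etc/resolver, so they will not show the effect. Then, with the tunnel up, run `sudo tcpdump -n -i en0 udp port 53` and browse a few non-.local names: no packets should appear on the physical interface, which is the leak Henrik describes. Note also that macOS reserves .local for Bonjour (multicast DNS), so that domain gets special treatment from mDNSResponder; a private zone under a non-.local name avoids that interaction entirely.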

henrikk

Posts: 14
Joined: Wed Apr 03, 2013 6:18 am

Post by henrikk » Thu May 02, 2013 12:24 am
Thank you James for your reply and those links. They will get me started.

- Henrik