dlenski / vpn-slice

vpnc-script replacement for easy and secure split-tunnel VPN setup
GNU General Public License v3.0
726 stars 87 forks

DNS servers not used for name resolution (question) #37

Open jonathannaguin opened 4 years ago

jonathannaguin commented 4 years ago

Hello,

Is there any reason why the VPN Slice script wouldn't add the VPN DNS servers to the host for name resolution? At the moment, the DNS servers are only added to the /etc/hosts file and used for resolving only the domains provided as parameters. Although this generally works, I found some apps that ignore the /etc/hosts and fail when resolving internal DNS records. Modifying my resolv.conf fixes the issue but I would like to understand if this is something the script itself could do at start up time.

Thanks, Jonathan

dlenski commented 4 years ago

Is there any reason why the VPN Slice script wouldn't add the VPN DNS servers to the host for name resolution?

I think the rationale in the README explains it: https://github.com/dlenski/vpn-slice#introduction

If you are okay with any/all lookups going through your VPN's internal DNS servers, then you may not want to use vpn-slice at all. :man_shrugging:

A “fancier” vpn-slice would be possible (see https://github.com/dlenski/vpn-slice/issues?q=is%3Aissue+label%3Afancy-split-DNS).

This “fancier” version would support something like a --use-dns-only-for-own-domains option, in which dnsmasq or systemd-resolved is used to direct DNS queries to the VPN's servers only for its own domains. Without further integration, this fancier version would not play nicely with NetworkManager, which tries to do something similar, and I haven't needed it myself.

A well-thought-out proposal and patches for how to implement this would be welcome. :)

Although this generally works, I found some apps that ignore the /etc/hosts and fail when resolving internal DNS records.

Hmm… really? What apps, and what OS? I've used vpn-slice in this configuration for several years on a couple different Linux distros, without issues. These programs must not be using the standard POSIXy gethostby* calls, which do follow /etc/hosts.

jonathannaguin commented 4 years ago

I still see value in using vpn-slice even if I send all DNS queries through the VPN connection, as most of the normal traffic will go out directly. Also, the OS will cache those queries, which would help in avoiding hammering the VPN too much with DNS queries.

I was thinking of having a simple flag added to vpn-slice that, if enabled, would point the machine to the VPN DNS servers, globally. It's not that "fancy" DNS feature, but it's really simple and does not require any third-party components like dnsmasq.

The app I was testing was NoMAD, for Mac, and, to be honest, after using this script for weeks, it's the only app that didn't like /etc/hosts.

dlenski commented 4 years ago

I was thinking of having a simple flag added to vpn-slice that, if enabled, would point the machine to the VPN DNS servers, globally. It's not that "fancy" DNS feature, but it's really simple and does not require any third-party components like dnsmasq.

Yeah. That's reasonable. Unfortunately, even just a --use-vpn-dns-servers=globally would require different implementation on different OSes.

We'd need to pull in some of the OS-specific DNS-handling code from the “standard” vpnc-script (https://gitlab.com/openconnect/vpnc-scripts/-/blob/master/vpnc-script#L480-765) and create some sort of new DNSConfigProvider?

Want to take a crack at a pull-request to design, and implement it at least for macOS?

The app I was testing was NoMAD, for Mac, and, to be honest, after using this script for weeks, it's the only app that didn't like /etc/hosts.

Ah, that's quite an interesting case :ok_hand:. As I understand it, Windows/AD have done name resolution in a whole bunch of ridiculous/confusing/inconsistent/proprietary/undocumented ways. I don't know anything about NoMAD, but I wouldn't be surprised if it implements its own name resolution to try to mimic the behavior of Windows here.

jonathannaguin commented 4 years ago

Sure, will try to create a PR for this.

Thanks!

luzik commented 4 years ago

Love an idea to use vpn DNS only for specified domain

rymek commented 4 years ago

Resurrecting this a bit.

Would it be possible though to add a variable to use a specified DNS server? I've set up an unbound DNS server for split-horizon DNS lookups and defined my zones there, but every time I'm connecting with openconnect + vpn-slice I have to manually adjust the DNSes (I mean not manually, I've set up locations on macOS so it's quite a fast switch), but it would be nice if there was an option like --use-dns=<> to provide a DNS server (possibly a list) to use when connecting.

dlenski commented 4 years ago

Would it be possible though to add a variable to use specified DNS server?

Patches welcome. :+1:

They'd need to capture most of the complex, messy, platform-variant behavior of the DNS updates from https://gitlab.com/openconnect/vpnc-scripts/blob/master/vpnc-script

rymek commented 4 years ago

If only I knew python .... ;)

mschilli87 commented 4 years ago

@rymek:

If only I knew python

Python is a language with a low entrance hurdle. So the biggest issue is to find some motivation to give it a try. You have that now. Try to read through the code, look for where DNS lookups are done (ask @dlenski for confirmation if you think you found it or for direction if you can't find it - but make an effort first), read the documentation of the corresponding library/tool used for the lookup and give it a shot. Start with your platform only, make it work for you. There is no need to get a patch that works for everyone and is polished enough to make it into vpn-slice. You can simply keep your own fork where you regularly pull from the upstream repository and only apply your little patch on top. Others might chime in and add solutions for their platforms; probably your code will help them. Or maybe you end up having so much fun with this that you go down the rabbit hole and solve the whole thing. Just don't put any pressure on yourself, but give it a try before you decide to give up. :wink:

dlenski commented 4 years ago

Well put, @mschilli87 … that's basically how this whole project started in the first place. :+1: :+1:

onehalf3570 commented 3 years ago

If you are okay with any/all lookups going through your VPN's internal DNS servers, then you may not want to use vpn-slice at all. :man_shrugging:

Actually, having lookups go through VPN DNS servers, but having all the outside traffic go via the ISP connection is a good workaround until fancy-split-DNS is implemented.

But as I understand, there is no resolvconf support at the moment (or any other way of modifying resolv.conf), right?

I'll think about how to port the https://github.com/dlenski/vpn-slice/pull/72 solution to Linux.

The global idea is to propagate the INTERNAL_IP4_DNS value(s) together with the hand-crafted list of vpn domains (--domains-vpn-dns) to dnsmasq config, right?

onehalf3570 commented 3 years ago

Ok, so the dnsmasq and resolvconf parts turned out to be pretty straightforward:

$ cat /etc/resolvconf.conf
resolv_conf=/etc/resolv.conf
name_servers=127.0.0.1
dnsmasq_conf=/etc/dnsmasq-conf.conf
dnsmasq_resolv=/etc/dnsmasq-resolv.conf
private_interfaces="tun0"

$ cat /etc/dnsmasq.conf
resolv-file=/etc/dnsmasq-resolv.conf
interface=lo
no-dhcp-interface=lo
bind-interfaces
conf-file=/etc/dnsmasq-conf.conf

At the moment this works with manual addition of the dns[01].tun0 servers via a shell script:

#!/bin/sh
# Register the VPN resolvers and search domains for tun0 with resolvconf;
# dnsmasq picks them up through the resolvconf hook configured above.
cat <<EOF | /usr/bin/resolvconf -a tun0
search internal1.corp.com internal2.corp.com
nameserver 10.1.1.1
nameserver 10.2.2.2
EOF

So what is left is the integration of this script into vpn-slice and the propagation of the internal domains list from --domains-vpn-dns to the search-list
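The integration step described above (taking the INTERNAL_IP4_DNS servers and the --domains-vpn-dns domain list and turning them into resolver configuration), and the per-domain forwarding dlenski sketched earlier for a dnsmasq-based split-DNS mode, can both be expressed as small pure functions. The following is an added example written for this discussion; it is not code from vpn-slice or from any commenter. It assumes only that INTERNAL_IP4_DNS arrives as a space-separated string (as in the vpnc-script environment the thread refers to); the function names, the sample domains and the sample server addresses are constructed placeholders. Nothing here writes to the system: it produces the text that would be piped to `resolvconf -a tun0` and the lines that would go into a dnsmasq conf file, so it can be unit-tested before any OS-specific code calls resolvconf.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample input mirroring what a vpnc-script-style hook receives.
# Addresses and domain names are placeholders, not real infrastructure.
SAMPLE_ENV: Dict[str, str] = {"INTERNAL_IP4_DNS": "10.1.1.1 10.2.2.2"}
SAMPLE_DOMAINS: List[str] = ["internal1.corp.com", "internal2.corp.com"]


def parse_dns_servers(env: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split INTERNAL_IP4_DNS into (accepted, rejected) token lists.

    Only syntactically valid IPv4 addresses are accepted, so a malformed or
    unexpected value handed to the script can never be written into
    resolv.conf or a dnsmasq config as a resolver. Rejected tokens are
    returned so the caller can log them instead of silently dropping them.
    """
    accepted: List[str] = []
    rejected: List[str] = []
    for tok in env.get("INTERNAL_IP4_DNS", "").split():
        try:
            accepted.append(str(ipaddress.IPv4Address(tok)))
        except ValueError:
            rejected.append(tok)
    return accepted, rejected


def normalize_domains(domains: Iterable[str]) -> List[str]:
    """Lower-case, strip a leading/trailing dot, drop empties and duplicates,
    preserving first-seen order so the search list is deterministic."""
    seen: List[str] = []
    for d in domains:
        d = d.strip().strip(".").lower()
        if d and d not in seen:
            seen.append(d)
    return seen


def resolvconf_stanza(domains: Iterable[str], servers: Iterable[str]) -> str:
    """Build the text to pipe into `resolvconf -a <iface>`: one `search` line
    listing the VPN domains, then one `nameserver` line per server.
    This is the generated equivalent of the hand-written heredoc above."""
    lines: List[str] = []
    doms = normalize_domains(domains)
    if doms:
        lines.append("search " + " ".join(doms))
    lines.extend(f"nameserver {s}" for s in servers)
    return "\n".join(lines) + "\n"


def dnsmasq_split_dns(domains: Iterable[str], servers: Iterable[str]) -> List[str]:
    """Build dnsmasq `server=/<domain>/<ip>` lines so that only the listed
    domains are forwarded to the VPN resolvers; every other query keeps
    following dnsmasq's default upstream (resolv-file). Each domain is
    repeated once per server so dnsmasq can fail over between them."""
    srv = list(servers)
    return [f"server=/{d}/{s}" for d in normalize_domains(domains) for s in srv]


if __name__ == "__main__":
    servers, bad = parse_dns_servers(SAMPLE_ENV)
    if bad:
        print("ignoring malformed INTERNAL_IP4_DNS entries:", bad)
    print("--- resolvconf -a tun0 input ---")
    print(resolvconf_stanza(SAMPLE_DOMAINS, servers), end="")
    print("--- dnsmasq split-DNS lines ---")
    print("\n".join(dnsmasq_split_dns(SAMPLE_DOMAINS, servers)))
```

The resolvconf stanza reproduces the global-DNS variant jonathannaguin asked for (every lookup goes to the VPN resolvers, with the VPN domains in the search list), while the `server=/domain/ip` lines are the piece a --use-dns-only-for-own-domains mode would drop into the dnsmasq conf-file so that only the VPN's own domains leave via the tunnel resolvers.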

onehalf3570 commented 3 years ago

PR with the Linux support https://github.com/dlenski/vpn-slice/pull/78