eduvpn / apple

app for iOS and macOS

No support for "match domains" to send queries to right resolvers #496

Open ghost opened 1 year ago

ghost commented 1 year ago

Scenario:

  1. Have a VPN that uses "split tunnel", i.e. not all traffic goes over VPN
  2. "Scoped" DNS that requires DNS queries to some domains to go over the VPN's DNS server

In the client configuration file, you can configure this like this:

[Interface]
DNS = 192.168.1.5,example.org,example.com
...

[Peer]
AllowedIPs = 192.168.1.0/24, ....

This means that all DNS queries that are for the *.example.org or *.example.com domain MUST go to the 192.168.1.5 DNS server. All queries for other domains should go to the DNS resolver that was configured on the system before the VPN got up, i.e. the one provided by WiFi network or ethernet. On macOS all queries go to the 192.168.1.5 server once connected, and not to the "system" DNS any longer.

On Linux (NetworkManager) it works exactly like it should. On Windows, a query is sent to all DNS servers, which is technically not correct, but at least it works.

This is most likely an upstream WireGuard issue that should also be fixed there...

It seems scutil --dns shows it as being correctly configured.

roop commented 1 year ago

@fkooman: The hostnames in the DNS field in the wg-quick config are search domains, not match domains.

man wg-quick says:

DNS — a comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.

To clarify search domains vs match domains: If we set search domains as ["example.com"], it means that if we need to resolve "abc", the resolver should try to resolve "abc.example.com" first; If we set match domains as ["example.com"], it means only "example.com" and "*.example.com" queries should go to this resolver.

WireGuardKit (see PacketTunnelSettingsGenerator.swift) sets the wg-quick DNS hostnames as search domains, consistent with the man page. It sets match domains as [""], which makes all queries go through the tunnel's DNS resolver first. I don't think there's a way to specify match domains in a wg-quick config.
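The difference between the two settings is easiest to see by running queries through a small model of how a scoped resolver is chosen. The following is an added example, not code from the eduVPN app or from WireGuardKit: it assumes a simplified selection rule (the resolver whose match domain is the longest suffix of the query wins, `""` is a catch-all, and the tunnel resolver is listed before the system one, as on macOS) and uses constructed server addresses. `TUNNEL_TODAY` mirrors what the comment above says WireGuardKit derives from `DNS = 192.168.1.5,example.org,example.com` (hostnames as search domains, match domains `[""]`); `TUNNEL_SCOPED` is the configuration the issue asks for (the same hostnames as match domains).

```python
"""Model of search domains vs match domains for a split-tunnel resolver (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Resolver:
    name: str
    servers: List[str]
    # Search domains: suffixes appended to single-label names before lookup.
    search_domains: List[str] = field(default_factory=list)
    # Match domains: which queries this resolver is responsible for; "" means every query.
    match_domains: List[str] = field(default_factory=list)


def _matches(domain: str, query: str) -> bool:
    """True if `query` is `domain` itself or a subdomain of it; "" matches everything."""
    q = query.lower().rstrip(".")
    d = domain.lower().rstrip(".")
    if d == "":
        return True
    return q == d or q.endswith("." + d)


def candidate_names(name: str, search_domains: List[str]) -> List[str]:
    """Search-domain expansion: a bare label is tried under each search domain first, then as-is."""
    if "." in name.rstrip("."):
        return [name]  # already qualified: no expansion
    return [f"{name}.{sd}" for sd in search_domains] + [name]


def select_resolver(query: str, resolvers: List[Resolver]) -> Optional[Resolver]:
    """Pick the resolver with the longest match domain covering `query`; ties go to the earlier entry."""
    best: Optional[Tuple[int, Resolver]] = None
    for r in resolvers:
        for d in r.match_domains:
            if _matches(d, query):
                score = len(d.rstrip("."))
                if best is None or score > best[0]:
                    best = (score, r)
    return best[1] if best else None


# Constructed sample: the resolver the Wi-Fi network handed out before the VPN came up.
SYSTEM = Resolver("wifi", ["10.0.0.1"], match_domains=[""])

# What WireGuardKit derives today from `DNS = 192.168.1.5,example.org,example.com`:
# hostnames become search domains, match domains are [""] (catch-all).
TUNNEL_TODAY = Resolver("wg-tunnel", ["192.168.1.5"],
                        search_domains=["example.org", "example.com"],
                        match_domains=[""])

# What the issue asks for: the same hostnames as match domains, so only those zones use the tunnel.
TUNNEL_SCOPED = Resolver("wg-tunnel", ["192.168.1.5"],
                         search_domains=["example.org", "example.com"],
                         match_domains=["example.org", "example.com"])


def resolve_plan(name: str, tunnel: Resolver) -> List[Tuple[str, str]]:
    """For each candidate FQDN of `name`, the resolver that would be asked (tunnel listed first)."""
    resolvers = [tunnel, SYSTEM]
    plan = []
    for fqdn in candidate_names(name, tunnel.search_domains):
        r = select_resolver(fqdn, resolvers)
        plan.append((fqdn, r.name if r else "none"))
    return plan


def route(query: str, tunnel: Resolver) -> str:
    """Name of the resolver that handles a fully qualified `query`."""
    r = select_resolver(query, [tunnel, SYSTEM])
    return r.name if r else "none"


if __name__ == "__main__":
    for label, tunnel in (("today", TUNNEL_TODAY), ("scoped", TUNNEL_SCOPED)):
        for q in ("www.example.org", "github.com", "abc"):
            print(f"{label:6} {q:16} -> {resolve_plan(q, tunnel)}")
```

With `TUNNEL_TODAY`, every query, including `github.com`, is answered by 192.168.1.5, which is the behaviour reported on macOS; with `TUNNEL_SCOPED`, only `example.org`, `example.com` and their subdomains reach the tunnel resolver and everything else stays with the system resolver. Search-domain expansion is unchanged between the two: `abc` is still tried as `abc.example.org` and `abc.example.com` first.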

ghost commented 1 year ago

Interesting! That makes a lot of sense.

I don't think there's a way to specify match domains in a wg-quick config.

Is this something that should be added (upstream)? It seems like an important feature to have so you are not leaking your DNS queries to all configured DNS servers?