Trouble with DNS search domains

Official client software for OpenVPN Access Server and OpenVPN Cloud.
JosA
OpenVpn Newbie
Posts: 2
Joined: Thu Sep 08, 2022 1:15 pm

Trouble with DNS search domains

Post by JosA » Fri Sep 09, 2022 1:27 pm

Hi,

OpenVPN Connect 3.3.6 for OSX.
OS: tested on both Big Sur and Monterey.

Currently I'm building a new OpenVPN environment using Netgate PFsense+ 22.05. We're having several types of VPN clients: Linux, OSX and Windows. On OSX we run into trouble with the OpenVPN Connect client.

From the configuration we push DNS search domains to the client:
---
push "dhcp-option DOMAIN mgmt.domain.com";
push "dhcp-option DOMAIN office.domain.com";
push "dhcp-option DOMAIN domain.com";
push "dhcp-option DOMAIN-SEARCH mgmt.domain.com";
push "dhcp-option DOMAIN-SEARCH office.domain.com";
push "dhcp-option DOMAIN-SEARCH domain.com";
---
This works fine for the Linux clients, I can do a ping to a server without using the FQDN, just the hostname is fine since the client searches mgmt.domain.com for example. When I add an extra push:
---
push "dhcp-option ADAPTER_DOMAIN_SUFFIX mgmt.domain.com";
---
that also doesn't help.

In the log of the client it looks alright:
---
DNS Servers:
172.20.5.50
172.20.5.51
Search Domains:
mgmt.domain.com
office.domain.com
domain.com
Adapter Domain Suffix: mgmt.domain.com
---

and also in the client log:
---
MacDNSAction: FLAGS=F RD=0 SO=5000 DNS=172.20.5.50,172.20.5.51 DOM=mgmt.domain.com,office.domain.com,domain.com ADS=mgmt.domain.com
---

It looks like all the info gets to the client correctly, but it just doesn't add the search domains. Also, when I use 'scutil --dns' the nameservers are there, also with the domains, but the domain mgmt.domain.com isn't added to the domains to search. Resolving works just fine with FQDN, but not with just the hostname.
---
DNS configuration

resolver #1
search domain[0] : fritz.box
nameserver[0] : 192.168.1.1
if_index : 14 (en0)
flags : Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300000

resolver #4
domain : mgmt.domain.com
nameserver[0] : 172.20.5.50
nameserver[1] : 172.20.5.51
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
order : 101400

resolver #5
domain : office.domain.com
nameserver[0] : 172.20.5.50
nameserver[1] : 172.20.5.51
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
order : 101401

resolver #6
domain : domain.com
nameserver[0] : 172.20.5.50
nameserver[1] : 172.20.5.51
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
order : 101402
---

I've also tried to use a script after the connection is 'up', but it seems OpenVPN Connect doesn't support that. In the log it shows up as an unused option.
When I add a search domain to the network settings of OSX it works, but the disadvantage is that when VPN is not up, the search domains are leaked to the nameserver which is in use when VPN is not in use. Somehow I don't want to leak those to Google DNS...

Is this a bug? Or is there a workaround? Or are we being stupid and doing something wrong?

Kind regards, Jos Andel

JosA
OpenVpn Newbie
Posts: 2
Joined: Thu Sep 08, 2022 1:15 pm

Re: Trouble with DNS search domains

Post by JosA » Wed Nov 02, 2022 10:37 am

Tested with the new OpenVPN Connect 3.4 client on Apple Silicon. This doesn't help, still no search-domains added :-(
Would be nice if @openvpn_inc could reply to this issue...

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Trouble with DNS search domains

Post by openvpn_inc » Thu Nov 03, 2022 2:23 am

Hi Jos,

I'm a part-time Mac user, but not really a Mac expert. It looks to me like your fritz.box server is first in line and is the one being consulted, without the search domains. Then your VPN resolvers are listed 3 times, each with a separate search domain.

My guess is that the queries never go to the VPN resolvers. That should be easy enough to test with a tcpdump(8) command.

I'll say also I am not a fan of search domains in general, especially not with multiple domains; you might think you're getting "host.two.example.net" when you look up "host", but it could actually be "host.one.example.net" or even "host.three.example.net". I know, I know, a lot of users want them, but it is sloppy and could cause issues which are hard to troubleshoot. Yep, I'm a grumpy old man.

I think what you might need to do is check on the Mac side of things to see how to deprioritize your fritz.box DNS. Or perhaps entirely override it with VPN resolvers. That overriding is easy to do in our commercial Access Server software or OpenVPN Cloud service. I don't know how to do it on your Pfsense (nor even if it's possible). Sorry.

regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
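The 'scutil --dns' output Jos quoted and rob0's reading of it (fritz.box resolver first in line, VPN resolvers listed as separate scoped entries) can be checked mechanically. The script below is an added example, not code from the thread or from OpenVPN Inc.: it parses the quoted output format, models how a query name is matched against the default resolver's search list versus the "Supplemental" resolvers' domains, and reports which VPN domains a bare hostname would never be searched in. The sample input is constructed from the values in the thread; the routing model (single-label names get the default resolver's search list, suffix match picks the most specific supplemental resolver) is a simplifying assumption about macOS behaviour, not a statement of the resolver's full rules.

```python
"""Parse `scutil --dns` output and show which resolver a query name would reach."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the `scutil --dns` output quoted in the thread
# (addresses and domains are the thread's own example values).
SAMPLE = """\
DNS configuration

resolver #1
search domain[0] : fritz.box
nameserver[0] : 192.168.1.1
if_index : 14 (en0)
flags : Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300000

resolver #4
domain : mgmt.domain.com
nameserver[0] : 172.20.5.50
nameserver[1] : 172.20.5.51
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
order : 101400
"""


@dataclass
class Resolver:
    number: int
    domain: Optional[str] = None          # scoping domain of a supplemental resolver
    search: List[str] = field(default_factory=list)
    nameservers: List[str] = field(default_factory=list)
    flags: List[str] = field(default_factory=list)


def parse_scutil_dns(text: str) -> List[Resolver]:
    """Split the output into resolver blocks; every field is 'key : value'."""
    resolvers: List[Resolver] = []
    cur: Optional[Resolver] = None
    for line in text.splitlines():
        m = re.match(r"resolver #(\d+)", line)
        if m:
            cur = Resolver(int(m.group(1)))
            resolvers.append(cur)
            continue
        if cur is None or " : " not in line:
            continue
        key, _, value = line.partition(" : ")
        key, value = key.strip(), value.strip()
        if key.startswith("search domain["):
            cur.search.append(value)
        elif key.startswith("nameserver["):
            cur.nameservers.append(value)
        elif key == "domain":
            cur.domain = value
        elif key == "flags":
            cur.flags = [f.strip() for f in value.split(",")]
    return resolvers


def default_resolver(resolvers: List[Resolver]) -> Resolver:
    """The unscoped resolver (resolver #1 above) owns the search list."""
    return next(r for r in resolvers if r.domain is None)


def candidates(name: str, resolvers: List[Resolver]) -> List[str]:
    """Assumption: a single-label name is expanded with the default search list only."""
    if "." in name:
        return [name]
    return [f"{name}.{s}" for s in default_resolver(resolvers).search] or [name]


def route(name: str, resolvers: List[Resolver]):
    """Return (fqdn, nameservers) for each candidate: most specific scoped domain wins."""
    out = []
    for fqdn in candidates(name, resolvers):
        best: Optional[Resolver] = None
        for r in resolvers:
            if r.domain and (fqdn == r.domain or fqdn.endswith("." + r.domain)):
                if best is None or len(r.domain) > len(best.domain):
                    best = r
        chosen = best or default_resolver(resolvers)
        out.append((fqdn, chosen.nameservers))
    return out


def unsearched_vpn_domains(resolvers: List[Resolver]) -> List[str]:
    """Supplemental (VPN) domains that are absent from the default search list."""
    searched = set(default_resolver(resolvers).search)
    return [r.domain for r in resolvers
            if "Supplemental" in r.flags and r.domain not in searched]


if __name__ == "__main__":
    rs = parse_scutil_dns(SAMPLE)
    print("bare name:", route("host", rs))              # goes to 192.168.1.1 as host.fritz.box
    print("FQDN:     ", route("host.mgmt.domain.com", rs))  # goes to the VPN resolvers
    print("VPN domains never searched:", unsearched_vpn_domains(rs))
```

Run against a real 'scutil --dns' capture, the last line lists exactly the domains that are reachable by FQDN through the tunnel but missing from the search list, which is the symptom the thread describes; the routing output is the hypothesis rob0 proposes confirming with tcpdump.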
