Using VPN provided DNS Servers on Snow Leopard built-in PPTP VPN Client

This topic contains 7 replies, has 3 voices, and was last updated by kai 9 years, 6 months ago.

    #378086

    kai
    Participant

    I’ve got an issue where Snow Leopard (10.6.2) refuses to use the VPN supplied DNS servers.

    I am connecting to a PPTP VPN Server, and when I go into the Network prefpane, I can see (in grey) the DNS server that the VPN server is providing, but it’s not included in /etc/resolv.conf and it’s not used for name resolution.

    The issue that then occurs is if I connect to the VPN, I can’t access server.example.internal by name, but it works perfectly via IP.

    Running a DNS lookup against the name server on the VPN works. If I manually add the IP of the internal DNS server to the active network interface (Ethernet or AirPort, as appropriate) then DNS lookups work.

    If I set the service order so that the VPN network interface is above the other network interfaces, it still doesn’t honour the DNS settings.

    I have tried creating a file /etc/resolver/example.internal with the following contents:

    [code]nameserver 10.0.10.10
    domain example.internal
    port 53
    [/code]

    According to the man pages, this is supposed to force the use of the nameserver 10.0.10.10 for all queries relating to the domain example.internal – however this doesn’t seem to work either.

    Has anyone else experienced similar issues and if so worked out how to fix it?

    Cheers,
    Kai

    #378088

    khiltd
    Participant

    What kind of server are you connecting to? Apple’s racoon configs are set up to work primarily with Apple’s VPNs.

    #378089

    kai
    Participant

    I’m connecting to a McAfee UTM SG310 or SG560 (used to be Secure Computing, they were bought by McAfee).

    The reason I’m doing it this way is that these units have proven to be more reliable than the VPN server in Mac OS X, and when connected to a VPN hosted by the firewall, I can reboot the server in question without getting dropped off the VPN.

    This configuration works perfectly with Mac OS X 10.5.x – I receive the DNS server from the VPN and the machine uses it if the VPN service is at the top of the list in the Network preferences. If it’s not, then my machine keeps using whatever DNS server it had prior to connecting to the VPN.

    Under 10.6, I can see in the Network preferences that the VPN network interface has received the correct DNS server as it’s listed in grey, however the machine simply will not use it.

    #378091

    khiltd
    Participant

    [QUOTE]Under 10.6, I can see in the Network preferences that the VPN network interface has received the correct DNS server as it’s listed in grey, however the machine simply will not use it.[/QUOTE]

    If the +trace option of dig confirms this, then I’d say try another client like VPNTracker.

    #378093

    kai
    Participant

    [QUOTE][u]Quote by: khiltd[/u][p][QUOTE]Under 10.6, I can see in the Network preferences that the VPN network interface has received the correct DNS server as it’s listed in grey, however the machine simply will not use it.[/QUOTE]

    If the +trace option of dig confirms this, then I’d say try another client like VPNTracker.[/p][/QUOTE]

    Well, when I connect to the VPN under 10.5, I can confirm that the DNS servers are correctly added to /etc/resolv.conf.

    When I connect to the VPN under 10.6, the DNS servers are not added to /etc/resolv.conf.

    It now seems that having a file in /etc/resolver/example.com is working for some tools, but not others.

    If I run, say, host or dig, they are unable to look up server.example.com.

    If I ping server.example.com or go to http://server.example.com in Safari, it works. I can also connect to the server by name in the finder.

    This is with a file /etc/resolver/example.com with the contents:

    [code]nameserver 10.0.1.10
    domain example.com
    port 53
    [/code]

    I do find it strange that name resolution on Mac OS X can happen in a few different ways, and that host and dig don’t query the hosts file – it seems that they don’t query the resolver files either.

    I don’t want to use VPN tracker as I try to minimise the use of 3rd party software wherever possible, and like to keep things as simple as possible for my clients…

    #378106

    khiltd
    Participant

    [QUOTE][u]Quote by: kai[/u][p]

    I don’t want to use VPN tracker as I try to minimise the use of 3rd party software wherever possible, and like to keep things as simple as possible for my clients…[/p][/QUOTE]

    I can certainly appreciate the desire to minimize dependencies, but in this case, you’ve already introduced a 3rd party, and there is very little chance that any of Apple’s testing matrices are going to place McAfee compatibility at a very high priority at any point in the near future. At the very least, [i]trying[/i] a different client would tell you whether the issue you’re facing is more likely to be an Apple or a McAfee problem, regardless of whether or not you decide to deploy it as a permanent solution.

    #378247

    kai
    Participant

    Here’s what I’ve found with the testing that I’ve done.

    Mac OS X 10.5.x – works as expected. VPN supplied DNS servers are queried by the system.

    Mac OS X 10.6.2 – DNS servers supplied by the VPN are not queried, unless the VPN service is the highest priority network service, in which case they are exclusively used. In addition, if the VPN is the highest service listed in System Preferences, all internet traffic is passed over the VPN.

    Mac OS X 10.6.2 with entries in /etc/resolver – the entries in /etc/resolver are used by some utilities, including most of the system level DNS lookups. They are specifically not used by the host, dig or nslookup commands. If you, for instance, ping a server, it is able to have its name resolved.

    I have created an AppleScript that makes it easy for me to distribute these settings to end users that are not using an SOE.

    [code]-- Domain whose lookups should go to the internal name server
    set theDomainName to "example.internal"
    set theNameServer to "10.0.10.10"

    -- Create /etc/resolver if it is missing, then write /etc/resolver/<domain>;
    -- the shell runs as root because of "with administrator privileges"
    do shell script "
    if [ ! -d /etc/resolver ]; then
    mkdir /etc/resolver
    chown root:wheel /etc/resolver
    chmod 755 /etc/resolver
    fi
    echo \"nameserver " & theNameServer & "
    domain " & theDomainName & "
    port 53\" > /etc/resolver/" & theDomainName & "
    " with administrator privileges
    display dialog "DNS Configuration Updated."
    [/code]
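The same per-domain resolver file written from plain sh, as an added example that is not part of the thread: the AppleScript above puts the domain name straight into the output path, so this version validates the domain and the IPv4 address before writing anything, and writes atomically. The optional third argument (a directory other than /etc/resolver) exists only so the function can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the thread: write an /etc/resolver/<domain> file of
# the kind described above, rejecting malformed input first so a bad domain
# value cannot become a path outside the resolver directory.

valid_domain() {
    # Labels of letters, digits, hyphens and dots; no leading dot, no "..",
    # no slash, so the name can never walk out of the resolver directory.
    case "$1" in ''|.*|*..*|*/*|*[!A-Za-z0-9.-]*) return 1 ;; esac
    return 0
}

valid_ipv4() {
    # Exactly four dotted decimal octets, each 0-255.
    ip=$1; n=0
    case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    while [ -n "$ip" ]; do
        o=${ip%%.*}
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
        n=$((n + 1))
        [ "$ip" = "$o" ] && ip= || ip=${ip#*.}
    done
    [ "$n" -eq 4 ]
}

# write_resolver_file DOMAIN NAMESERVER [DIR]   (DIR defaults to /etc/resolver)
write_resolver_file() {
    domain=$1; ns=$2; dir=${3:-/etc/resolver}
    valid_domain "$domain" || { echo "rejected domain: $domain" >&2; return 1; }
    valid_ipv4 "$ns"       || { echo "rejected nameserver: $ns" >&2; return 1; }
    [ -d "$dir" ] || mkdir -m 755 "$dir" || return 1
    # Write to a temporary file and rename it, so the resolver never reads a
    # half-written configuration.
    tmp="$dir/.$domain.$$"
    printf 'nameserver %s\ndomain %s\nport 53\n' "$ns" "$domain" > "$tmp" || return 1
    chmod 644 "$tmp" && mv "$tmp" "$dir/$domain"
}

# Run as root for the real location, then confirm the system resolver picked
# the file up: "scutil --dns" lists it as a per-domain resolver, and a lookup
# through the system resolver (which dig/host/nslookup bypass) is
#   dscacheutil -q host -a name server.example.internal
```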
