MacOS – DNS resolution works for nslookup but fails in browser while using openconnect

dnsmacosvpn

Trying to use openconnect to connect to Cisco Anyconnect VPN.

I just did brew install openconnect and use it from cmd line like this:

sudo openconnect –authgroup=VPN-SSL-GROUP -u FIRST_LAST@domain.com vpn.domain.com

Then I try to access resource.domain.com name from private network and get:

in Chrome: DNS_PROBE_FINISHED_NXDOMAIN
in Network Utility -> Lookup: resource.domain.com -> The operation couldn’t be completed. (kCFErrorDomainCFNetwork error 2.)

BUT it gets resolved when I use nslookup from command line:

nslookup resource.domain.com
Server:         10.66.0.1
Address:        10.66.0.1#53

Non-authoritative answer:
Name:    resource.domain.com
Address: 10.66.110.24

I decided to check the content of /ect/resolv.conf:

nameserver 10.66.0.1
nameserver 10.66.0.2
nameserver 192.168.100.1 # (this is the DNS address of my home router)

and see that required DNS addresses used by nslookup are in place. (If I use resolved address in browser, I successfully access private resource, so routing works fine)

I googled a bit and learned that DNS resolution works not the way I can expect from Linux. There is a scutil utility which can help to manage actual DNS settings.

Here is a list of my DNS settings which I can see in scutil:

> list .*DNS
  subKey [0] = Setup:/Network/Service/47AA11B0-4713-41EF-B532-FC580ACD3E75/DNS
  subKey [1] = State:/Network/Global/DNS
  subKey [2] = State:/Network/MulticastDNS
  subKey [3] = State:/Network/PrivateDNS
  subKey [4] = State:/Network/Service/47AA11B0-4713-41EF-B532-FC580ACD3E75/DNS
  subKey [5] = State:/Network/Service/utun1/DNS # (this one appears when I am connected using openconnect)

The content of State:/Network/Global/DNS and State:/Network/Service/47AA11B0-4713-41EF-B532-FC580ACD3E75/DNS keys match and is equal to:

<dictionary> {
  ServerAddresses : <array> {
    0 : 10.66.0.1
    1 : 10.66.0.2
    2 : 192.168.100.1
  }
}

The content of State:/Network/Service/utun1/DNS (which only exists after openconnect established connection) is:

<dictionary> {
  DomainName : location.domain.com
  SearchDomains : <array> {
    0 : location.domain.com
  }
  ServerAddresses : <array> {
    0 : 10.66.0.1
    1 : 10.66.0.2
  }
  SupplementalMatchDomains : <array> {
    0 : location.domain.com
  }
}

The other dns-related keys are empty.

I also tried to go Preferences -> Network -> my Wy-Fi connection -> Advanced and set DNS addresses manually. Still does not work.

And I also learned about vpnc-script for openconnect. I found it already existed on my machine and tried to specify it explicitly:
--script /usr/local/etc/vpnc-script but it did not help to resolve private domains.

From what I see in scutil it seems to be properly configured, but for some reasons DNS resolution does not work. Any ideas why? What else I can check and try?

Best Answer

Thanks to this answer: https://superuser.com/a/86245/356729

The command

networksetup -setdnsservers Wi-Fi 10.66.0.1, 10.66.0.2

solved the problem. When I disconnect, I also have to manually restore settings using:

networksetup -setdnsservers Wi-Fi 192.168.100.1

Related Solutions

MacOS – Do /etc/resolver/ files work in Mountain Lion for DNS resolution

This question seems a bit old, but I'm going to answer it anyways as I had a similar problem:

Yes, this works.

Your first problem is that you obviously have the wrong IP (8.8.8.8 instead of 203.12.160.35) in /etc/resolver/apple.com. Verify that the contents of this file is really:

nameserver 203.12.160.35

Then scutil --dns should have an entry like this:

resolver #8
  domain   : apple.com
  nameserver[0] : 203.12.160.35

The second problem is that you tried to verify it using nslookup which does not use the DNS resolution mechanisms of OS X. If you look at the man page of nslookup you will find this:

Mac OS X NOTICE
   The nslookup command does not use the host name and address resolution or the DNS 
   query routing mechanisms used by other processes running on Mac OS X.  The results of 
   name or address queries printed by nslookup may differ from those found by other
   processes that use the Mac OS X native name and address resolution mechanisms. The 
   results of DNS queries may also differ from queries that use the Mac OS X DNS routing 
   library.

To check your DNS config you could do

dns-sd -G v4 images.apple.com

and verify if it yields the same IP as

nslookup images.apple.com 203.12.160.35

MacOS – Mountain Lion VPN fails to connect but works on Windows VM

It seems odd that your machine is attempting to use aggressive-mode in phase 1 of the IPSec connection. From what I can see, the default in 10.8.5 is to use main-mode. I'm wondering if you've modified the file at /etc/racoon/racoon.conf in trying to get this working? Can you post the contents of the file at /etc/racoon/racoon.conf?

Alternately, it may be possible to duplicate the configuration file that the L2TP/IPSec connection in System Preferences is using, and modify it slightly (configure to use main-mode) to see if that helps. Unfortunately, that configuration file is created at connect time, and is copied into /var/run/racoon/fqdn.of.host.conf. This file is also readable only by root (to protect the PSK that's stored inside of it). If you're quick, you can prepare a Terminal command that will copy that config file, initiate the VPN connection from System Preferences or the menu bar, and perform the copy command while the VPN is attempting to connect (you may have 5-10 seconds to perform the copy). Here's the command that you'd run right after initiating the VPN connection:

sudo cp -Rp /var/run/racoon/vpn.aec.com.br ~/Desktop

That file has permissions that disallow users from reading it. Use the command to make it readable:

sudo chmod 777 ~/Desktop/vpn.aec.com.br

NOTE: the file that you've copied onto the Desktop contains your PSK. You should not post this file (unmodified) to this website. If you would like to post this configuration file for troubleshooting, obfuscate the value of shared_secret before posting.

You can configure the VPN connection to use main-mode by modifying the configuration file that you've copied onto your Desktop. Open that file in any text editor, and locate the line that says exchange_mode. You may find that it says something like:

exchange_mode aggressive;

If so, see if you can change it so that it uses main-mode:

exchange_mode main;

Next, disable the built-in launchd script that launches racoon normally:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.racoon.plist

Then, you can temporarily launch racoon, and instruct it to use the configuration file that you exported:

sudo racoon -f ~/Desktop/vpn.aec.com.br -l /var/log/racoon.log

The racoon process will run in the background using the configuration file that you copied onto the Desktop. The process will also output to /var/log/racoon.log Next, you can initiate a VPN connection using racoonctl:

sudo racoonctl vpn-connect vpn.aec.com.br

The VPN menubar item will not update while this process is connecting. However, you should see output in /var/log/system.log and in /var/log/racoon.log that reflects the fact that the IPSec Phase 1 connection is moving along (i.e., Main Mode Message 2, 3, 4, etc.). If you see that the machine is able to establish the IPSec tunnel (look for "IPSec Phase1 established" in system.log), you're likely having problems with the exchange_mode that's configured.

How to undo this configuration

To put things back to the way that they were, you can disconnect (if the connection was successful) and then terminate the racoon process that's running:

sudo racoonctl vpn-disconnect

sudo killall racoon

Then, re-load the launchd config for racoon:

sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.racoon.plist

How to make this configuration permanent

If the racoon configuration file that you used in the tests above seems to be allowing phase 1 to complete, you can configure racoon to use that config file in the future:

Copy the config file that is on your Desktop into the folder /etc/racoon:

sudo cp ~/Desktop/vpn.aec.com.br.conf /etc/racoon/vpn.aec.com.br.conf

Make sure to secure the permissions on that file:

sudo chmod 600 /etc/racoon/vpn.aec.com.br.conf

Comment out the last line of the file at /etc/racoon/racoon.conf, and add a line that will load the configuration that you copied to /etc/racoon in the step above:

include "/var/run/racoon/*.conf" ;

Should be changed to:

#include "/var/run/racoon/*.conf" ;
include "/etc/racoon/vpn.aec.com.br.conf" ;

After you've made this change, you can save the file and attempt the VPN connection again from the menu bar.

Best Answer

Related Solutions

MacOS – Do /etc/resolver/ files work in Mountain Lion for DNS resolution

MacOS – Mountain Lion VPN fails to connect but works on Windows VM

Related Question