Experimenting with "Set nameserver" options


earl...@yahoo.ca

May 15, 2016, 11:04:21 AM5/15/16
to tunnelblick-discuss
Tunnelblick has been working well for me for connecting to the corporate VPN. The ability to keep non-corporate traffic out of the VPN is an important feature.

I recently gave the matter more thought, and realised that while traffic might be segregated, DNS lookups might not be.

I am running OSX Yosemite 10.10.5 and Tunnelblick 3.5.8 (build 4270.4530).

To experiment I used the following to flush the DNS cache:

        dscacheutil -flushcache
        sudo killall -HUP mDNSResponder

Then watch the physical interface (not Tunnelblick) for DNS activity:

        sudo tcpdump -i en0 port 53

Then ping a target in the public internet (www.google.com) vs a target in the corporate network.

So, for my configuration only "Set nameserver" and "Set nameserver (3.0b10)" are in any way usable, and "Set nameserver (3.0b10)" allows me to split the DNS queries along the same lines that the traffic is split.


I have two questions:


  1. It seems that "Set nameserver (3.1)" and "Set nameserver (alternate 1)" do not work for sites on the public internet. Is that expected?
  2. Is there some documentation that clearly describes what each of these configuration options seeks to achieve?

jkbull...gmail.com

May 15, 2016, 12:18:53 PM5/15/16
to tunnelblick-discuss, earl...@yahoo.ca
Thanks for your observations.

First, note that "ping" and some other commands on OS X do not use the standard name resolution that almost all other parts of OS X use, so you should be careful in interpreting your results. A better test would be to browse to a website using Safari.

The only DNS/WINS settings that are at all "supported" (to the extent that they are) are "Do not set nameserver" and "Set nameserver". The other settings are older or alternate versions that are being kept available for backward compatibility and because they are useful for certain uncommon situations.

The goal of the "Set nameserver" setting is to deal with DNS/WINS settings "correctly" for the most common networking situations without requiring additional configuration by the user. There are many different ways networks can be configured, and different people have different goals (and different VPN admins have different goals, too), so it doesn't handle all situations. The general idea is that it should do what is reasonable if the VPN specifies DNS servers to use.

All of the "Set..." settings use bash scripts for OpenVPN's "up" and "down" functions to manage DNS and other network settings. There isn't any documentation other than the scripts themselves and some vague language in a couple of places in the Tunnelblick Documentation such as The "Set Nameserver" Check Box and DNS & WINS Settings.

The settings and their corresponding scripts are:


All of the scripts are located in the /Applications/Tunnelblick.app/Contents/Resources folder.

Contributions to the "Set nameserver" script or new scripts using different approaches would be appreciated. You can post them here, contact the developers at devel...@tunnelblick.net, or make a pull request to the Tunnelblick GitHub repository.
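
The procedure in the first post (flush the cache, watch the physical interface for port 53, trigger lookups) and the caveat in this reply (ping does not use the system resolver) fit together into one small test harness. The following is an added example, not code from the thread or from Tunnelblick. It assumes the physical interface is en0, the tunnel interface is utun0, and a hypothetical corporate DNS suffix "corp.example" that should only ever be resolved inside the tunnel; the tcpdump lines it classifies in the demo are constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the thread or from Tunnelblick): harness for the
# split-DNS test described above, plus the leak check at the end of it.
# Assumptions: physical interface en0, tunnel interface utun0, and a
# hypothetical corporate zone "corp.example" that must only be resolved
# inside the tunnel.

CORP_SUFFIX=corp.example   # hypothetical; replace with the real internal zone

# Step 1: flush the resolver cache so every lookup actually hits the wire
# (the commands the first post used on OS X 10.10).
flush_dns_cache() {
    dscacheutil -flushcache
    sudo killall -HUP mDNSResponder
}

# Step 3: trigger a lookup through the system resolver path rather than with
# ping, which (as the reply notes) does not use the standard name resolution.
resolve_via_system() {
    dscacheutil -q host -a name "$1"
}

# classify_dns_queries SIDE SUFFIX
#   SIDE is "physical" (capture taken on en0) or "tunnel" (capture on utun0).
#   Reads "tcpdump -n -l" output on stdin and prints one line per DNS question:
#     LEAK name   a SUFFIX name seen on the physical side, or a non-SUFFIX
#                 name seen inside the tunnel
#     OK   name   the query went where split DNS should send it
#   Response lines carry no "A?"/"AAAA?" field and are ignored.
classify_dns_queries() {
    awk -v side="$1" -v suffix="$2" '
    {
        for (i = 1; i < NF; i++) {
            if ($i ~ /\?$/) {                 # query-type field: A? AAAA? PTR? ...
                name = $(i + 1)
                sub(/\.$/, "", name)          # drop the trailing root dot
                n = length(suffix)
                corp = (name == suffix || substr(name, length(name) - n) == "." suffix)
                leak = (side == "physical") ? corp : !corp
                printf "%s %s\n", (leak ? "LEAK" : "OK"), name
                break
            }
        }
    }'
}

# Live use (needs root for tcpdump). -c bounds the capture because OS X ships
# no "timeout"; raise it if you browse for a while before reading the result.
check_physical() {
    sudo tcpdump -i en0 -n -l -c 20 udp port 53 2>/dev/null \
        | classify_dns_queries physical "$CORP_SUFFIX"
}
check_tunnel() {
    sudo tcpdump -i utun0 -n -l -c 20 udp port 53 2>/dev/null \
        | classify_dns_queries tunnel "$CORP_SUFFIX"
}

# Constructed sample of what "tcpdump -i en0 -n -l udp port 53" prints (not a
# real capture): one public query with its answer, and one corporate query
# that escaped onto the physical interface.
SAMPLE_EN0='11:04:21.000001 IP 192.168.1.10.52345 > 8.8.8.8.53: 1+ A? www.google.com. (32)
11:04:21.000002 IP 8.8.8.8.53 > 192.168.1.10.52345: 1 1/0/0 A 142.250.72.4 (48)
11:04:22.000003 IP 192.168.1.10.52346 > 8.8.8.8.53: 2+ [1au] AAAA? intranet.corp.example. (50)'

# Offline demo: classify the constructed en0 sample.
demo() {
    printf '%s\n' "$SAMPLE_EN0" | classify_dns_queries physical "$CORP_SUFFIX"
}
demo
```

Run `check_physical` in one terminal while browsing to a public site and an internal one; with a working "Set nameserver (3.0b10)"-style split, only OK lines should appear on en0 and only OK lines on utun0. The classifier is deliberately suffix-only: reverse (in-addr.arpa) lookups for internal addresses are not matched and would need a second suffix if they matter to you.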

Earl Chew

May 15, 2016, 1:47:21 PM5/15/16
to jkbull...gmail.com, tunnelblick-discuss
Thanks for the advice.

> A better test would be to browse to a website using Safari.

I repeated the tests using Firefox and Safari with similar results. For "Set nameserver (3.1)" and "Set nameserver (alternate 1)" I see DNS queries going out the physical interface, but the browser fails to connect to the public site.


> The settings and their corresponding scripts are:


Ok. This is helpful.

Thanks.