Force DNS Setting While DNSCrypt is Enabled?


Nello Lucchesi

Jun 27, 2016, 11:17:58 AM
to tunnelblick-discuss
I'm using DNSCrypt on my MacBook Air (MBA) running 10.11.5



DNSCrypt creates a DNS on my MBA at 127.0.0.54.  Apparently when Tunnelblick creates the VPN connection, it doesn't replace 127.0.0.54 with 10.10.49.1, the DNS used by my OpenVPN Server (and specified in Tunnelblick's script):

Retrieved from OpenVPN: name server(s) [ 10.10.49.1 ], search domain(s) [  ] and SMB server(s) [  ] and using default domain name [ openvpn ]

                                        WARNING: Ignoring ServerAddresses '10.10.49.1' because ServerAddresses was set manually

                                        Setting search domains to 'openvpn' because running under OS X 10.6 or higher and the search domains were not set manually and 'Prepend domain name to search domains' was not selected

                                        Saved the DNS and SMB configurations so they can be restored

                                        Did not change DNS ServerAddresses setting of '127.0.0.54' (but re-set it)

                                        Changed DNS SearchDomains setting from '' to 'openvpn'

                                        Changed DNS DomainName setting from 'attlocal.net' to 'openvpn'

                                        Did not change SMB NetBIOSName setting of ''

                                        Did not change SMB Workgroup setting of ''

                                        Did not change SMB WINSAddresses setting of ''

                                        DNS servers '127.0.0.54' were set manually

                                        DNS servers '127.0.0.54' will be used for DNS queries when the VPN is active

                                        NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.




Yes, Tunnelblick does use the Server's DNS (10.10.49.1) when DNSCrypt is disabled.

Is there any way to force Tunnelblick to use the Server's DNS without disabling DNSCrypt?  (Disabling DNSCrypt isn't a big deal but it's something extra I have to remember to do.) 

Thank you for your help.

- nello


jkbull...gmail.com

Jun 27, 2016, 12:46:11 PM
to tunnelblick-discuss
As you have seen, Tunnelblick will not modify the DNS settings if they were set manually.

The easiest way to do what you want is probably to create two scripts to be used by Tunnelblick:
  1. A "pre-connect.sh" script that sets DNS to use DHCP before connecting to the VPN, and
  2. A "post-disconnect.sh" script to restore the manual settings after disconnecting from the VPN.
You would put the scripts into the Tunnelblick VPN Configuration. They would be run as root automatically whenever you connected the VPN.

For more info on these scripts, see Using Scripts.

For more info on making DNS changes, see Apple's networksetup man page. I think you want to use the "-setdnsservers" subcommand. I'm not sure how you would tell OS X to get DNS settings via DHCP; perhaps all you do is remove all the manual DNS servers.

If you end up doing this (or solve the problem some other way), please post here. And contribute any scripts you create so they can be put in the User Contributions section of Tunnelblick's Downloads page.

Nello Lucchesi

Jun 27, 2016, 4:03:54 PM
to tunnelblick-discuss
On Monday, June 27, 2016 at 11:46:11 AM UTC-5, jkbull...gmail.com wrote:
As you have seen, Tunnelblick will not modify the DNS settings if they were set manually.

The easiest way to do what you want is probably to create two scripts to be used by Tunnelblick:
  1. A "pre-connect.sh" script that sets DNS to use DHCP before connecting to the VPN, and
  2. A "post-disconnect.sh" script to restore the manual settings after disconnecting from the VPN

Thank you for your reply, which very clearly laid out an approach to solving my little inconvenience. 

I looked around for a way to script DNSCrypt and this is all I found:


Do you know of any example scripts or more-complete documentation?

Regardless, thank you again for your thoughtful response.

- nello

jkbull...gmail.com

Jun 27, 2016, 4:06:03 PM
to tunnelblick-discuss
Sorry, I don't know anything about DNSCrypt scripting.

Nello Lucchesi

Jun 27, 2016, 8:03:23 PM
to tunnelblick-discuss
On Monday, June 27, 2016 at 11:46:11 AM UTC-5, jkbull...gmail.com wrote:

<-- snip -->

If you end up doing this (or solve the problem some other way), please post here. 


The script below will disable DNSCrypt.  

Unfortunately, I'm not much of a scripter and am stuck on how to re-enable DNSCrypt.  Ideally, I'd save the value of the DNS Server(s) before removing them.  How can I save this value and have it available to a script that sets the DNS Server(s) with this saved value?  I don't know how to persist variable values across script executions.  :-(

- nello

#!/bin/bash
# ****************************************************************************************
# *  Remove/Replace local DNS
# *
# *   
# ****************************************************************************************
#
# Current network service
networkService=""
#
getCurrentNetworkService() {
    #
    # Modeled on example at:
    local services line sname sdev rc
    services=$(networksetup -listnetworkserviceorder | grep 'Hardware Port')
    while read -r line; do
        # Lines look like "(Hardware Port: Wi-Fi, Device: en0)": with the separators
        # below, field 2 is the service name and field 4 the BSD device name
        sname=$(echo "$line" | awk -F "(, )|(: )|[)]" '{print $2}')
        sdev=$(echo "$line" | awk -F "(, )|(: )|[)]" '{print $4}')
        #echo "Current service: $sname, $sdev"
        if [ -n "$sdev" ]; then
            # The first service whose device reports "status: active" is taken as current
            ifconfig "$sdev" 2>/dev/null | grep 'status: active' > /dev/null 2>&1
            rc="$?"
            if [ "$rc" -eq 0 ]; then
                networkService="$sname"
                return 0
            fi
        fi
    done <<< "$services"
    return 1
}
#
#
getCurrentNetworkService
returnCode="$?"
if [[ $returnCode -ne 0 ]]
then
    echo "getCurrentNetworkService() did NOT find current network service"
    exit 1
else
    echo "networkService=\"$networkService\""
    # Record the manually set DNS servers (127.0.0.54 while DNSCrypt is enabled) before removing them
    dnsServers=$( networksetup -getdnsservers "$networkService" )
    echo "dnsServers=\"$dnsServers\""
    # "empty" clears the manual list, so the service falls back to DHCP-supplied DNS
    networksetup -setdnsservers "$networkService" empty
fi


   

jkbull...gmail.com

Jun 27, 2016, 8:09:46 PM
to tunnelblick-discuss


On Monday, June 27, 2016 at 8:03:23 PM UTC-4, Nello Lucchesi wrote:
On Monday, June 27, 2016 at 11:46:11 AM UTC-5, jkbull...gmail.com wrote:
Unfortunately, I'm not much of a scripter and am stuck on how to re-enable DNSCrypt.  Ideally, I'd save the value of the DNS Server(s) before removing them.  How can I save this value and have it available to a script that sets the DNS Server(s) with this saved value?  I don't know how to persist variable values across script executions.  :-(

You can persist variable values across script executions by saving the values in files. (Not elegant, but it works). So in pre-connect.sh, you could

echo "$dnsServers" > "/tmp/my-dnscrypt-servers"

and then in post-disconnect script get it back with

dnsServers="$(cat "/tmp/my-dnscrypt-servers")"

Good luck!
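The two-script approach laid out earlier in the thread (a pre-connect.sh that clears the manual DNS servers, a post-disconnect.sh that puts them back) plus the save-to-a-file trick above, written out as one file. This is an added example, not DNSCrypt's or Tunnelblick's own code. It assumes the state file lives at /var/root/.dnscrypt-saved-dns (a root-only path chosen on purpose: these scripts run as root, and a world-writable /tmp would let another local user pre-create or symlink the file that root then overwrites and later reads back), that the first active service in `networksetup -listnetworkserviceorder` is the one DNSCrypt configured, and that `networksetup -getdnsservers` reports "There aren't any DNS Servers set ..." when none are set manually. The same file works as either script depending on the name it is installed under inside the .tblk.

```bash
#!/bin/bash
# Added example (not DNSCrypt's or Tunnelblick's own scripts). Install this file twice
# into the .tblk, once as pre-connect.sh and once as post-disconnect.sh.
# Assumptions are marked below.

STATE_FILE="${STATE_FILE:-/var/root/.dnscrypt-saved-dns}"   # assumption: root-only path, not /tmp

# Print the name of the first network service whose device is active (per ifconfig).
# Prints nothing and returns 1 when no active service is found.
current_service() {
    networksetup -listnetworkserviceorder | grep 'Hardware Port' | {
        while IFS= read -r line; do
            # assumption: lines look like "(Hardware Port: Wi-Fi, Device: en0)"
            name=$(printf '%s\n' "$line" | sed -E 's/^\(Hardware Port: (.*), Device: ([^)]*)\)$/\1/')
            dev=$(printf '%s\n' "$line" | sed -E 's/^\(Hardware Port: (.*), Device: ([^)]*)\)$/\2/')
            [ -n "$dev" ] || continue
            if ifconfig "$dev" 2>/dev/null | grep -q 'status: active'; then
                printf '%s\n' "$name"
                exit 0        # exits only this pipeline subshell
            fi
        done
        exit 1
    }
}

# pre-connect.sh: record the manually set servers (127.0.0.54 for DNSCrypt), then
# clear them so the service falls back to DHCP and Tunnelblick is free to install
# the resolver pushed by the OpenVPN server (10.10.49.1 in the log above).
pre_connect() {
    svc=$(current_service) || { echo "pre-connect: no active network service" >&2; return 1; }
    saved=$(networksetup -getdnsservers "$svc")
    case "$saved" in
        "There aren't any DNS Servers set"*) saved="" ;;   # assumption: networksetup's wording
    esac
    umask 077                                 # state file readable by root only
    {
        printf '%s\n' "$svc"                  # line 1: service name
        if [ -n "$saved" ]; then printf '%s\n' "$saved"; fi   # following lines: one server each
    } > "$STATE_FILE"
    networksetup -setdnsservers "$svc" empty
}

# post-disconnect.sh: put the saved servers back so DNSCrypt is in use again.
post_disconnect() {
    [ -r "$STATE_FILE" ] || { echo "post-disconnect: nothing to restore" >&2; return 1; }
    svc=$(sed -n '1p' "$STATE_FILE")
    set -- $(sed -n '2,$p' "$STATE_FILE")     # word-split the saved servers back into arguments
    for s in "$@"; do                         # the state file is input: accept only address-like tokens
        case "$s" in
            *[!0-9A-Fa-f.:%]*) echo "post-disconnect: refusing odd entry '$s'" >&2; return 1 ;;
        esac
    done
    if [ "$#" -gt 0 ]; then
        networksetup -setdnsservers "$svc" "$@"
    else
        networksetup -setdnsservers "$svc" empty
    fi
    rm -f "$STATE_FILE"
}

# Dispatch on the name this file was installed under inside the .tblk.
case "$(basename "$0")" in
    pre-connect.sh)     pre_connect ;;
    post-disconnect.sh) post_disconnect ;;
esac
```

If `pre_connect` ran but the VPN never came up, the state file is still there, so a later manual run of post-disconnect.sh restores DNSCrypt; that is the reason the restore step is keyed on the file rather than on a variable.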

Nello Lucchesi

Jun 27, 2016, 8:13:05 PM
to tunnelblick-discuss
On Monday, June 27, 2016 at 11:46:11 AM UTC-5, jkbull...gmail.com wrote:


If you end up doing this (or solve the problem some other way), please post here. 


It turns out that the scripts are trivial and already part of DNSCrypt for OSX:


/Library/Application Support/DNSCrypt/control/dnscrypt/switch-to-dnscrypt.sh
/Library/Application Support/DNSCrypt/control/dnscrypt/switch-to-dhcp.sh

jkbull...gmail.com

Jun 27, 2016, 8:15:08 PM
to tunnelblick-discuss
Cool! You can just rename the scripts and copy them into your .tblk.