.local domain behind VPN


wei...@soe.ucsc.edu

Mar 9, 2015, 1:15:22 PM3/9/15
to tunnelbli...@googlegroups.com
Greetings All,

I guess this is kind of a feature request more than anything...  So, for a very, very long time now (like 10 years or something) we have had our firewalled private network set up with an internal domain suffix of ".local".  As many of you probably know, Apple uses ".local" for Bonjour and mDNS services, and as such, when our Mac users are connected to our VPN service (with Tunnelblick) they cannot resolve hosts with the .local domain suffix inside our network, as the Mac itself tries to resolve those locally on the Mac without looking at the inserted DNS server from the OpenVPN push-config.

What I'm gleaning is that if you put a file in /etc/resolver/ on your Mac, called vpn.local for example, that you can get around this.  For reference:


What I'm wondering here is if it's possible for Tunnelblick to "notice" when the VPN pushed DNS search domain is ".local" and as a result configure the Mac, *when Tunnelblick is connected*, to look up .local domains correctly.  i.e. search the VPN-pushed name servers first for .local, then search localhost as needed for Bonjour, mDNS, etc.

A bunch of people have complained about this on the Internet in general.  I understand it's not a Tunnelblick shortcoming, rather, that Apple and the mDNS folks chose .local as a standard and that consequently broke some search domains for folks who were using .local prior to that.  I'd change our domain name, but the network is way too large to make that a real possibility.

Thanks so much for your consideration!!  And thanks for such a wonderful OpenVPN client.

cheers,
erich 

jkbull...gmail.com

Mar 10, 2015, 12:15:08 AM3/10/15
to tunnelbli...@googlegroups.com, wei...@soe.ucsc.edu
To do the setup/teardown of the special DNS info, you could create a "connected.sh" script and a "post-disconnect.sh" script to create and destroy the file and flush DNS. These scripts, when in a Tunnelblick VPN Configuration (a ".tblk"), will be executed by Tunnelblick as root after a VPN connection is made and after it is taken down.

Within the script, you could check that the search domain is .local and only do the work if it is.

Take a look at Tunnelblick's up/down scripts (/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh and client.down.tunnelblick.sh) to see how to get the domain search info and how to flush DNS.

I can't see adding this to Tunnelblick when it is needed by only a few people and has a reasonably straightforward work around.
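The connected.sh / post-disconnect.sh approach described in the reply above, as an added example; this is not Tunnelblick's own code and not from either poster. It assumes two hypothetical environment variables, VPN_SEARCH_DOMAIN (the pushed search domain, e.g. "local") and VPN_DNS_SERVERS (the pushed name servers, space separated); how those values are obtained from the pushed OpenVPN options is not stated in the thread, and the reply points at client.up.tunnelblick.sh for that. RESOLVER_DIR is an override so the logic can be exercised against a scratch directory; its default is /etc/resolver as in the original post. Because the script runs as root and writes a file the system resolver reads, it refuses anything other than dotted-quad IPv4 name servers rather than copying pushed values verbatim.

```shell
#!/bin/sh
# Added example (not Tunnelblick's code): the connected.sh / post-disconnect.sh
# logic from the reply, creating and removing an /etc/resolver entry for a
# pushed ".local" search domain and flushing DNS afterwards.
#
# ASSUMPTIONS (hypothetical, not from the thread or from Tunnelblick's docs):
#  - VPN_SEARCH_DOMAIN: the pushed search domain, e.g. "local" or "vpn.local"
#  - VPN_DNS_SERVERS:   the pushed name servers, space separated
#  - RESOLVER_DIR:      override for testing; defaults to /etc/resolver

RESOLVER_DIR="${RESOLVER_DIR:-/etc/resolver}"

# True when the pushed domain is ".local" or a subdomain of it, i.e. the
# case where the Mac would otherwise hand the query to mDNS.
is_local_domain() {
    domain=$(printf '%s' "$1" | sed 's/^\.//' | tr 'A-Z' 'a-z')
    case "$domain" in
        local|*.local) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept only dotted-quad IPv4 addresses; anything else is refused rather
# than written into a file that a root-owned resolver will read.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the resolver file body: one "nameserver" line per pushed server,
# plus a search_order so this entry is consulted ahead of the default resolver.
resolver_file_contents() {
    for ns in $1; do
        is_ipv4 "$ns" || { echo "refusing non-IPv4 nameserver: $ns" >&2; return 1; }
        printf 'nameserver %s\n' "$ns"
    done
    printf 'search_order 1\n'
}

# /etc/resolver/<domain>, with any leading dot stripped from the domain.
resolver_file_path() {
    printf '%s/%s\n' "$RESOLVER_DIR" "$(printf '%s' "$1" | sed 's/^\.//')"
}

# Standard macOS cache flush; errors are ignored so teardown always completes.
flush_dns() {
    dscacheutil -flushcache 2>/dev/null || true
    killall -HUP mDNSResponder 2>/dev/null || true
}

# connected.sh work: act only for a .local domain. Prints "skipped" or "created".
vpn_up() {
    is_local_domain "$1" || { echo skipped; return 0; }
    body=$(resolver_file_contents "$2") || return 1
    path=$(resolver_file_path "$1")
    mkdir -p "$RESOLVER_DIR"
    printf '%s\n' "$body" > "$path"
    chmod 644 "$path"
    echo created
}

# post-disconnect.sh work: remove the file we created. Prints "skipped" or "removed".
vpn_down() {
    is_local_domain "$1" || { echo skipped; return 0; }
    rm -f "$(resolver_file_path "$1")"
    echo removed
}

# Dispatch: "connected.sh" would call this with "up", "post-disconnect.sh" with "down".
case "${1:-}" in
    up)   vpn_up "$VPN_SEARCH_DOMAIN" "$VPN_DNS_SERVERS" && flush_dns ;;
    down) vpn_down "$VPN_SEARCH_DOMAIN" && flush_dns ;;
esac
```

In a .tblk you would install the same file twice, once as connected.sh invoking the "up" branch and once as post-disconnect.sh invoking the "down" branch, so the resolver entry exists only while the tunnel is up and .local queries fall back to Bonjour/mDNS as soon as it is torn down.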