Weird DNS Issues?


bryce....@gmail.com

Sep 30, 2014, 11:17:48 AM
to tunnelbli...@googlegroups.com
I'm having some really weird DNS issues. My VPN pushes the Google Public DNS IPs (8.8.8.8 and 8.8.4.4) but I'm having trouble resolving IPs outside of Chrome. Google tells me that my public IP is the IP of my VPS. I'm able to load any websites fine, but other programs are not able to resolve any IPs. My IRC client is unable to resolve any domains and Mac's Network Utilities are unable to resolve any domains.

Trying to nslookup google.com gives:

Lookup has started
google.com -> The operation couldn't be completed. (kCFErrorDomainCFNetwork error 2.)


Pinging google.com gives:

Ping has started...

ping: cannot resolve google.com: Unknown host


Trying to look up Freenode on Xchat Azure gives:

Looking up irc.freenode.net
Unknown host. Maybe you misspelled it?

But I'm still able to view the freenode website in Chrome.

Tunnelblick Log:

*Tunnelblick: OS X 10.9.5; Tunnelblick 3.4beta36 (build 3945); Admin user

"Sanitized" condensed configuration file for /Users/<username>/Library/Application Support/Tunnelblick/Configurations/client.tblk:

client
dev tun
proto udp
remote example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert bryce.crt
key bryce.key
ns-cert-type server
comp-lzo
verb 3


================================================================================

"Sanitized" full configuration file

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote example.com 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert bryce.crt
key bryce.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20



================================================================================

There are no unusual files in client.tblk

================================================================================

Configuration preferences:

useDNS = 1
-routeAllTrafficThroughVpn = 1
-lastConnectionSucceeded = 1

================================================================================

Wildcard preferences:


================================================================================

Program preferences:

launchAtNextLogin = 1
notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0
askedUserIfOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
tunnelblickVersionHistory = (
    "3.4beta36 (build 3945)"
)
lastLaunchTime = 433777362.872972
showConnectedDurations = 1
connectionWindowDisplayCriteria = showWhenConnecting
maxLogDisplaySize = 102400
lastConnectedDisplayName = client
installationUID (not shown)
keyboardShortcutIndex = 1
updateAutomatically = 1
updateCheckAutomatically = 1
updateSendProfileInfo = 1
NSWindow Frame SettingsSheetWindow = 296 74 829 424 0 0 1440 878 
NSWindow Frame ConnectingWindow = 525 519 389 187 0 0 1440 878 
detailsWindowFrameVersion = 3945
detailsWindowFrame = {{91, 251}, {920, 468}}
detailsWindowLeftFrame = {{0, 0}, {164, 350}}
leftNavSelectedDisplayName = client
haveDealtWithSparkle1dot5b6 = 1
haveDealtWithOldTunTapPreferences = 1
haveDealtWithOldLoginItem = 1
SUEnableAutomaticChecks = 1
SUScheduledCheckInterval = 86400
SUSendProfileInfo = 1
SUAutomaticallyUpdate = 1
SULastCheckTime = 2014-09-30 13:42:42 +0000
SULastProfileSubmissionDate = 2014-09-24 21:09:43 +0000
SUHasLaunchedBefore = 1
WebKitDefaultFontSize = 11
WebKitStandardFont = Lucida Grande

================================================================================

Tunnelblick Log:

2014-09-30 10:08:21 *Tunnelblick: OS X 10.9.5; Tunnelblick 3.4beta36 (build 3945)
2014-09-30 10:08:21 *Tunnelblick: Attempting connection with client using shadow copy; Set nameserver = 1; monitoring connection
2014-09-30 10:08:21 *Tunnelblick: openvpnstart start client.tblk 1337 1 0 1 0 17201 -ptADGNWradsgnw 2.2.1
2014-09-30 10:08:21 *Tunnelblick: openvpnstart starting OpenVPN
2014-09-30 10:08:21 *Tunnelblick: openvpnstart log:
     Tunnelblick: Loading tun-signed.kext
     Tunnelblick: 
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SUsers-S<username>-SLibrary-SApplication Support-STunnelblick-SConfigurations-Sclient.tblk-SContents-SResources-Sconfig.ovpn.1_0_1_0_17201.1337.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Users/<username>/client.tblk/Contents/Resources
          --config
          /Library/Application Support/Tunnelblick/Users/<username>/client.tblk/Contents/Resources/config.ovpn
          --cd
          /Library/Application Support/Tunnelblick/Users/<username>/client.tblk/Contents/Resources
          --management
          127.0.0.1
          1337
          --management-query-passwords
          --management-hold
          --redirect-gateway
          def1
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -f -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -f -ptADGNWradsgnw

2014-09-30 10:08:21 *Tunnelblick: Established communication with OpenVPN
2014-09-30 10:08:21 OpenVPN 2.2.1 i386-apple-darwin [SSL] [LZO2] [PKCS11] [eurephia] built on Sep  1 2014
2014-09-30 10:08:21 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
2014-09-30 10:08:21 Need hold release from management interface, waiting...
2014-09-30 10:08:21 MANAGEMENT: Client connected from 127.0.0.1:1337
2014-09-30 10:08:21 MANAGEMENT: CMD 'pid'
2014-09-30 10:08:21 MANAGEMENT: CMD 'state on'
2014-09-30 10:08:21 MANAGEMENT: CMD 'state'
2014-09-30 10:08:21 MANAGEMENT: CMD 'bytecount 1'
2014-09-30 10:08:21 MANAGEMENT: CMD 'hold release'
2014-09-30 10:08:21 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2014-09-30 10:08:21 LZO compression initialized
2014-09-30 10:08:21 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
2014-09-30 10:08:21 Socket Buffers: R=[196724->65536] S=[9216->65536]
2014-09-30 10:08:21 MANAGEMENT: >STATE:1412089701,RESOLVE,,,
2014-09-30 10:08:21 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
2014-09-30 10:08:21 Local Options hash (VER=V4): '41690919'
2014-09-30 10:08:21 Expected Remote Options hash (VER=V4): '530fdded'
2014-09-30 10:08:21 UDPv4 link local: [undef]
2014-09-30 10:08:21 UDPv4 link remote: <VPS IP>:1194
2014-09-30 10:08:21 MANAGEMENT: >STATE:1412089701,WAIT,,,
2014-09-30 10:08:21 MANAGEMENT: >STATE:1412089701,AUTH,,,
2014-09-30 10:08:21 TLS: Initial packet from <VPS IP>:1194, sid=d60b15a7 6b4b73c1
2014-09-30 10:08:21 VERIFY OK: depth=1, /C=US/ST=WI/L=Appleton/O=SWWS_Industries_LLC/OU=N/A/CN=example.com/name=Bryce_Walther/emailAddress=br...@example.com
2014-09-30 10:08:21 VERIFY OK: nsCertType=SERVER
2014-09-30 10:08:21 VERIFY OK: depth=0, /C=US/ST=WI/L=Appleton/O=SWWS_Industries_LLC/OU=N/A/CN=example.com/name=Bryce_Walther/emailAddress=br...@example.com
2014-09-30 10:08:22 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2014-09-30 10:08:22 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2014-09-30 10:08:22 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2014-09-30 10:08:22 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2014-09-30 10:08:22 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
2014-09-30 10:08:22 [example.com] Peer Connection Initiated with <VPS IP>:1194
2014-09-30 10:08:23 MANAGEMENT: >STATE:1412089703,GET_CONFIG,,,
2014-09-30 10:08:24 SENT CONTROL [example.com]: 'PUSH_REQUEST' (status=1)
2014-09-30 10:08:24 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
2014-09-30 10:08:24 OPTIONS IMPORT: timers and/or timeouts modified
2014-09-30 10:08:24 OPTIONS IMPORT: --ifconfig/up options modified
2014-09-30 10:08:24 OPTIONS IMPORT: route options modified
2014-09-30 10:08:24 ROUTE default_gateway=10.5.128.1
2014-09-30 10:08:24 TUN/TAP device /dev/tun0 opened
2014-09-30 10:08:24 MANAGEMENT: >STATE:1412089704,ASSIGN_IP,,10.8.0.6,
2014-09-30 10:08:24 /sbin/ifconfig tun0 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2014-09-30 10:08:24 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2014-09-30 10:08:24 /sbin/ifconfig tun0 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
2014-09-30 10:08:24 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -f -ptADGNWradsgnw tun0 1500 1542 10.8.0.6 10.8.0.5 init
                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
                                        No network configuration changes need to be made.
                                        Will NOT monitor for other network configuration changes.
                                        End of output from client.up.tunnelblick.sh
                                        **********************************************
2014-09-30 10:08:26 /sbin/route add -net <VPS IP> 10.5.128.1 255.255.255.255
                                        add net <VPS IP>: gateway 10.5.128.1
2014-09-30 10:08:26 /sbin/route add -net 0.0.0.0 10.8.0.5 128.0.0.0
                                        add net 0.0.0.0: gateway 10.8.0.5
2014-09-30 10:08:26 /sbin/route add -net 128.0.0.0 10.8.0.5 128.0.0.0
2014-09-30 10:08:26 *Tunnelblick: No 'connected.sh' script to execute
                                        add net 128.0.0.0: gateway 10.8.0.5
2014-09-30 10:08:26 MANAGEMENT: >STATE:1412089706,ADD_ROUTES,,,
2014-09-30 10:08:26 /sbin/route add -net 10.8.0.1 10.8.0.5 255.255.255.255
                                        add net 10.8.0.1: gateway 10.8.0.5
2014-09-30 10:08:26 Initialization Sequence Completed
2014-09-30 10:08:26 MANAGEMENT: >STATE:1412089706,CONNECTED,SUCCESS,10.8.0.6,<VPS IP>
2014-09-30 10:08:46 *Tunnelblick: This computer's apparent public IP address changed from 198.150.183.11 before connection to <VPS IP> after connection
2014-09-30 10:14:10 *Tunnelblick: Disconnecting; VPN Details… window disconnect button pressed
2014-09-30 10:14:10 *Tunnelblick: Disconnecting using 'kill'
2014-09-30 10:14:10 event_wait : Interrupted system call (code=4)
2014-09-30 10:14:10 TCP/UDP: Closing socket
2014-09-30 10:14:10 /sbin/route delete -net 10.8.0.1 10.8.0.5 255.255.255.255
                                        delete net 10.8.0.1: gateway 10.8.0.5
2014-09-30 10:14:10 /sbin/route delete -net <VPS IP> 10.5.128.1 255.255.255.255
                                        delete net <VPS IP>: gateway 10.5.128.1
2014-09-30 10:14:10 /sbin/route delete -net 0.0.0.0 10.8.0.5 128.0.0.0
                                        delete net 0.0.0.0: gateway 10.8.0.5
2014-09-30 10:14:10 /sbin/route delete -net 128.0.0.0 10.8.0.5 128.0.0.0
                                        delete net 128.0.0.0: gateway 10.8.0.5
2014-09-30 10:14:10 Closing TUN/TAP interface
2014-09-30 10:14:10 /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -f -ptADGNWradsgnw tun0 1500 1542 10.8.0.6 10.8.0.5 init
                                        **********************************************
                                        Start of output from client.down.tunnelblick.sh
                                        WARNING: Not restoring DNS settings because no saved Tunnelblick DNS information was found.
                                        End of output from client.down.tunnelblick.sh
                                        **********************************************
2014-09-30 10:14:11 SIGTERM[hard,] received, process exiting
2014-09-30 10:14:11 MANAGEMENT: >STATE:1412090051,EXITING,SIGTERM,,
2014-09-30 10:14:11 *Tunnelblick: No 'post-disconnect.sh' script to execute
2014-09-30 10:14:11 *Tunnelblick: Expected disconnection occurred.

================================================================================

Console Log:

2014-09-30 08:38:08 Tunnelblick[21692] setShutdownVariables: invoked, but have already set them
2014-09-30 08:38:12 Tunnelblick[21692] setShutdownVariables: invoked, but have already set them
2014-09-30 08:38:12 Tunnelblick[21692] applicationShouldTerminate: termination because of restart; delayed until 'shutdownTunnelblick' finishes
2014-09-30 08:38:12 Tunnelblick[21692] Finished shutting down Tunnelblick; allowing termination
2014-09-30 08:42:42 Tunnelblick[617] Set program update feedURL to https://www.tunnelblick.net/appcast-b.rss
2014-09-30 08:42:43 Tunnelblick[617] DEBUG: Updater: systemVersion 10.9.5 satisfies minimumSystemVersion 10.4.0
2014-09-30 08:42:43 Tunnelblick[617] DEBUG: Updater: systemVersion 10.9.5 satisfies minimumSystemVersion 10.4.0

================================================================================

Non-Apple kexts that are loaded:

Index Refs Address            Size       Wired      Name (Version) <Linked Against>


Thank you in advance.

jkbull...gmail.com

Sep 30, 2014, 11:36:25 AM
to tunnelbli...@googlegroups.com, bryce....@gmail.com
Your VPN server does not push DNS:

2014-09-30 10:08:24 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'

(No "dhcp-option DNS" is being pushed.)

I think that whatever DNS server is used before you connect the VPN is still being used and that it isn't responding (perhaps your ISP's DNS server, which may only respond to queries from within its network; when you are connected to the VPN your queries come from outside that network).

If so, nothing should work.

I don't know why or how Chrome works; perhaps it does its own DNS lookups using Google DNS. (I suppose that's quite possible, maybe even likely.)

By the way, ping and many other command-line utilities don't do DNS resolution the way that most of OS X does, so inconsistent results are not a big surprise.

Try fixing your OpenVPN server to actually push the DNS servers to use, or changing your computer's network settings manually to use Google DNS (or whatever you want).
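The check described in the reply above, as an added example that is not part of the thread or of Tunnelblick: a small Python script that pulls the PUSH_REPLY out of an OpenVPN client log and flags the condition seen here, a full-tunnel redirect (redirect-gateway) arriving with no "dhcp-option DNS" alongside it. The first log line is copied from the post above; the "fixed" log line, and the class and function names, are my own constructions for the example. It also emits the server-side push directives that would correct the PUSH_REPLY.

```python
"""Added example: detect an OpenVPN PUSH_REPLY that redirects all traffic
without pushing DNS servers (the failure mode in the thread above)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Matches the OpenVPN client log line that carries the server's pushed options.
PUSH_RE = re.compile(r"PUSH: Received control message: '(?P<body>[^']*)'")


@dataclass
class PushSummary:
    options: list[str] = field(default_factory=list)
    dns_servers: list[str] = field(default_factory=list)
    redirects_gateway: bool = False

    @property
    def dns_problem(self) -> bool:
        # Full-tunnel redirect with no pushed resolver: queries now leave via the
        # VPN but still go to the pre-VPN resolver, which may refuse them.
        return self.redirects_gateway and not self.dns_servers


def parse_push_reply(body: str) -> PushSummary:
    """Parse 'PUSH_REPLY,opt1,opt2,...' (comma-separated options, each with
    space-separated arguments) into a PushSummary."""
    summary = PushSummary()
    parts = body.split(",")
    if parts and parts[0] == "PUSH_REPLY":
        parts = parts[1:]
    for opt in parts:
        opt = opt.strip()
        if not opt:
            continue
        summary.options.append(opt)
        words = opt.split()
        if words[0] == "redirect-gateway":
            summary.redirects_gateway = True
        elif words[0] == "dhcp-option" and len(words) >= 3 and words[1].upper() == "DNS":
            summary.dns_servers.append(words[2])
    return summary


def check_log(log_text: str) -> list[PushSummary]:
    """Return one PushSummary per PUSH_REPLY found in a client log."""
    return [parse_push_reply(m.group("body")) for m in PUSH_RE.finditer(log_text)]


def suggested_server_lines(dns_servers: list[str]) -> list[str]:
    """Server-config directives that would add the missing DNS push."""
    return [f'push "dhcp-option DNS {ip}"' for ip in dns_servers]


# Copied from the Tunnelblick log in the thread (no DNS pushed).
THREAD_LOG = (
    "2014-09-30 10:08:24 PUSH: Received control message: 'PUSH_REPLY,"
    "redirect-gateway def1 bypass-dhcp,route 10.8.0.1,topology net30,"
    "ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'"
)

# Constructed for this example: the same reply after the server pushes DNS.
FIXED_LOG = (
    "2014-09-30 10:08:24 PUSH: Received control message: 'PUSH_REPLY,"
    "redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,"
    "dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,"
    "ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'"
)

if __name__ == "__main__":
    for label, log in (("thread", THREAD_LOG), ("fixed", FIXED_LOG)):
        for s in check_log(log):
            print(f"{label}: redirect={s.redirects_gateway} dns={s.dns_servers} "
                  f"problem={s.dns_problem}")
            if s.dns_problem:
                print("  add to server config:",
                      *suggested_server_lines(["8.8.8.8", "8.8.4.4"]), sep="\n  ")
```

Run against the log above it reports the redirect with an empty DNS list and prints the two push lines; against the constructed fixed log it reports no problem. On the client side the matching symptom is the up-script output in the log ("No network configuration changes need to be made."), and after a reconnect `scutil --dns` on OS X should list the pushed resolvers for the tun interface.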

bryce....@gmail.com

Sep 30, 2014, 11:50:46 AM
to tunnelbli...@googlegroups.com, bryce....@gmail.com
Thanks a ton, that seemed to be it. My push "dhcp-option DNS 8.8.8.8" and 8.8.4.4 lines were commented out for some reason. I'm a bit confused because the DNS tab on advanced network info looks the same with 8.8.8.8, 8.8.4.4 greyed out. Ah well, thanks a ton!