Split DNS Script for TunnelBlick client


Scott Mead

Oct 10, 2013, 2:07:18 PM
to tunnelbli...@googlegroups.com
Hey all, 

   I've been working on an OpenVPN implementation for a few days and ran into one issue that was a bit of a show-stopper: split-dns.  Our internal DNS on the existing VPN only knows about internal hosts and does not forward for... many reasons.  I noticed that this didn't seem to be an option in either the OpenVPN server or the TunnelBlick client.  

   I did some research and found the /Applications/TunnelBlick.app/Contents/Resources/client.up.tunnelblick.sh file.  

   With a simple modification to this file, I leave the existing client DNS server(s) and search domain(s) in place and then append the VPN-pushed DNS server(s) and search domain(s).  I'm guessing that if you had 6 DNS servers pre-existing on the client, this script may not work for you.  That being said, I control the clients on this network so it's a non-issue for me.

  Please find attached a diff of the script for your feedback and/or enjoyment.

--Scott

OpenSCG, Inc.

client.up.tunnelblick.sh.append_vpn_dns.diff

jkbull...gmail.com

Oct 10, 2013, 4:07:29 PM
to tunnelbli...@googlegroups.com, sco...@openscg.com
Thanks for posting this.

I'm not sure about the search domain part of what you're doing, but the DNS part doesn't do what you think it does.

What it does is append a new DNS server address(es) to the current DNS server address(es). So if the original DNS server is Google Public DNS (8.8.8.8) and the DNS server pushed by the OpenVPN server is 1.2.3.4, you end up with DNS addresses of 8.8.8.8, 1.2.3.4.

That means that 8.8.8.8 is used to resolve names as long as it responds (even if it responds that it does not know the name). 1.2.3.4 is only queried if 8.8.8.8 stops responding. Usually, the first nameserver (in this example, 8.8.8.8) is given 30 seconds to respond.

So if you ask for "internalcompanyasset.example.com", 8.8.8.8 will respond that it is not known, and 1.2.3.4 will never be consulted.

Scott Mead

Oct 10, 2013, 5:54:10 PM
to jkbull...gmail.com, tunnelbli...@googlegroups.com
I see that now :)

   So, when I use the built-in OS X VPN for a PPTP VPN, I can see

resolver #1
    domains
    nameserver[0]
    etc...

resolver #2
    domains
    nameserver[0]
    etc...

 but I can't seem to find how to make scutil do that.  Any ideas?

--Scott

Scott Mead

Oct 10, 2013, 7:55:46 PM
to jkbull...gmail.com, tunnelbli...@googlegroups.com
Okay, 

  I figured this out, but the scripting will take a bit of time.  To get this working, you have to leave the PrimaryService untouched and create a secondary service (OpenVPN is already being created).  I created a second service with a /DNS key.  That wasn't enough for it to pick up a second resolver.  In order for that to happen, you need your own service with a /DNS key and a /IPv4 key.  Once you do that, then an `scutil --dns` will show what I'm looking for!

The only thing I am worried about is that the 'State' subsection of the config database really likes GUIDs.  I can generate that on OS X via the command line with `uuidgen`, but I'm not sure how reliable that is on all releases of OS X.


Now, I can ping freely and I have multiple resolvers showing up.  [ Much Dancing Ensued ]

Manually, I had to run:

sudo scutil
open
d.init
d.add SearchDomains * domaina.int domainb.int domainc.int
d.add SupplementalMatchDomains * domaina.int domainb.int domainc.int
d.add SupplementalMatchOrders * 100000 100000 100000
d.add ServerAddresses * dns.server.ip.addr
d.show
set State:/Network/Service/D1B8B972-4B47-424E-80B6-B56665D0C3EB/DNS

d.init
d.add Addresses * my.vpn.client.addr
d.add DestAddresses * my.vpn.client.serv   # internal
d.add InterfaceName tun0
d.add NetworkSignature VPN.RemoteAddress=vpn.example.com
d.add Router my.router.ip.addr
d.add ServerAddress ext.vpn.service.ip
set State:/Network/Service/D1B8B972-4B47-424E-80B6-B56665D0C3EB/IPv4


Once I did that, I could ping freely around the VPN and everything worked great with my (now working) split DNS :)

--Scott
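The manual scutil session above is the part that would have to be scripted for an up-script. The following is an added example, not code from the thread or from Tunnelblick: a POSIX shell fragment that generates the same sequence of scutil commands (a DNS dictionary plus the IPv4 dictionary that makes the second resolver appear) under one service GUID taken from `uuidgen`, as Scott proposes. The function names, the argument layout and every address, interface and domain value in the demo call are assumptions chosen for illustration; in a real up-script they would come from the OpenVPN environment variables instead. The point of generating the text rather than calling scutil directly is that the output can be inspected (and tested) before it is piped into `sudo scutil`.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds the scutil command
# script for a secondary State:/Network/Service/<GUID> entry carrying both a
# /DNS and an /IPv4 dictionary, which is what Scott found was needed for
# `scutil --dns` to list a second resolver. All function names and sample
# values are assumptions for illustration.

# Produce an uppercase service GUID. uuidgen exists on macOS (and in
# util-linux); the zero GUID is a labelled placeholder so the script still
# runs where uuidgen is absent.
new_service_guid() {
    if command -v uuidgen >/dev/null 2>&1; then
        uuidgen | tr '[:lower:]' '[:upper:]'
    else
        echo "00000000-0000-0000-0000-000000000000"   # placeholder GUID
    fi
}

# Emit the /DNS dictionary commands.
# $1 = service GUID, $2 = DNS servers (space separated), $3 = domains (space separated)
build_dns_commands() {
    guid=$1; servers=$2; domains=$3
    # One SupplementalMatchOrders entry per domain, as in the manual session.
    orders=""
    for _d in $domains; do orders="$orders 100000"; done
    orders=${orders# }
    printf 'd.init\n'
    printf 'd.add SearchDomains * %s\n' "$domains"
    printf 'd.add SupplementalMatchDomains * %s\n' "$domains"
    printf 'd.add SupplementalMatchOrders * %s\n' "$orders"
    printf 'd.add ServerAddresses * %s\n' "$servers"
    printf 'set State:/Network/Service/%s/DNS\n' "$guid"
}

# Emit the /IPv4 dictionary commands.
# $1 = GUID, $2 = interface, $3 = local addr, $4 = peer addr,
# $5 = router, $6 = VPN server addr, $7 = remote hostname for NetworkSignature
build_ipv4_commands() {
    guid=$1; ifname=$2; local_addr=$3; dest_addr=$4
    router=$5; server=$6; remote=$7
    printf 'd.init\n'
    printf 'd.add Addresses * %s\n' "$local_addr"
    printf 'd.add DestAddresses * %s\n' "$dest_addr"
    printf 'd.add InterfaceName %s\n' "$ifname"
    printf 'd.add NetworkSignature VPN.RemoteAddress=%s\n' "$remote"
    printf 'd.add Router %s\n' "$router"
    printf 'd.add ServerAddress %s\n' "$server"
    printf 'set State:/Network/Service/%s/IPv4\n' "$guid"
}

# Whole scutil script: open, both dictionaries under the same GUID, quit.
# Arguments: GUID, dns_servers, domains, ifname, local, peer, router, server, remote
build_scutil_script() {
    guid=$1
    printf 'open\n'
    build_dns_commands "$guid" "$2" "$3"
    build_ipv4_commands "$guid" "$4" "$5" "$6" "$7" "$8" "$9"
    printf 'quit\n'
}

# Sanity check used before piping to scutil: count the `set` lines that
# target the given GUID (expect 2, one for /DNS and one for /IPv4).
count_set_lines() {
    printf '%s\n' "$1" | grep -c "^set State:/Network/Service/$2/"
}

# Demo with constructed sample values (not real hosts).
demo_guid=$(new_service_guid)
build_scutil_script "$demo_guid" "10.8.0.1" "domaina.int domainb.int" \
    "tun0" "10.8.0.6" "10.8.0.5" "10.8.0.5" "203.0.113.10" "vpn.example.com"
```

To apply it you would pipe the generated text into `sudo scutil`, and the GUID should be written somewhere the matching down-script can read it, since the same `State:/Network/Service/<GUID>/DNS` and `/IPv4` keys have to be removed again when the tunnel closes or the stale resolver lingers after disconnect. The `set` lines are only as good as the dictionary contents, so `count_set_lines` is a cheap check that both dictionaries landed under one service key before anything touches the configuration database.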