Development discussion of WireGuard
* Mac APP DNS Search Domain
@ 2021-07-17 10:09 Sven Auhagen
  2021-08-09 16:12 ` Stephen Larew
From: Sven Auhagen @ 2021-07-17 10:09 UTC (permalink / raw)
  To: wireguard

Hi,

the DNS search domain in the Wireguard Mac APP does not seem to work properly.
The search domain is added properly and I can see it in the DNS configuration
for the scoped query:

resolver #2
search domain[0] : mytestdomain.com
nameserver[0] : 192.168.6.1
if_index : 17 (utun4)
flags    : Scoped, Request A records
reach    : 0x00000002 (Reachable)

but the global resolver is using a mix of my LAN and Wireguard DNS resolver:

resolver #1
search domain[0] : sven.lan
nameserver[0] : 192.168.6.1
if_index : 17 (utun4)
flags    : Supplemental, Request A records
reach    : 0x00000002 (Reachable)
order    : 102200

I found a discussion on Github about the issue here:
https://github.com/tailscale/tailscale/issues/101#issuecomment-639286398

suggesting that the following will fix it:

--- a/Sources/WireGuardKit/PacketTunnelSettingsGenerator.swift
+++ b/Sources/WireGuardKit/PacketTunnelSettingsGenerator.swift
@@ -88,7 +88,7 @@ class PacketTunnelSettingsGenerator {
             let dnsSettings = NEDNSSettings(servers: dnsServerStrings)
             dnsSettings.searchDomains = tunnelConfiguration.interface.dnsSearch
             if !tunnelConfiguration.interface.dns.isEmpty {
-                dnsSettings.matchDomains = [""] // All DNS queries must first go through the tunnel's DNS
+                dnsSettings.matchDomains = [""] + dnsSettings.searchDomains // All DNS queries must first go through the tunnel's DNS
             }
             networkSettings.dnsSettings = dnsSettings
         }
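Review bot: `[""] + dnsSettings.searchDomains` on the `+` line will not type-check, because `NEDNSSettings.searchDomains` is an optional `[String]?` and there is no `+` between `[String]` and `[String]?`; the non-optional source is already on the line above, so write `dnsSettings.matchDomains = [""] + tunnelConfiguration.interface.dnsSearch` (an empty `dnsSearch` then leaves `[""]` unchanged, so no extra guard is needed). The trailing comment is also stale after this change: since `""` is kept, every query still goes to the tunnel's DNS first, which is exactly the property the comment describes and the one that keeps queries off the LAN resolver; the only thing the hunk alters is that the search domains are additionally listed as match domains, and the comment should say that, together with why it is needed.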

I do not have an Apple Developer Account so I am not able to compile the code and test it.
Can anyone take a look as this would be a great help.

Best
Sven



Beste Grüße/Best regards

Sven Auhagen
Dipl. Math. oec., M.Sc.
Voleatech GmbH
HRB: B 754643
USTID: DE303643180
Grathwohlstr. 5
72762 Reutlingen
Tel: +49 7121539550
Fax: +49 71215395599
E-Mail: sven.auhagen@voleatech.de
www.voleatech.de
This information is intended solely for the addressee and may contain confidential or legally protected information. If you are not the intended addressee, please notify the sender and destroy this e-mail. Anyone other than the intended addressee is prohibited from reading, storing, forwarding or otherwise using the content of this e-mail in any way. For the addressee, the information in this e-mail is for personal use only. It may be forwarded only after consultation with the sender. We use up-to-date anti-virus software. We nevertheless accept no liability for damage caused to the recipient by virus-infected e-mails sent by us.


* Re: Mac APP DNS Search Domain
  2021-07-17 10:09 Mac APP DNS Search Domain Sven Auhagen
@ 2021-08-09 16:12 ` Stephen Larew
  2021-08-10  7:42   ` Sven Auhagen
From: Stephen Larew @ 2021-08-09 16:12 UTC (permalink / raw)
  To: Sven Auhagen; +Cc: wireguard

On Jul 17, 2021, at 03:09, Sven Auhagen <sven.auhagen@voleatech.de> wrote:
> 
> Hi,
> 
> the DNS search domain in the Wireguard Mac APP does not seem to work properly.
> The search domain is added properly and I can see it in the DNS configuration
> for the scoped query:
> 
> resolver #2
> search domain[0] : mytestdomain.com
> nameserver[0] : 192.168.6.1
> if_index : 17 (utun4)
> flags    : Scoped, Request A records
> reach    : 0x00000002 (Reachable)
> 
> but the global resolver is using a mix of my LAN and Wireguard DNS resolver:
> 
> resolver #1
> search domain[0] : sven.lan
> nameserver[0] : 192.168.6.1
> if_index : 17 (utun4)
> flags    : Supplemental, Request A records
> reach    : 0x00000002 (Reachable)
> order    : 102200
> 
> I found a discussion on Github about the issue here:
> https://github.com/tailscale/tailscale/issues/101#issuecomment-639286398
> 
> suggesting that the following will fix it:
> 
> --- a/Sources/WireGuardKit/PacketTunnelSettingsGenerator.swift
> +++ b/Sources/WireGuardKit/PacketTunnelSettingsGenerator.swift
> @@ -88,7 +88,7 @@ class PacketTunnelSettingsGenerator {
>             let dnsSettings = NEDNSSettings(servers: dnsServerStrings)
>             dnsSettings.searchDomains = tunnelConfiguration.interface.dnsSearch
>             if !tunnelConfiguration.interface.dns.isEmpty {
> -                dnsSettings.matchDomains = [""] // All DNS queries must first go through the tunnel's DNS
> +                dnsSettings.matchDomains = [""] + dnsSettings.searchDomains // All DNS queries must first go through the tunnel's DNS
>             }
>             networkSettings.dnsSettings = dnsSettings
>         }
> 
> I do not have an Apple Developer Account so I am not able to compile the code and test it.
> Can anyone take a look as this would be a great help.
> 
> Best
> Sven

Sven,

I have a patch for the Wireguard Mac app that enables proper split DNS support. It works well in my usage.  I should properly submit the patch for review by Wireguard folks.  Until then, you can get the patch here:

https://github.com/slarew/wireguard-apple/commit/6ebc356d9e11ab91443e06de5e89f1af57fcdff8

> Enable "split DNS" configurations for an interface
> 
> By adding a tilde prefix to a domain name entry in the DNS= line, the
> domain is interpreted as a "matching domain" for DNS routing instead of
> a "search domain."  This corresponds to setting a non-empty
> NEDNSSettings.matchDomains property for the network tunnel.  Using tilde
> as a prefix is borrowed from systemd-resolved's equivalent usage.
> 
> If one or more match domains are specified, then the specified DNS
> resolvers are only used for those matching domains instead of acting as
> the first resolver before the system's primary DNS resolvers.

-Stephen

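To make the two conventions in this thread concrete, here is an added example (not code from wireguard-apple, nor from Sven's or Stephen's patches) that parses a WireGuard [Interface] DNS= value into the three fields the Swift code fills into NEDNSSettings (servers, search domains, match domains) and then shows where a query ends up under each shape. Everything beyond the thread is an assumption and is labelled as such in the code: entries that parse as IP addresses are servers and everything else is a domain; a leading "~" marks a match domain as in Stephen's commit message, with "~." taken to mean "match everything" as in systemd-resolved; servers with no match domains produce matchDomains = [""], the catch-all current wireguard-apple sets; and query routing is a deliberately simple model (expand a single-label name with the tunnel's search domains, then send it to the tunnel resolver only if it falls under a match domain), not a description of what mDNSResponder actually does. The example also accepts IPv6 servers, which the thread does not mention.

```python
"""Model of the two DNS= conventions discussed in this thread.

Added example; not code from wireguard-apple, Sven's patch or Stephen's
patch.  Assumptions made here:
  * an entry that parses as an IP address is a server, anything else is a
    domain, and a leading "~" marks a *match* domain (Stephen's proposed
    syntax, borrowed from systemd-resolved); "~." means "match everything";
  * when servers are given but no match domains, matchDomains becomes [""],
    the catch-all that current wireguard-apple sets;
  * routing is modelled as: a single-label name is first expanded with the
    tunnel's search domains, then a name is sent to the tunnel resolver if
    it falls under one of its match domains, otherwise to the system
    resolver.  Real mDNSResponder behaviour is more involved; this only
    shows the consequences of the two NEDNSSettings shapes.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class DNSSettings:
    """Mirror of the three NEDNSSettings fields the Swift code fills in."""
    servers: list[str]
    search_domains: list[str] = field(default_factory=list)
    match_domains: list[str] = field(default_factory=list)


def _norm(domain: str) -> str:
    return domain.strip().lower().rstrip(".")


def parse_dns_line(value: str) -> DNSSettings:
    """Split a WireGuard [Interface] DNS= value into servers/search/match."""
    servers: list[str] = []
    search: list[str] = []
    match: list[str] = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        try:
            ipaddress.ip_address(item)
        except ValueError:
            pass
        else:
            servers.append(item)
            continue
        if item.startswith("~"):
            match.append(_norm(item[1:]))   # "~." normalises to "" (catch-all)
        else:
            search.append(_norm(item))
    if servers and not match:
        match = [""]  # current behaviour: tunnel DNS is the default for every query
    return DNSSettings(servers, search, match)


def in_domain(name: str, domain: str) -> bool:
    """Suffix match on label boundaries; "" matches every name."""
    return domain == "" or name == domain or name.endswith("." + domain)


def route_query(query: str, settings: DNSSettings) -> tuple[str, str]:
    """Return (resolver, name_sent) for `query` under the model above."""
    name = _norm(query)
    if "." in name or not settings.search_domains:
        candidates = [name]
    else:
        candidates = [f"{name}.{sd}" for sd in settings.search_domains]
    for cand in candidates:
        if any(in_domain(cand, m) for m in settings.match_domains):
            return ("tunnel", cand)
    return ("system", name)


if __name__ == "__main__":
    # Constructed configs, using the address and domain from Sven's report.
    default_all = parse_dns_line("192.168.6.1, mytestdomain.com")
    split = parse_dns_line("192.168.6.1, mytestdomain.com, ~mytestdomain.com, ~corp.example")
    for label, cfg in (("catch-all", default_all), ("split", split)):
        print(label, cfg.match_domains)
        for q in ("intranet", "db.corp.example", "example.com", "fakecorp.example"):
            print("  ", q, "->", route_query(q, cfg))
```

Two things fall out of the model that matter when choosing between the shapes: with the catch-all `[""]` nothing is routed to the LAN resolver, so the tunnel resolver sees every query (no leak of names to the local network, at the cost of the tunnel having to resolve everything); with explicit match domains, a short name only reaches the tunnel resolver if the search domain it is expanded with is itself under a match domain, so a config such as `DNS = 192.168.6.1, sven.lan, ~corp.example` sends `intranet` to the system resolver.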

* Re: Mac APP DNS Search Domain
  2021-08-09 16:12 ` Stephen Larew
@ 2021-08-10  7:42   ` Sven Auhagen
From: Sven Auhagen @ 2021-08-10  7:42 UTC (permalink / raw)
  To: Stephen Larew; +Cc: wireguard

On Mon, Aug 09, 2021 at 09:12:05AM -0700, Stephen Larew wrote:
> On Jul 17, 2021, at 03:09, Sven Auhagen <sven.auhagen@voleatech.de> wrote:
> >
> > Hi,
> >
> > the DNS search domain in the Wireguard Mac APP does not seem to work properly.
> > The search domain is added properly and I can see it in the DNS configuration
> > for the scoped query:
> >
> > resolver #2
> > search domain[0] : mytestdomain.com
> > nameserver[0] : 192.168.6.1
> > if_index : 17 (utun4)
> > flags    : Scoped, Request A records
> > reach    : 0x00000002 (Reachable)
> >
> > but the global resolver is using a mix of my LAN and Wireguard DNS resolver:
> >
> > resolver #1
> > search domain[0] : sven.lan
> > nameserver[0] : 192.168.6.1
> > if_index : 17 (utun4)
> > flags    : Supplemental, Request A records
> > reach    : 0x00000002 (Reachable)
> > order    : 102200
> >
> > I found a discussion on Github about the issue here:
> > https://github.com/tailscale/tailscale/issues/101#issuecomment-639286398
> >
> > suggesting that the following will fix it:
> >
> > --- a/Sources/WireGuardKit/PacketTunnelSettingsGenerator.swift
> > +++ b/Sources/WireGuardKit/PacketTunnelSettingsGenerator.swift
> > @@ -88,7 +88,7 @@ class PacketTunnelSettingsGenerator {
> >             let dnsSettings = NEDNSSettings(servers: dnsServerStrings)
> >             dnsSettings.searchDomains = tunnelConfiguration.interface.dnsSearch
> >             if !tunnelConfiguration.interface.dns.isEmpty {
> > -                dnsSettings.matchDomains = [""] // All DNS queries must first go through the tunnel's DNS
> > +                dnsSettings.matchDomains = [""] + dnsSettings.searchDomains // All DNS queries must first go through the tunnel's DNS
> >             }
> >             networkSettings.dnsSettings = dnsSettings
> >         }
> >
> > I do not have an Apple Developer Account so I am not able to compile the code and test it.
> > Can anyone take a look as this would be a great help.
> >
> > Best
> > Sven
>
> Sven,
>
> I have a patch for Wireguard Mac app that enables proper split DNS support. It works well in my usage.  I should properly submit the patch for review by Wireguard folks.  Until then, you can get the patch here:
>
> https://github.com/slarew/wireguard-apple/commit/6ebc356d9e11ab91443e06de5e89f1af57fcdff8
>
> > Enable "split DNS" configurations for an interface
> >
> > By adding a tilde prefix to a domain name entry in the DNS= line, the
> > domain is interpreted as a "matching domain" for DNS routing instead of
> > a "search domain."  This corresponds to setting a non-empty
> > NEDNSSettings.matchDomains property for the network tunnel.  Using tilde
> > as a prefix is borrowed from systemd-resolved's equivalent usage.
> >
> > If one or more match domains are specified, then the specified DNS
> > resolvers are only used for those matching domains instead of acting as
> > the first resolver before the system's primary DNS resolvers.

Thanks Stephen.
It would be great if you can upstream the patch.
The current behaviour is a problem for non-technical users who rely on the short DNS names.

Best
Sven

>
> -Stephen

