Development discussion of WireGuard
From: Alexander Skwar <alexanders.mailinglists+nospam@gmail.com>
To: Gijs Conijn <egc112@msn.com>
Cc: wireguard@lists.zx2c4.com
Subject: Re: WireGuard macOS App doesn't set system default DNS
Date: Mon, 3 Aug 2020 14:14:05 +0200	[thread overview]
Message-ID: <CADn-QaMEbXB9T9xMz3QQ0rFOKSGnR0mTgEtydAUrYoPJgULaSQ@mail.gmail.com> (raw)
In-Reply-To: <AM0PR07MB614721A4B6B17011C3DFF7C0964D0@AM0PR07MB6147.eurprd07.prod.outlook.com>

Hello Erik,

yes, I know that the DNS is private. This is why I have that on my macOS
configuration:

# …
AllowedIPs = 10.136.16.0/22, 169.254.169.253/32
# …

Cheers,
Alexander

On Mon, 3 Aug 2020 at 14:02, Gijs Conijn <egc112@msn.com> wrote:
>
> The DNS you are using is private and only works if routed through the tunnel.
>
> You have to add the DNS address to the allowed IP's so that it is routed via the tunnel.
>
> Regards, Erik DDWRT user
>
> Alexander Skwar <alexanders.mailinglists+nospam@gmail.com> wrote on 3 August 2020 11:15:21 CEST:
>>
>> Hello
>>
>> I'm having issues with the macOS App. tl;dr: It doesn't set the system
>> DNS to the IP of my resolver which is only reachable once the tunnel
>> is up.
>>
>> Here's my "clients" (macOS) configuration:
>>
>> #####################################################################
>> [Interface]
>> PrivateKey = ...=
>> Address = 172.31.0.3/24
>> DNS = 10.136.16.2
>>
>> [Peer]
>> PublicKey = ...=
>> AllowedIPs = 10.136.16.0/22, 169.254.169.253/32
>> Endpoint = wg.....ch:51820
>> #####################################################################
>>
>> Matching "server" configuration (Debian 10):
>>
>> #####################################################################
>> [Interface]
>> Address = 172.31.0.1/24
>> Listenport = 51820
>> PrivateKey = ...=
>> PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
>> PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE
>>
>> [Peer] # alexander-mac-1
>> PublicKey = kw6A7iN/sF0k2bePr15M10e6Ufhp7sJVWhZcZvGcrT8=
>> AllowedIPs = 172.31.0.3/32
>> #####################################################################
>>
>> When I activate this tunnel on my mac and do a "dig" or "host" query
>> for some name which only the private resolver 10.136.16.2 knows, I get
>> an NXDOMAIN (query failed).
>> When I do "dig @10.136.16.2 $sameName", the name gets resolved (i.e.
>> when I manually s). This shows that the routing is working fine.
>>
>> As some extra tests, I set "DNS = 208.67.222.222" (OpenDNS) and tried
>> to resolve their test site www.internetbadguys.com. It resolves to
>> 146.112.61.108, which means that OpenDNS is used (I'm normally not
>> using it). It also shows on https://welcome.opendns.com/.
>> Same result with setting "DNS = 1.1.1.1" and then going to
>> https://1.1.1.1/help - DNS is set.
>>
>> This means that the macOS App *IS* able to set the system default
>> DNS, but for some reason doesn't set it to my private DNS IP of
>> 10.136.16.2.
>> There is ONE (bad) work around: When I set "AllowedIPs = 0.0.0.0/0",
>> then the App DOES set the system default DNS to 10.136.16.2.
>>
>> The log of the application doesn't show anything regarding DNS.
>> Pasted at https://paste.ee/p/ziqrg.
>>
>> Well… Why does the macOS App refuse to set the DNS to 10.136.16.2?
>>
>> Versions used:
>> App version: 0.0.20191105 (16)
>> Go backend version: 0.0.20191013
>> macOS: Catalina 10.15.5 (19F101)
>>
>>
>> Cheers,
>> Alexander



-- 
Alexander
=>        Google+ => http://plus.skwar.me         <==
=> Chat (Jabber/Google Talk) => a.skwar@gmail.com <==
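As an added illustration (not code from the thread or the WireGuard project), a small check for the rule Erik states: every resolver listed under [Interface] DNS should fall inside some peer's AllowedIPs, otherwise queries to it follow the default route instead of the tunnel. The embedded config is the client config from the thread with the endpoint replaced by a constructed placeholder; the parser follows wg(8)'s case-insensitive key matching and comma-separated value lists.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: the macOS client config from the thread, key material
# elided as in the original post, endpoint replaced by a placeholder host.
CLIENT_CONF = """\
[Interface]
PrivateKey = ...=
Address = 172.31.0.3/24
DNS = 10.136.16.2

[Peer] # wg server
PublicKey = ...=
AllowedIPs = 10.136.16.0/22, 169.254.169.253/32
Endpoint = wg.example.invalid:51820
"""

def parse_wg_conf(text: str) -> Dict[str, List[Dict[str, List[str]]]]:
    """Minimal wg-quick style parser: section name -> list of {key: values}.
    Keys are lower-cased (wg(8) matches them case-insensitively), '#' comments
    are stripped, and 'AllowedIPs = a, b' yields the list [a, b]."""
    sections: Dict[str, List[Dict[str, List[str]]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # handles '[Peer] # name' too
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.setdefault(line[1:-1].lower(), []).append(current)
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            continue
        vals = [v.strip() for v in value.split(",") if v.strip()]
        current.setdefault(key.strip().lower(), []).extend(vals)
    return sections

def unrouted_dns(text: str) -> List[str]:
    """Return DNS servers from [Interface] that lie outside every peer's
    AllowedIPs, i.e. resolvers that will NOT be reached through the tunnel."""
    conf = parse_wg_conf(text)
    allowed = [ipaddress.ip_network(cidr, strict=False)
               for peer in conf.get("peer", [])
               for cidr in peer.get("allowedips", [])]
    servers = [d for iface in conf.get("interface", []) for d in iface.get("dns", [])]
    leaked = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            continue  # non-IP entries (search domains) are not resolvers
        if not any(addr in net for net in allowed):
            leaked.append(server)
    return leaked
```

An empty list means every configured resolver is covered by the tunnel's routes; a non-empty list names resolvers that plain DNS traffic would reach outside the tunnel.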
