Creative Commons Attribution 4.0 International License
© Rakhesh Sasidharan
MacOS VPN doesn’t use the VPN DNS

Continuing with my previous post … as part of configuring it I went to “Advanced” > “DNS” in the VPN connection and put in my remote end DNS server and the domain name to search. On Windows 10 I didn’t even have to do this – the remote DNS server and search domains were configured automatically as part of connecting. Anyways, once I put these in I thought it should just work out of the box, but it didn’t.

So it turns out many others have noticed and complained about this. I couldn’t find a solution as such, but I learnt about scutil --dns in the process. Even though macOS has an /etc/resolv.conf file, it is not what the OS itself resolves with: the file is generated by the system, and the actual resolver (mDNSResponder) takes its configuration from the System Configuration database, which is what scutil --dns lets you see. (I am very very sketchy on the details and to be honest I didn’t make much of an effort to figure out the details either.) In my case the output of this command showed that the VPN-provided resolver for my custom domain was being seen by scutil and yet it wasn’t being used – no idea why.

I would like to point out this post though, which shows how one can use scutil to override the DHCP- or VPN-assigned DNS servers with another. Good to know the kind of things scutil can do.

And while on this confusing topic it is worth pointing out that tools like nslookup and dig read /etc/resolv.conf directly and bypass the system resolver, so they are not good tools if you want to test what an average macOS program will resolve a particular name to. Best to just ping and see what IP a name resolves to, since ping goes through the system resolver like any other app (dscacheutil -q host -a name example.com asks that same resolver without sending any packets to the host).

Anyways, I didn’t want to go down a scripting route like in that nice blog post so I tried to find an alternative.

Oh, almost forgot! Scoped queries. If you check out this SuperUser post you can see the output of scutil --dns and come across the concept of scoped queries. The idea (I think) is that you can say domain xyz.com should be resolved using a particular name server, domain abc.com should be resolved via another, and so on. From that post I also got the impression you can scope it per interface … so the idea would be that you can scope the name server for my VPN interface to be one, while the name server for my other interfaces is another. But this wasn’t working in my case (or I had configured something wrong – I dunno. I am a new macOS user). Here is my output, btw, so you can see my Azure hosted domain rakhesh.net has its own name server, while my home domain rakhesh.local has its own (and don’t ask me where the name server for general Internet queries is picked up from … I have no idea!).

Anyways, here’s a link to scutil for my future reference. And story 1 and story 2 on mDNSResponder, which seems to be the DNS resolver in macOS. And while on mDNSResponder, if you want to flush your local DNS cache you can do the following (thanks to this help page):

What a mouthful! :)

Also, not related to all this, but something I had to Google as I didn’t know how to view the routing table in macOS. If you want to do the same then netstat -nr is your friend.

Ok, so going back to my problem. I was reading the resolver(5) man page and came across the following:

Mac OS X supports a DNS search strategy that may involve multiple DNS resolver clients.

Each DNS client is configured using the contents of a single configuration file of the format described below, or from a property list supplied from some other system configuration database. Note that the /etc/resolv.conf file, which contains configuration for the default (or “primary”) DNS resolver client, is maintained automatically by Mac OS X and should not be edited manually. Changes to the DNS configuration should be made by using the Network Preferences panel.

Mac OS X uses a DNS search strategy that supports multiple DNS client configurations. Each DNS client has its own set of nameserver addresses and its own set of operational parameters. Each client can perform DNS queries and searches independent of other clients. Each client has a symbolic name which is of the same format as a domain name, e.g. “apple.com”. A special meta-client, known as the “Super” DNS client acts as a router for DNS queries. The Super client chooses among all available clients by finding a best match between the domain name given in a query and the names of all known clients.

Queries for qualified names are sent using a client configuration that best matches the domain name given in the query. For example, if there is a client named “apple.com”, a search for “www.apple.com” would use the resolver configuration specified for that client. The matching algorithm chooses the client with the maximum number of matching domain components. For example, if there are clients named “a.b.c”, and “b.c”, a search for “x.a.b.c” would use the “a.b.c” resolver configuration, while a search for “x.y.b.c” would use the “b.c” client. If there are no matches, the configuration settings in the default client, generally corresponding to the /etc/resolv.conf file or to the “primary” DNS configuration on the system are used for the query.

If multiple clients are available for the same domain name, the clients are ordered according to a search_order value (see above). Queries are sent to these resolvers in sequence by ascending value of search_order.

The configuration for a particular client may be read from a file having the format described in this man page. These are at present located by the system in the /etc/resolv.conf file and in the files found in the /etc/resolver directory. However, client configurations are not limited to file storage. The implementation of the DNS multi-client search strategy may also locate client configurations in other data sources, such as the System Configuration Database. Users of the DNS system should make no assumptions about the source of the configuration data.

If I understand this correctly, what it is saying is that:

  1. The settings defined in /etc/resolv.conf are the fall-back/default, used only when no other client matches?
  2. Each domain (confusingly referred to as a “client” in the man page) can have its own settings. You define these as files in /etc/resolver/. So I could have a file called /etc/resolver/google.com that defines how I want the “google.com” domain to be resolved – what name servers to use etc. (these are the typical options one finds in /etc/resolv.conf).
  3. The system combines all these individual definitions, along with dynamically created definitions such as when a VPN is established (or any DHCP-provided definitions I’d say, including wired and wireless), into a configuration database. This is what scutil can query and manipulate.
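As an added example (not code from the original post, and not Apple’s implementation), here is a small POSIX shell function that applies the Super client’s matching rule from the man page excerpt above – most matching trailing domain components wins, ties for the same client name are tried in ascending search_order, and no match means the default (/etc/resolv.conf) configuration – to a constructed table of clients. The table contents, addresses and search_order values are made up for the illustration; on a real Mac you would build it from scutil --dns or the files in /etc/resolver.

```shell
#!/bin/sh
# Added example (not from the original post): the "Super" client's matching rule
# from resolver(5), applied to a constructed client table.
#
# Each line is: CLIENT-NAME NAMESERVER SEARCH_ORDER. The addresses and orders are
# assumed/made up for the illustration; on a real Mac you would fill this table
# from `scutil --dns` or from the files in /etc/resolver.
CLIENTS='
rakhesh.net    10.1.0.4      100
rakhesh.net    8.8.8.8       200
rakhesh.local  192.168.1.1   100000
a.b.c          10.0.0.1      100000
b.c            10.0.0.2      100000
'

# resolvers_for NAME
# Prints the nameservers that would be tried for NAME, in order, or "default"
# when no client matches (i.e. the primary /etc/resolv.conf configuration).
resolvers_for() {
  printf '%s\n' "$CLIENTS" | awk -v q="$1" '
    NF != 3 { next }                       # skip blank lines
    {
      nq = split(tolower(q), ql, ".")      # labels of the query name
      nc = split(tolower($1), cl, ".")     # labels of the client name
      if (nc > nq) next                    # client longer than the query: no match
      for (i = 0; i < nc; i++)             # compare trailing labels right to left
        if (ql[nq - i] != cl[nc - i]) next
      if (nc > best) { best = nc; n = 0 }  # more matching components wins outright
      if (nc == best) { n++; ns[n] = $2; ord[n] = $3 + 0 }
    }
    END {
      if (n == 0) { print "default"; exit }
      for (i = 2; i <= n; i++) {           # same client name: ascending search_order
        v = ns[i]; o = ord[i]; j = i - 1
        while (j > 0 && ord[j] > o) { ns[j + 1] = ns[j]; ord[j + 1] = ord[j]; j-- }
        ns[j + 1] = v; ord[j + 1] = o
      }
      line = ns[1]
      for (i = 2; i <= n; i++) line = line " " ns[i]
      print line
    }'
}

# Walk through the man page examples plus the two-file rakhesh.net setup.
for name in x.a.b.c x.y.b.c vm1.rakhesh.net nas.rakhesh.local www.apple.com; do
  printf '%-20s -> %s\n' "$name" "$(resolvers_for "$name")"
done
```

Note that the match is on whole trailing labels, so notrakhesh.net does not match the rakhesh.net client, and a query for just net is shorter than the client name and falls through to the default as well.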

What this means for me though is that I can create a file called /etc/resolver/rakhesh.net (my Azure domain is rakhesh.net) with something like this:

Thus any requests for rakhesh.net will go via this name server. When I am not connected to the VPN these requests will fail, as the DNS server is not reachable, but when connected it will work fine.

What if I want to take this one step further though? As in, I want DNS requests for rakhesh.net to go to its proper external DNS server when I am not on the VPN but go via the internal DNS server when I am on the VPN? That too is possible. All I have to do is have multiple files – since I can’t call all of them /etc/resolver/rakhesh.net – and within each specify the domain name via the domain parameter and also define the preference via a search_order parameter. The one with the lower number gets tried first.

So I now have two files. For internal queries I have /etc/resolver/rakhesh.net.azure (the file name doesn’t matter; the domain line inside it does):

For external queries I have /etc/resolver/rakhesh.net.inet:

The internal file has the higher priority (the lower search_order). I also added a timeout of 5 seconds so it doesn’t spend too much time trying to contact the internal name server if the VPN is not connected. Easy peasy. This way my queries work via the internal DNS servers if I am connected to the VPN, and via external DNS servers if I am not on the VPN.
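The two-file setup above as a script, added here as an example rather than taken from the original post: a function that prints a resolver(5) file body and one that installs it under /etc/resolver as root. The nameserver addresses (10.1.0.4 and 8.8.8.8) and the file names are assumptions for the illustration, not the post’s real servers.

```shell
#!/bin/sh
# Added example (not from the original post): generate and install the two
# /etc/resolver files described above. The nameserver addresses are placeholders
# (assumed), not the post's real servers; substitute your own.

# resolver_file DOMAIN NAMESERVER SEARCH_ORDER [TIMEOUT]
# Prints a resolver(5) configuration body. The domain line decides which queries
# the file applies to; the file name itself is arbitrary. Lower search_order is
# tried first; timeout (seconds) bounds the wait on an unreachable server.
resolver_file() {
  printf 'domain %s\nnameserver %s\nsearch_order %s\n' "$1" "$2" "$3"
  if [ -n "$4" ]; then
    printf 'timeout %s\n' "$4"
  fi
}

# install_resolver FILENAME DOMAIN NAMESERVER SEARCH_ORDER [TIMEOUT]
# Writes /etc/resolver/FILENAME as root with 0644 permissions, so only root
# can change where the domain's queries go.
install_resolver() {
  mkdir -p /etc/resolver
  resolver_file "$2" "$3" "$4" "$5" > "/etc/resolver/$1"
  chown root:wheel "/etc/resolver/$1"
  chmod 0644 "/etc/resolver/$1"
}

# Run as `sudo sh thisscript.sh install` on the Mac; otherwise just print the files.
if [ "$1" = "install" ]; then
  install_resolver rakhesh.net.azure rakhesh.net 10.1.0.4 100 5   # internal, via VPN
  install_resolver rakhesh.net.inet  rakhesh.net 8.8.8.8  200     # external fallback
else
  echo '# /etc/resolver/rakhesh.net.azure'; resolver_file rakhesh.net 10.1.0.4 100 5
  echo '# /etc/resolver/rakhesh.net.inet';  resolver_file rakhesh.net 8.8.8.8 200
fi
```

After installing, scutil --dns should list both rakhesh.net clients with their search_order values, and dscacheutil -q host -a name vm1.rakhesh.net goes through the same system resolver the apps use (dig and nslookup do not, as noted earlier). If an old answer is cached, sudo killall -HUP mDNSResponder flushes it. Two caveats worth knowing: while the VPN is down, every rakhesh.net query first waits up to the 5 second timeout on the unreachable internal server before the external file is tried; and because anything that can write to /etc/resolver can silently redirect that domain’s lookups, the files should stay root-owned and not world-writable, which is why the install function sets 0644.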

If I now look at the output of scutil --dns I see all this info captured:

So that’s it. Hope this helps someone!

 

Azure Point-to-Site VPN disconnects without connecting on MacOS

Wasted a lot of time today trying to get the Azure P2S VPN set up on my MacBook Air. I had done the hard work while setting it up for Windows – set up an internal CA, generated client certificates, etc. – and it was working fine with Windows 10 but kept disconnecting with macOS. The instructions were straightforward but the client would connect and disconnect with no messages. Couldn’t find a way to enable logging either!

The issue was very similar to the one in this StackExchange post, but it couldn’t be about certificates as in that post, as I had set up mine correctly. I too was getting the same error message as that poster in both wifi.log and syslog.

I poked around the authentication settings and finally hit upon a fix. Instead of setting “Authentication Settings” to certificate, as in the instructions, I set it to “None” and that gave me two options as in the screenshot below. I selected “Certificate” here and pointed it to a copy of the user certificate I had on file and that did the trick!

No idea why this is different to the official instructions.

New MacBook Air

So I finally dipped my feet into the Mac ecosystem and bought myself a MacBook Air. Yes, I know it’s 3 years old but what the heck – it was the cheapest Mac I could buy! Went for the 8GB/ 256GB i5 version as that’s the one I found on a deal with our local online shopping provider. Might have gone with a different spec if I decided to go with the version available officially with Apple but a) that had a UK English keyboard and b) the same model there was about 33% more expensive so if I were to get a better spec’d one I’d be spending a lot lot more (bringing the costs up to the MacBook range). 

One thing about MacBook purchases though – it isn’t easy. I mean, with an iPhone you only have to choose the color & size, and then pick the capacity you want. But with Macs I have to worry about size, CPU (i5 or i7), RAM, and storage; and each choice ups the price by so much! And more than the price, the choices are just exhausting. It’s the paradox of choice concept (I’ve read the book) and the feeling is similar to Windows laptops where there are so many choices and you just get bogged down trying to pick what you want and eventually let go of the idea itself. Which is what I had done here (let go of the idea) until my wife suggested this MacBook Air model that was on a deal and I thought what the heck and just purchased it. My focus here is to get something that will get me a toehold in the Mac ecosystem, and probably settling on price as the criterion more than anything else was what was needed.

Oh, and the MacBook Air is the only one with a decent set of ports. Yikes! All the other MacBooks have just USB-C ports so there’s the additional cost of dongles and the hassle of having to carry them around. If it wasn’t for the dongles and the fact that the MacBook has a 2nd generation butterfly keyboard which is known for problems (which is fixed in the MacBook Pro’s 3rd generation keyboard) I might have gone for the MacBook. It has more colors too. 

Anyways, back to the MacBook Air. I’ve had it for less than a day now so these are just initial thoughts. 

  • I love the keyboard and size. There’s a lot of room for the hand, and the keys feel good to type on. It’s a very “lapable” laptop. 
  • I thought I’d be put off by the 1440×900 screen as I am so used to full HD nowadays and when I had recently tried using a 1440×900 external monitor I didn’t like it at all, but no I don’t mind this screen. Yes I notice the difference but I don’t mind it. 
  • I like the feel of the OS. I had various people tell me it is complicated and unintuitive etc. but I don’t see that. I love the two finger way of scrolling up and down pages and going back and forward, and the three finger way of moving across apps. That feels very intuitive and much better than having a touch screen. There’s a lot more gestures but I am yet to get the hang of that. I tried to memorize those initially but then figured I’ll pick them up as I go. I think I know the main ones that I am interested in at least. 
  • It’s a jarring experience going to the App Store and seeing all the prices! Boy. It’s like the pre-iPhone days when software used to be expensive. Pretty much everything is US$10 and above, and if something is free it is bound to have an in-app purchase. Even the same app which for iPhone & iPad is (say) US$5 would be US$50 or above here! I imagine it is because the code base is different and so there’s more effort? I don’t know. That’s something I am having trouble getting my head around. The Windows Store apps are much cheaper (but yeah there aren’t many). Anyways, the App Store is like a trip back in time to expensive software. I don’t think I’ll be buying many apps. Or I hope I won’t be buying many apps – it is not a sustainable option.
  • The laptop came with MacOS High Sierra 10.13.1 and I couldn’t update to the latest 10.13.6 via the App Store. I downloaded it and tried to upgrade manually, but that failed saying the volume doesn’t meet some pre-requisites. I downloaded 10.13.2 and 10.13.3 and was able to upgrade to them manually, but 10.13.4 fails with the same error. That’s when I came across the macOS Recovery options, especially the Internet Recovery option which you get to by pressing Option-Command (⌘)-R (instead of just Command (⌘)-R for regular recovery). Internet Recovery actually connects to the Internet (it prompts you for Wi-Fi details etc) and can download the latest version and do a fresh install. When I tried this it complained my disk was still being encrypted and so it cannot upgrade. Am guessing that is why the update previously failed so I’ll wait for the encryption to finish and try again. That is so cool though, being able to connect to the Internet and do a recovery! Windows recovery options are nothing compared to this. Even the Recovery screen has a good GUI etc. (of course, that’s easy for Apple to do as it controls the hardware; versus Microsoft which can’t cater for every single display where Windows might be installed on). 
    • Update: After encryption completed I was able to install 10.13.4 successfully. I tried to go to 10.13.6 directly but that failed. I realized that these updates are deltas so I’ll just have to install 10.13.5 and then 10.13.6. Tried that and now my system is finally up to date. Yay! Pity macOS doesn’t do cumulative updates.
  • What else? The Finder is good, the uniform way in which each app shows a menubar where you can go and find its options etc. is good. I love the UI as expected for its consistency and sleekness. I also loved how I could just click on the Apple icon and go to “About this Mac” to quickly find its OS version, free storage etc. I don’t know why I liked that, but I found it incredibly thoughtful of Apple to present this information via this option. 
  • There’s still (obviously) a lot to pick up. Keyboard shortcuts and gestures etc. 
  • Oh, forgot. Installing apps from outside the App Store is cute in the way you download the DMG file and then (in most cases) just drag and drop the application to the Applications folder. I remember reading somewhere that in the Mac each application is sandboxed to its own hierarchy or something so it’s not like Windows or Linux where everything just writes to a common place and there’s dependencies and DLL hell etc. 
  • I love how macOS restores all my previously open apps after a reboot/ shutdown. It’s just the other day I was wishing Windows could do something similar (my laptop crashed and I had to restore all my windows) and it was pleasant to see macOS do exactly this whenever I’d reboot. Such a user friendly and useful thing to do!

More later!