
split DNS #561

Open
andreworg opened this issue Mar 10, 2020 · 16 comments

Comments

@andreworg

Looks like I am not getting DNSs from my SSL VPN.

I get this on the logs:

INFO: Got addresses: [10.10.10.1], ns [0.0.0.0, 0.0.0.0]

Split DNS works fine accessing the same profile from Forticlient/Win.

I am running 1.12.0 but the same happened on 1.11.0.
Gateway runs FortiOS 6.2.3 but the same happened on 6.0.7.

@DimitriPapadopoulos
Collaborator

DimitriPapadopoulos commented Mar 11, 2020

I guess the FortiGate device is not properly configured: as far as I can see it provides incorrect DNS server information. Note that FortiClient on Windows might be using IPSec, not VPN SSL. As far as I can see they are configured differently on the FortiGate device:
IPSec

config vpn ipsec phase1-interface
          set ipv4-dns-server1 {ipv4-address}
          set ipv4-dns-server2 {ipv4-address}
          set ipv4-dns-server3 {ipv4-address}

VPN SSL

config vpn ssl settings
      set dns-server1 {ipv4-address}
      set dns-server2 {ipv4-address}

@andreworg
Author

andreworg commented Mar 13, 2020

Hi,
thanks for your reply.
Maybe my question was not clear enough.
I am talking about split DNS, not global DNS.
In terms of FortiOS config:

config vpn ssl web portal
    edit "myportal"
        config split-dns
            edit 1
                set domains "mydomain1.local,mydomain2.local"
                set dns-server1 10.10.10.10
                set dns-server2 10.10.10.11
            next
        end
    next
end

config vpn ssl settings is a global (as opposed to per-portal) setting, and refers to the DNS servers that are assigned to the client when the SSL VPN connection is initiated. You can leave these unset, meaning that the client will use its own DNS settings. This corresponds to the "Same as client system DNS" in the GUI, VPN --> SSL VPN Settings. AFAIK this is perfectly compatible with the split DNS configuration above.

I was actually mistaken, and probably misleading, in thinking that the log message in my original post was about split DNS. Now I see it belongs to the "main" DNS settings, and zeroes mean leave system DNS as it is. openfortivpn behaves correctly in this regard.
Nonetheless my question still stands. When I connect to the "myportal" SSL VPN in tunnel mode on Windows with Forticlient, the names matching the domains listed in the split DNS configuration are correctly resolved by the internal servers, while the other names are resolved by the global DNSs. When I connect to the same SSL VPN tunnel with openfortivpn, this does not happen.

I searched the logs at max verbosity for hints about my local DNSs, and found nothing apart from the XML dump of http_receive, with the portal settings.

<split-dns domains='mydomain1.local,mydomain2.local' dnsserver1='10.10.10.10' dnsserver2='10.10.10.11' />

n.b. traffic to the local DNS servers is enabled in the rules and routes are being set correctly.

My conclusion is that openfortivpn does not currently support split DNS.

@DimitriPapadopoulos
Collaborator

Ah, since I don't own a FortiGate appliance myself I am not aware of all options. Indeed the current code only parses:

<dns ip='...' />
<dns domain='... />

It looks like we should also parse:

<split-dns domains='...,...' dnsserver1='...' dnsserver2='...' />
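An added example, not code from openfortivpn or from anyone in this thread, of what parsing that tag could look like in C: it pulls the attribute values out of the exact `<split-dns .../>` line posted above, rejects DNS servers that are not valid IPv4 addresses, and leaves the output struct untouched on any failure. All names (`struct split_dns`, `xml_attr`, `parse_split_dns`, `MAX_SPLIT_DOMAINS`) are my own assumptions.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define MAX_SPLIT_DOMAINS 8   /* assumed limit, not a FortiOS value */

/* Parsed form of <split-dns domains='a,b' dnsserver1='x' dnsserver2='y' />. */
struct split_dns {
    char domains[MAX_SPLIT_DOMAINS][64];
    int ndomains;
    char dns1[INET_ADDRSTRLEN];
    char dns2[INET_ADDRSTRLEN];   /* empty string when dnsserver2 is absent */
};

/* Copy the single-quoted value of attribute `name` out of `tag` into `out`.
 * Returns 1 on success, 0 if the attribute is missing or does not fit. */
static int xml_attr(const char *tag, const char *name, char *out, size_t outlen)
{
    char key[32];
    snprintf(key, sizeof key, " %s='", name);
    const char *p = strstr(tag, key);
    if (!p)
        return 0;
    p += strlen(key);
    const char *end = strchr(p, '\'');
    if (!end || (size_t)(end - p) >= outlen)
        return 0;
    memcpy(out, p, end - p);
    out[end - p] = '\0';
    return 1;
}

/* Parse one <split-dns .../> tag. dnsserver1 and at least one domain are
 * required; dnsserver2 is optional but must be valid IPv4 if present. */
int parse_split_dns(const char *tag, struct split_dns *sd)
{
    struct split_dns tmp = {0};
    char domains[256];
    struct in_addr a;

    if (!strstr(tag, "<split-dns ") || !xml_attr(tag, "domains", domains, sizeof domains))
        return 0;
    if (!xml_attr(tag, "dnsserver1", tmp.dns1, sizeof tmp.dns1) || inet_pton(AF_INET, tmp.dns1, &a) != 1)
        return 0;
    if (xml_attr(tag, "dnsserver2", tmp.dns2, sizeof tmp.dns2) && inet_pton(AF_INET, tmp.dns2, &a) != 1)
        return 0;
    for (char *tok = strtok(domains, ","); tok && tmp.ndomains < MAX_SPLIT_DOMAINS; tok = strtok(NULL, ",")) {
        if (strlen(tok) >= sizeof tmp.domains[0])
            return 0;             /* oversize domain: refuse rather than truncate */
        strcpy(tmp.domains[tmp.ndomains++], tok);
    }
    if (tmp.ndomains == 0)
        return 0;
    *sd = tmp;
    return 1;
}
```

The resulting domain list is what a resolver integration (systemd-resolved, dnsmasq, or a helper script) would then need to be told to route over the tunnel; that hand-off is not shown here.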

@mrbaseman
Collaborator

Unfortunately, it's more complex. We also have to manipulate the process of DNS resolution then, and send the requests for those domains to the appropriate servers whereas requests for all other domains shall still be sent to the system DNS servers.

@andreworg
Author

andreworg commented Mar 16, 2020

I don't know openfortivpn's internals, but from what I gather I suspected that it would not be easy.
I guess it does not operate above L3.
Quickest thing I can think of is spawning a dnsmasq on the fly. Probably systemd can be used too, not sure though.

@DimitriPapadopoulos
Collaborator

Fedora 33 is expected to switch to systemd-resolved which might (or not?) help configuring split DNS.

@mrbaseman
Collaborator

This could help, yes, but we are still left with the tasks:

  • support systemd-resolved and use it if it's available and in use on the system at runtime
  • parse the configuration in the xml
  • notify systemd-resolved about the domains that shall be resolved over the tunnel

@DimitriPapadopoulos
Collaborator

According to the FortiClient Administration Guide support for split DNS has been introduced in FortiClient 6.0.3:

FortiClient 6.0.3

Split DNS support for SSL VPN

FortiClient now supports split DNS tunneling for SSL VPN. See Configuring SSL VPN connections.

@rknop

rknop commented Oct 1, 2020

Please do not make openfortivpn, or support of split dns in openfortivpn, require systemd.

@DimitriPapadopoulos
Collaborator

Some Linux systems do not support systemd but yes, systemd and NetworkManager should be used when available. There is already at least one ticket about that.

@andreworg
Author

@DimitriPapadopoulos

According to the FortiClient Administration Guide support for split DNS has been introduced in FortiClient 6.0.3:

That may be true for Windows and probably MacOS for latest versions.

@rknop

openfortivpn as it is now - and as it supposedly will ever be - relies on the rest of the stack to do DNS resolution. What can be done is make openfortivpn interact with something that will take care of split DNS. One option is to use systemd-resolved, but there are others, e.g. dnsmasq, see this link. Also look at the link at the start of that article, NetworkManager has a dnsmasq plugin (disclaimer: I just found out about it).

@angystardust

An interesting article about "split DNS" has been published on Fedora magazine:
https://fedoramagazine.org/systemd-resolved-introduction-to-split-dns/

@DimitriPapadopoulos
Collaborator

An interesting article about "split DNS" has been published on Fedora magazine:
https://fedoramagazine.org/systemd-resolved-introduction-to-split-dns/

Unfortunately it focuses on systemd-resolved while most desktop distributions use NetworkManager. I still fail to find an overview explaining the different subsystems related to name resolution, how they interact, what API they offer to programmers, what to expect on major Linux platforms such as Debian, Ubuntu, RHEL or Fedora (desktop and server versions as they may differ). Of course I'm not saying systemd-resolved is not a step in the right direction, just that name resolution in the current Linux ecosystem is fragmented and complex.

@andreworg
Author

name resolution in the current Linux ecosystem is fragmented and complex.

Sadly, that is completely accurate. History suggests that systemd will "solve" this issue, possibly in a way that will piss off many.

lpeens added a commit to lpeens/openfortivpn that referenced this issue May 8, 2021
Split-dns seems to be quite a complicated thing to implement
correctly, and probably depends on something like systemd-resolved
or NetworkManager support to be added, as discussed here:
    adrienverge#561

In the meantime DNS is not working at all if no global dns
is set. This patch implements a slightly ugly workaround by using
the split-dns info as the default dns when no default dns was configured
in the xml response. I expect that the two settings are mutually exclusive in
any case, but I don't understand DNS well enough to be sure.
lpeens added a commit to lpeens/openfortivpn that referenced this issue Sep 18, 2021
@tbaumann

tbaumann commented Nov 6, 2023

I don't think any VPN software should bother to implement this. You just need to support the same interface as for example OpenVPN to call a helper that sorts this out.
Either https://github.com/jonathanio/update-systemd-resolved or, if you want something that fucks around with resolv.conf,

But I think there is only madness in trying to do this yourself. And with all the known issues with resolv.conf (hence all the existing workarounds) I also don't think breaking that is a good default behavior at all. (Except perhaps on some *BSD)

@DimitriPapadopoulos
Collaborator

My idea would be to move to vpnc-scripts to handle routing and DNS, but I won't have time to implement that in the foreseeable future (see #600 and #678).
