openconnect on MacOS X Sierra DNS name resolution

John Hogenmiller (yt) john at yourtech.us
Fri May 12 08:14:27 PDT 2017


I have this same issue as well, or close enough. I posted on the Apple
StackExchange because this is more an issue with trying to understand
scutil than it is openconnect. Once we can figure out how to do what we
want with scutil, we can, in theory, correct the openconnect scripts to
work as desired.


https://apple.stackexchange.com/questions/266552/have-openconnect-send-all-dns-to-vpn-nameservers-scutil-sierra


I am trying to get DNS resolution working using openconnect on macOS
10.12.2. First off, the Cisco AnyConnect client does work; I'm mainly
wanting to switch to OpenConnect for scriptability and its integration
with libstoken. OpenConnect works fine on Linux as well. It's just the
integration with macOS where I'm running into trouble. When connected to
the VPN, the server sends down two nameservers and a search domain.
vpnc-script and macOS attempt to set this up as a sort of scoped query. In
reality, we want all DNS queries to go to the ones provided by the VPN server.
A number of older posts around this use networksetup commands, which do not
seem to work for me under Sierra (though they have worked for people on
older versions).


In the below examples, 192.168.1.1 and priv.example.net would be my local
network nameserver, while 10.131.10.1[5-6] and core.example.com would be
the VPN servers. Under AnyConnect, it puts all three nameservers under
"resolver #1". I also notice it somehow detaches these from any interface.
When OpenConnect connects, it seems to attach the VPN nameservers to en0
instead of utun0. That seems to be the crux of my problem, because the VPN
nameservers are not accessible over en0, only utun0. I can provide a lot
more output from scutil (I have pages of comparisons).


GOOD (AnyConnect):
Under here, notice that resolver #1 is not tied to an interface.


    dfzmbp:etc ytjohn$ scutil --dns
    DNS configuration

    resolver #1
      search domain[0] : core.example.com
      nameserver[0] : 10.131.10.15
      nameserver[1] : 10.131.10.16
      nameserver[2] : 192.168.1.1
      flags : Request A records, Request AAAA records
      reach : Reachable
      order : 1


BAD (OpenConnect):


    dfzmbp:etc ytjohn$ scutil --dns
    DNS configuration

    resolver #1
      search domain[0] : core.example.com
      search domain[1] : priv.example.net
      nameserver[0] : 10.131.10.15
      nameserver[1] : 10.131.10.16
      nameserver[2] : 192.168.1.1
      if_index : 6 (en0)
      flags : Request A records
      reach : Reachable

    resolver #2
      domain : core.example.com
      nameserver[0] : 10.131.10.15
      nameserver[1] : 10.131.10.16
      flags : Supplemental, Request A records
      reach : Reachable
      order : 100800

    resolver #3
      domain : local

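The comparison above comes down to one property of each resolver entry: whether it carries an `if_index` line (bound to an interface, en0 in the OpenConnect case) or not (the AnyConnect layout). The script below is an added example, not code from the post or from the openconnect project: it parses `scutil --dns` output and reports that property per resolver, checks whether a given VPN nameserver is reachable only through an interface-scoped resolver, and emits the scutil command stream for publishing a `State:/Network/Service/<tun>/DNS` dictionary so the reader can experiment and re-check. The two sample outputs are constructed from the post; the function names are mine; and the assumption that the emitted `d.init`/`d.add`/`set` sequence matches what vpnc-script writes on macOS should be checked against your copy of vpnc-script. Nothing here runs scutil itself, so the parsing and checks work on any POSIX sh with awk.

```shell
#!/bin/sh
# Added example, not code from the post or from the openconnect project.
# Only the generated scutil input is macOS-specific; nothing here runs scutil.

# Constructed sample: the "BAD (OpenConnect)" scutil --dns output from the post.
SAMPLE_BAD='DNS configuration

resolver #1
  search domain[0] : core.example.com
  search domain[1] : priv.example.net
  nameserver[0] : 10.131.10.15
  nameserver[1] : 10.131.10.16
  nameserver[2] : 192.168.1.1
  if_index : 6 (en0)
  flags    : Request A records
  reach    : Reachable

resolver #2
  domain   : core.example.com
  nameserver[0] : 10.131.10.15
  nameserver[1] : 10.131.10.16
  flags    : Supplemental, Request A records
  reach    : Reachable
  order    : 100800

resolver #3
  domain   : local'

# Constructed sample: the "GOOD (AnyConnect)" output from the post.
SAMPLE_GOOD='DNS configuration

resolver #1
  search domain[0] : core.example.com
  nameserver[0] : 10.131.10.15
  nameserver[1] : 10.131.10.16
  nameserver[2] : 192.168.1.1
  flags    : Request A records, Request AAAA records
  reach    : Reachable
  order    : 1'

# Read scutil --dns output on stdin and print one line per resolver:
#   <resolver number> <scope> <comma-separated nameservers, or - if none>
# scope is "global" when the resolver has no if_index line, otherwise the
# interface name given in parentheses on that line (en0, utun0, ...).
summarize_resolvers() {
    awk '
        function flush() { if (n != "") print n, scope, (ns == "" ? "-" : ns) }
        /^ *resolver #/ { flush(); n = $2; sub("#", "", n); scope = "global"; ns = "" }
        /if_index/      { i = $0; sub(/.*\(/, "", i); sub(/\).*/, "", i); scope = i }
        /nameserver\[/  { ns = ns (ns == "" ? "" : ",") $NF }
        END { flush() }
    '
}

# Exit 0 only if no resolver listing the given nameserver is bound to an
# interface, i.e. the unscoped layout the post shows for AnyConnect.
# Exits 1 when the nameserver sits in an interface-scoped resolver, such as
# the en0-bound resolver #1 in the OpenConnect output.
vpn_dns_is_global() {
    summarize_resolvers | awk -v ns="$1" '
        index("," $3 ",", "," ns ",") && $2 != "global" { bad = 1 }
        END { if (bad) exit 1; exit 0 }
    '
}

# Emit the scutil command stream that publishes a DNS dictionary for a tunnel
# device (open / d.init / d.add ... / set State:/Network/Service/<tun>/DNS).
# Assumption: this is the shape vpnc-script writes on macOS; verify against
# your copy. Apply with
#   dns_scutil_script utun0 core.example.com 10.131.10.15 10.131.10.16 | sudo scutil
# then run `scutil --dns | summarize_resolvers` to see how Sierra scoped it.
dns_scutil_script() {
    tun="$1"; domain="$2"; shift 2
    printf 'open\nd.init\n'
    printf 'd.add ServerAddresses * %s\n' "$*"
    printf 'd.add SearchDomains * %s\n' "$domain"
    printf 'd.add DomainName %s\n' "$domain"
    printf 'set State:/Network/Service/%s/DNS\nclose\n' "$tun"
}

# Demo against the two constructed samples; guarded so that sourcing the
# file only defines the functions.
if [ "${1:-}" = "--demo" ]; then
    echo "OpenConnect layout:"; printf '%s\n' "$SAMPLE_BAD"  | summarize_resolvers
    echo "AnyConnect layout:";  printf '%s\n' "$SAMPLE_GOOD" | summarize_resolvers
    for s in SAMPLE_BAD SAMPLE_GOOD; do
        eval "v=\$$s"
        if printf '%s\n' "$v" | vpn_dns_is_global 10.131.10.15; then
            echo "$s: 10.131.10.15 is only in unscoped resolvers"
        else
            echo "$s: 10.131.10.15 is tied to an interface"
        fi
    done
fi
```

Run it as `sh check_dns.sh --demo` to see both layouts, or on the Mac itself `scutil --dns | summarize_resolvers` after sourcing the file. The check deliberately treats the domain-scoped "Supplemental" resolver #2 as unscoped: it has no `if_index`, and the problem the post describes is interface binding, not domain matching.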

More information about the openconnect-devel mailing list