DNS server list has strange separator
Dimitri Papadopoulos
dimitri.papadopoulos at cea.fr
Thu Jun 22 07:21:32 PDT 2023
Hi,
Note that 59 is the decimal ASCII encoding for ";".
Also, 59 is not an octal number, making the "\059" notation even
more awkward.
Therefore I suspect this is a problem with the Fortigate configuration.
Using my own corporate VPN, I do not see such a character:
At some point openconnect reports:
    Got search domain intra.xxxx.xxx;extra.xxxx.xxx;saclay.xxxx.xxx;partenaires.xxxx.xxx;xxxx.xxx
And after connecting, resolvectl reports:
    $ resolvectl
    Global
        Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
        resolv.conf mode: stub
    Link 2 (enp0s31f6)
        Current Scopes: DNS
        Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
        Current DNS Server: 8.8.8.8
        DNS Servers: 8.8.8.8 192.168.0.254
    Link 3 (tun0)
        Current Scopes: DNS
        Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
        Current DNS Server: xxx.xxx.xxx.7
        DNS Servers: xxx.xxx.xxx.7 xxx.xxx.xxx.6
        DNS Domain: xxxx.xxx extra.xxxx.xxx intra.xxxx.xxx partenaires.xxxx.xxx saclay.xxxx.xxx
We could work around this peculiar separator, but human imagination has
no limits, so where should we stop? More importantly, how do we know the
separator is "\059" and not "\"? I haven't read recent DNS RFCs, but I
suspect that "059ns2.redacted.com" is as legit as "ns2.redacted.com"
nowadays.
Let's try a different angle: Does FortiClient handle this in a better way?
Dimitri
On 22/06/2023 at 05:02, Aaron Smith wrote:
> Running on Ubuntu 23.04 and connecting to a system Fortinet running version
> 4.71.113.194.
>
> After successful connection, the VPN routes and DNS server settings are
> applied to my system. The DNS server list is correct, but the servers are
> separated by '059' instead of a space character, as displayed by
> 'resolvectl' below:
>
> ~/ resolvectl status
> Link 2 (enxe04f439490d4)
>     Current Scopes: DNS
>     Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
>     Current DNS Server: 172.22.11.1
>     DNS Servers: 172.22.11.1
>     DNS Domain: redacted.net
>
> Link 3 (wlp0s20f3)
>     Current Scopes: none
>     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
>
> Link 4 (vpn00449b7858)
>     Current Scopes: none
>     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
>
> Link 5 (vpn00fa8f88cb)
>     Current Scopes: none
>     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
>
> Link 6 (tun0)
>     Current Scopes: none
>     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
>
> Link 22 (tun1)
>     Current Scopes: DNS
>     Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
>     Current DNS Server: 10.0.60.2
>     DNS Servers: 10.0.60.2 10.0.60.3
>     DNS Domain: ns1.redacted.com\059ns2.redacted.com
>
> ~/ openconnect --version
> OpenConnect version v9.01-3
> Using GnuTLS 3.7.8.
> Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
> Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
> Default vpnc-script (override with --script): /usr/share/vpnc-scripts/vpnc-script
> Global
>     Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
>     resolv.conf mode: stub
>     DNS Domain redacted.com private.net
>
--
Dimitri Papadopoulos
Université Paris-Saclay, CEA, NeuroSpin
91191 Gif-sur-Yvette
France
+33 (0)1 69 08 79 12
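
Added example, not part of the original message and not code from openconnect or vpnc-script: it shows how the RFC 1035 decimal \DDD escape turns a ";" inside a single search-domain string into "\059", and one way a client could split and validate a server-pushed list before handing it to the resolver. The function names, the accepted separator set (";", "," and whitespace) and the label rule are assumptions made for this sketch.

```python
import re

# Assumed label rule: letters, digits, '-' and '_', 1-63 chars, no edge hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9_-]{1,63}(?<!-)")

def escape_presentation(name):
    r"""Write a name in DNS presentation format (RFC 1035, section 5.1).
    Octets outside the plain set become \DDD, with DDD in decimal."""
    out = []
    for b in name.encode("ascii"):
        ch = chr(b)
        out.append(ch if ch.isalnum() or ch in "-_." else "\\%03d" % b)
    return "".join(out)

def unescape_presentation(text):
    r"""Reverse the escaping: \DDD becomes the octet DDD, \X becomes X."""
    def repl(m):
        tok = m.group(1)
        return chr(int(tok)) if len(tok) == 3 else tok
    return re.sub(r"\\(\d{3}|.)", repl, text)

def split_search_domains(raw):
    """Split a server-pushed search-domain string on the assumed separators.
    Returns (valid, rejected) so that odd input is reported, not applied."""
    valid, rejected = [], []
    for item in re.split(r"[;,\s]+", raw.strip()):
        if not item:
            continue
        name = item.rstrip(".")
        labels = name.split(".")
        if len(name) <= 253 and all(LABEL.fullmatch(l) for l in labels):
            valid.append(name.lower())
        else:
            rejected.append(item)
    return valid, rejected

if __name__ == "__main__":
    # Constructed input modelled on the redacted values in this thread.
    pushed = "ns1.redacted.com;ns2.redacted.com"
    # Treated as one domain name, the ';' is escaped, as seen in resolvectl.
    print(escape_presentation(pushed))
    # Split before use: two separate search domains, nothing rejected.
    print(split_search_domains(pushed))
    # Already-escaped text is unambiguous once unescaped first, then split.
    shown = r"ns1.redacted.com\059ns2.redacted.com"
    print(split_search_domains(unescape_presentation(shown)))
    # A digit-leading name is a valid name in its own right and is kept.
    print(split_search_domains("059ns2.redacted.com"))
```
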