Unable to resolve domain names when connected to Juniper Pulse Connect Secure VPN server

Chris O'Brien cobrien at solekai.com
Tue Mar 8 14:29:24 PST 2016


I'm using openconnect (built from
git://git.infradead.org/users/dwmw2/openconnect.git) on an Arch Linux
machine to establish a connection to a Juniper Pulse Connect Secure
VPN server. I'm invoking openconnect like so:

    openconnect --juniper -C "DSID=<cookie>" --cafile <cert> <server>

If I dump HTTP authentication traffic (--dump-http-traffic) I see DNS
search domain info being returned similar to:

   Received DNS search domain company.com, subdomain1.company.com,

vnpc-script uses the following logic to add this information to resolv.conf:

   # === resolv.conf handling via /usr/sbin/resolvconf (Debian,
Ubuntu, Gentoo)) =========

   modify_resolvconf_manager() {
            for i in $INTERNAL_IP4_DNS; do
                    NEW_RESOLVCONF="$NEW_RESOLVCONF nameserver $i"
            if [ -n "$CISCO_DEF_DOMAIN" ]; then
            echo "$NEW_RESOLVCONF" | /usr/sbin/resolvconf -a $TUNDEV

This ultimately leaves me with a resolv.conf that looks something like:

     # Generated by resolvconf
     domain company.com subdomain1.company.com subdomain2.company.com
     search company.com subdomain1.company.com subdomain2.company.com home
     nameserver <IPV4 nameserver 1>
     nameserver <IPV4 nameserver 2>
     nameserver <IPV4 nameserver 3>

Having multiple "domain" entries is illegal by my reading of the
resolv.conf man page, and indeed I'm unable to resolve domain names
until I edit resolv.conf by hand and change the first line to "domain
comany.com". What is the correct behavior in the case where multiple
DNS search domains are returned by the server? Should vpnc-script be
prefixing the domain list with the "search" keyword, rather than
"domain" ?


More information about the openconnect-devel mailing list