Unable to resolve domain names when connected to Juniper Pulse Connect Secure VPN server
Chris O'Brien
cobrien at solekai.com
Tue Mar 8 14:29:24 PST 2016
Hello,
I'm using openconnect (built from
git://git.infradead.org/users/dwmw2/openconnect.git) on an Arch Linux
machine to establish a connection to a Juniper Pulse Connect Secure
VPN server. I'm invoking openconnect like so:
openconnect --juniper -C "DSID=<cookie>" --cafile <cert> <server>
If I dump HTTP authentication traffic (--dump-http-traffic) I see DNS
search domain info being returned similar to:
Received DNS search domain company.com, subdomain1.company.com,
subdomain2.company.com
vpnc-script uses the following logic to add this information to resolv.conf:
# === resolv.conf handling via /usr/sbin/resolvconf (Debian, Ubuntu, Gentoo)) =========
modify_resolvconf_manager() {
    NEW_RESOLVCONF=""
    for i in $INTERNAL_IP4_DNS; do
        NEW_RESOLVCONF="$NEW_RESOLVCONF nameserver $i"
    done
    if [ -n "$CISCO_DEF_DOMAIN" ]; then
        NEW_RESOLVCONF="$NEW_RESOLVCONF domain $CISCO_DEF_DOMAIN"
    fi
    echo "$NEW_RESOLVCONF" | /usr/sbin/resolvconf -a $TUNDEV
}
This ultimately leaves me with a resolv.conf that looks something like:
# Generated by resolvconf
domain company.com subdomain1.company.com subdomain2.company.com
search company.com subdomain1.company.com subdomain2.company.com home
nameserver <IPV4 nameserver 1>
nameserver <IPV4 nameserver 2>
nameserver <IPV4 nameserver 3>
Having multiple "domain" entries is illegal by my reading of the
resolv.conf man page, and indeed I'm unable to resolve domain names
until I edit resolv.conf by hand and change the first line to
"domain company.com". What is the correct behavior in the case where
multiple DNS search domains are returned by the server? Should
vpnc-script be prefixing the domain list with the "search" keyword,
rather than "domain"?
Thanks,
Chris
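The following is an added example, not code from the original post or from openconnect's vpnc-script. It builds the same resolvconf input the script above builds from the same two variables (INTERNAL_IP4_DNS, CISCO_DEF_DOMAIN), but picks the keyword by the number of domains received: resolv.conf(5) gives "domain" exactly one argument and "search" a list, and the two keywords are mutually exclusive (the last instance wins), so a multi-domain list has to go behind "search". A second function checks a generated block and rejects any "domain" line carrying more than one name, which is the form the script above produces for the three-domain response in the post. The nameserver addresses and domain names in the usage lines are constructed for illustration; the real script would pipe the output into /usr/sbin/resolvconf -a $TUNDEV as shown in the snippet.

```shell
#!/bin/sh
# Added example (not openconnect's vpnc-script). Variable and function
# names are assumptions chosen to mirror the script quoted in the post.

# build_resolvconf "<nameservers>" "<domains>"
# Prints resolv.conf lines: one "nameserver" per address, then either
# "domain <name>" for a single domain or "search <list>" for several.
build_resolvconf() {
    ns_list=$1
    dom_list=$2
    out=""
    for i in $ns_list; do
        out="${out}nameserver $i
"
    done
    # resolv.conf(5): "domain" takes one name, "search" takes a list, and
    # only the last of the two keywords takes effect. Choose by count.
    set -- $dom_list
    if [ $# -eq 1 ]; then
        out="${out}domain $1
"
    elif [ $# -gt 1 ]; then
        out="${out}search $*
"
    fi
    printf '%s' "$out"
}

# check_resolvconf "<block>"
# Returns 0 if no "domain" line has more than one argument, 1 otherwise.
# (The while loop runs in a subshell, so "exit 1" only ends the pipeline
# and becomes the function's return status.)
check_resolvconf() {
    printf '%s\n' "$1" | while read -r kw rest; do
        case $kw in
        domain)
            set -- $rest
            [ $# -eq 1 ] || exit 1
            ;;
        esac
    done
}

# Usage with constructed values matching the post's shape:
INTERNAL_IP4_DNS="10.0.0.1 10.0.0.2 10.0.0.3"
CISCO_DEF_DOMAIN="company.com subdomain1.company.com subdomain2.company.com"
block=$(build_resolvconf "$INTERNAL_IP4_DNS" "$CISCO_DEF_DOMAIN")
printf '%s\n' "$block"
check_resolvconf "$block" && echo "resolv.conf block is well-formed"

# The form the quoted script emits for the same input fails the check:
check_resolvconf "domain $CISCO_DEF_DOMAIN" || echo "multi-argument domain line rejected"
```

With the three-domain input from the post the builder emits a single "search" line after the nameservers; with a one-element CISCO_DEF_DOMAIN it falls back to "domain", so a server that returns only its primary domain keeps the original behaviour.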