DNS server list has strange separator
Dimitri Papadopoulos Orfanos
dimitri.papadopoulos at cea.fr
Fri Jun 23 05:14:12 PDT 2023
Hi Aaron,
My mistake, I have been mixing up two different things:
* search domains, which are typically found in the XML configuration
sent by the Fortigate, inside a single XML element, with ';' or "," as
the separator:
<dns domain='sub1.redacted.com;sub2.redacted.com' />
* name servers, which are typically sent by IP address, *not* by DNS
name, and found in distinct XML elements sent by the Fortigate:
<dns ip='ns1.redacted.com' /><dns ip='ns2.redacted.com' />
while in your case the server appears to be sending something like this:
<dns ip='ns1.redacted.com\059ns2.redacted.com' />
Two things are different from what we are used to:
1. the DNS servers are transmitted by DNS name rather than IP address,
2. the DNS servers appear to be defined in the same XML element.
I have opened an issue here:
https://gitlab.com/openconnect/openconnect/-/issues/634
Could you run "openfortivpn -v -v - --dump-http-traffic", extract from
the output the XML configuration sent by the Fortigate, and post the
(redacted) XML configuration?
The XML configuration sent by the Fortigate starts with something like this:
<?xml version='1.0' encoding='utf-8'?><sslvpn-tunnel
Dimitri
Le 22/06/2023 à 16:21, Dimitri Papadopoulos a écrit :
> Hi,
>
> Note that 59 is the decimal ASCII encoding for ";".
>
> Also, 59 is not an octal number, making the "\059" notation even
> more awkward.
>
> Therefore I suspect this is a problem with the Fortigate configuration.
> Using my own corporate VPN, I do not see such a character:
>
> At some point openconnect reports:
>
> Got search domain
> intra.xxxx.xxx;extra.xxxx.xxx;saclay.xxxx.xxx;partenaires.xxxx.xxx;xxxx.xxx
>
> And after connecting, resolvectl reports:
>
> $ resolvectl
> Global
> Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
> resolv.conf mode: stub
>
> Link 2 (enp0s31f6)
> Current Scopes: DNS
> Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS
> DNSSEC=no/unsupported
> Current DNS Server: 8.8.8.8
> DNS Servers: 8.8.8.8 192.168.0.254
>
> Link 3 (tun0)
> Current Scopes: DNS
> Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS
> DNSSEC=no/unsupported
> Current DNS Server: xxx.xxx.xxx.7
> DNS Servers: xxx.xxx.xxx.7 xxx.xxx.xxx.6
> DNS Domain: xxxx.xxx extra.xxxx.xxx intra.xxxx.xxx
> partenaires.xxxx.xxx saclay.xxxx.xxx
>
>
>
> We could work around this peculiar separator, but human imagination has
> no limits, so where should we stop? More importantly, how do we know the
> separator is "\059" and not "\"? I haven't read recent DNS RFCs, but I
> suspect that "059ns2.redacted.com" is as legit as "ns2.redacted.com"
> nowadays.
>
> Let's try a different angle: Does FortiClient handle this in a better way?
>
> Dimitri
>
> Le 22/06/2023 à 05:02, Aaron Smith a écrit :
>> Running on Ubuntu 23.04 and connecting to a system Fortinet running
>> version 4.71.113.194.
>>
>> After successful connection, the VPN routes and DNS server settings
>> are applied to my system. The DNS server list is correct, but the
>> servers are separated by '059' instead of a space character, as
>> displayed by 'resolvectl' below
>>
>> ~/ resolvectl status
>> Link 2 (enxe04f439490d4)
>>     Current Scopes: DNS
>>          Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
>> Current DNS Server: 172.22.11.1
>>        DNS Servers: 172.22.11.1
>>         DNS Domain: redacted.net
>>
>> Link 3 (wlp0s20f3)
>>     Current Scopes: none
>>          Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
>>
>> Link 4 (vpn00449b7858)
>>     Current Scopes: none
>>          Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
>>
>> Link 5 (vpn00fa8f88cb)
>>     Current Scopes: none
>>          Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
>>
>> Link 6 (tun0)
>>     Current Scopes: none
>>          Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
>>
>> Link 22 (tun1)
>>     Current Scopes: DNS
>>          Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
>> Current DNS Server: 10.0.60.2
>>        DNS Servers: 10.0.60.2 10.0.60.3
>>         DNS Domain: ns1.redacted.com\059ns2.redacted.com
>>
>> ~/ openconnect --version
>> OpenConnect version v9.01-3
>> Using GnuTLS 3.7.8. Features present: TPMv2, PKCS#11, RSA software token,
>> HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
>> Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
>> Default vpnc-script (override with --script): /usr/share/vpnc-scripts/vpnc-script
>>
>> Global
>>          Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
>>   resolv.conf mode: stub
>>         DNS Domain redacted.com private.net
>>
>> _______________________________________________
>> openconnect-devel mailing list
>> openconnect-devel at lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/openconnect-devel
>
--
Dimitri Papadopoulos
Université Paris-Saclay, CEA, NeuroSpin
91191 Gif-sur-Yvette
France
+33 (0)1 69 08 79 12
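The thread above turns on two questions: how a client should split a Fortigate DNS list that uses ';' or ',' (or the odd "\059" decimal escape) as separator, and what to do with a value it cannot split cleanly, given that "059ns2.redacted.com" is itself a syntactically valid name. The following C code is an added example written for this discussion; it is not code from OpenConnect, openfortivpn or Fortinet. The function names (split_dns_list, dns_item_is_clean, check_dns_list), the MAX_ITEMS/MAX_LEN limits and the sample strings (taken from the redacted values quoted in the thread) are all assumptions. It splits on ';' and ',', optionally treats the literal four characters "\059" as a separator, and then checks every resulting element against the hostname/IPv4 character set, so that a value still containing a backslash is rejected rather than written into the resolver configuration:

```c
/* Added example (not OpenConnect's code): split a Fortigate-style DNS list
 * and validate each element before it reaches resolv.conf / vpnc-script. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ITEMS 16   /* assumed limit on elements per list */
#define MAX_LEN   255  /* maximum length of a DNS name */

/* Return 1 if s consists only of characters that can appear in a hostname
 * or dotted IPv4 address (letters, digits, '.' and '-'), 0 otherwise.
 * A backslash or any other byte means the list was not cleanly separated
 * and the value must not be handed to the resolver as-is. */
int dns_item_is_clean(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s; s++) {
        if (!(isalnum((unsigned char)*s) || *s == '.' || *s == '-'))
            return 0;
    }
    return 1;
}

/* Split the value of a <dns domain='...'/> (or the problematic ip='...')
 * attribute on ';' or ','. When decode_decimal_escape is non-zero, the
 * literal sequence "\059" (decimal ASCII for ';') is also a separator.
 * Empty elements are dropped. Returns the number of elements stored in
 * items, or -1 if the list or one element exceeds the assumed limits. */
int split_dns_list(const char *value, int decode_decimal_escape,
                   char items[][MAX_LEN + 1], int max_items)
{
    char cur[MAX_LEN + 1];
    int n = 0, len = 0;
    const char *p = value;

    for (;;) {
        int sep = 0, skip = 1;
        if (*p == '\0' || *p == ';' || *p == ',') {
            sep = 1;
        } else if (decode_decimal_escape && strncmp(p, "\\059", 4) == 0) {
            sep = 1;
            skip = 4; /* consume the whole "\059" escape */
        }
        if (sep) {
            if (len > 0) {
                if (n >= max_items)
                    return -1;
                cur[len] = '\0';
                strcpy(items[n++], cur);
                len = 0;
            }
            if (*p == '\0')
                break;
            p += skip;
        } else {
            if (len >= MAX_LEN)
                return -1; /* longer than any valid DNS name */
            cur[len++] = *p++;
        }
    }
    return n;
}

/* Split, then accept the list only if every element is clean.
 * Returns the element count, or -1 if the whole list is rejected. */
int check_dns_list(const char *value, int decode_decimal_escape)
{
    char items[MAX_ITEMS][MAX_LEN + 1];
    int n = split_dns_list(value, decode_decimal_escape, items, MAX_ITEMS);
    if (n < 0)
        return -1;
    for (int i = 0; i < n; i++)
        if (!dns_item_is_clean(items[i]))
            return -1;
    return n;
}

/* Return 1 if element idx of the split list equals expected (test helper). */
int dns_item_equals(const char *value, int decode_decimal_escape,
                    int idx, const char *expected)
{
    char items[MAX_ITEMS][MAX_LEN + 1];
    int n = split_dns_list(value, decode_decimal_escape, items, MAX_ITEMS);
    return n > idx && strcmp(items[idx], expected) == 0;
}

int main(void)
{
    /* Constructed inputs modelled on the redacted values in the thread. */
    const char *domains = "sub1.redacted.com;sub2.redacted.com";
    const char *odd     = "ns1.redacted.com\\059ns2.redacted.com";

    printf("search domains: %d element(s)\n", check_dns_list(domains, 0));
    printf("\\059 list, escape not decoded: %d (rejected)\n",
           check_dns_list(odd, 0));
    printf("\\059 list, escape decoded: %d element(s)\n",
           check_dns_list(odd, 1));
    return 0;
}
```

Without decoding the escape, the "\059" list is refused as a whole because of the backslash, which is the safer default for a value of unknown meaning; with decoding enabled it splits into the two names the server presumably intended. Either way nothing containing a backslash reaches the resolver.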