
Unable to get split DNS working with Wireguard #503

Open
awein opened this issue May 9, 2024 · 3 comments
Labels
bug Something isn't working

Comments


awein commented May 9, 2024

Summary

I was hoping that Passepartout supports what the native WG client does not: Split DNS. But it looks like it does not work as intended.

Steps to reproduce

  • Configure manual DNS by setting the DNS server IP to the internal DNS server (e.g. 172.16.1.1)
  • Configure the domain and search domain to point to the internal domain (e.g. internal.domain)

What is the current bug behavior?

172.16.1.1 will be used as the default DNS server on iOS and macOS. This can be observed by checking the network traffic, which shows that domains like apple.com are resolved through it as well.

What is the expected correct behavior?

172.16.1.1 should only receive DNS queries for internal.domain and its subdomains, but not any other DNS queries.

Relevant logs and/or screenshots

Observations from scutil output on macOS

  • Global DNS settings will show the LAN search domain but the VPN DNS server
> show State:/Network/Global/DNS
<dictionary> {
  SearchDomains : <array> {
    0 : lan
  }
  SearchOrder : 103800
  ServerAddresses : <array> {
    0 : 172.16.1.1
  }
  __CONFIGURATION_ID__ : Supplemental: 62FCF1C9-F651-4A03-9FEB-06A8476BB97A 0
  __FLAGS__ : 16390
  __ORDER__ : 0
}
  • The VPN DNS configuration includes an empty string in SupplementalMatchDomains
> show State:/Network/Service/62FCF1C9-F651-4A03-9FEB-06A8476BB97A/DNS
<dictionary> {
  SearchDomains : <array> {
    0 : internal.domain
    1 : internal.domain
  }
  ServerAddresses : <array> {
    0 : 172.16.1.1
  }
  SupplementalMatchDomains : <array> {
    0 : 
  }
}

Configuration screenshot


Possible fixes / suggested remediation

SupplementalMatchDomains being set to an empty string explains the behaviour (Apple documentation). Could it be that matchDomains is set to a value that includes an empty string?
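As an added diagnostic, not code from the report or from Passepartout, the following Python parses `scutil` dictionary dumps like the ones quoted above and flags the two things visible in them: the empty string in SupplementalMatchDomains (which makes the tunnel resolver the default for every query) and the duplicated search domain. The sample dump is constructed from the values quoted in the issue.

```python
"""Parse scutil DNS dictionaries and explain the split-DNS symptom.
Constructed sample modelled on the VPN service dump quoted in the report."""
import re

VPN_SERVICE_DNS = """\
<dictionary> {
  SearchDomains : <array> {
    0 : internal.domain
    1 : internal.domain
  }
  ServerAddresses : <array> {
    0 : 172.16.1.1
  }
  SupplementalMatchDomains : <array> {
    0 : 
  }
}
"""
_ENTRY = re.compile(r"^\s*(\S+)\s*:\s*(.*)$")  # "key : value", value may be empty


def parse_scutil(text):
    """One scutil dictionary dump -> dict of str or list[str] (arrays in order)."""
    result, array = {}, None
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if line.strip() == "}":                 # closes the open array or the dict
            array = None
        elif m and m.group(2).strip() == "<array> {":
            array = result.setdefault(m.group(1), [])
        elif m and array is not None:
            array.append(m.group(2).strip())     # group(1) is only the index
        elif m:
            result[m.group(1)] = m.group(2).strip()
    return result


def audit_split_dns(dns):
    """Findings that explain why the tunnel resolver receives every query."""
    findings = []
    match = dns.get("SupplementalMatchDomains")
    if match is None:
        findings.append("no SupplementalMatchDomains: resolver is not scoped to any domain")
    elif "" in match:
        findings.append("empty string in SupplementalMatchDomains: matches every domain")
    search = dns.get("SearchDomains", [])
    if len(search) != len(set(search)):
        findings.append("duplicate SearchDomains entries")
    return findings
```

Run it against the output of `scutil` (`show State:/Network/Service/<id>/DNS`) for the tunnel's service id; a scoped configuration should produce no findings.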

@awein awein added the bug Something isn't working label May 9, 2024

uberjay commented Nov 18, 2024

I've been building my own Wireguard app in macOS for a while now which includes this PR: WireGuard/wireguard-apple#11

It makes split DNS usable -- please consider incorporating it! You would have the privilege of offering the only (???) app store wireguard VPN with support for split DNS. (which wasn't bound to a specific VPN service, that is. I'm fairly sure the commercial offerings based on Wireguard make use of this macOS API already.)


keeshux commented Nov 19, 2024

@uberjay thanks, I'll give it a look.


keeshux commented Jan 19, 2025

@keeshux keeshux added this to the Inconsistencies with DNS milestone Jan 19, 2025