
split DNS

Open andreworg opened this issue 4 years ago • 16 comments

Looks like I am not getting DNSs from my SSL VPN.

I get this on the logs:

INFO: Got addresses: [10.10.10.1], ns [0.0.0.0, 0.0.0.0]

Split DNS works fine accessing the same profile from Forticlient/Win.

I am running 1.12.0 but the same happened on 1.11.0. Gateway runs FortiOS 6.2.3 but the same happened on 6.0.7.

andreworg avatar Mar 10 '20 22:03 andreworg

I guess the FortiGate device is not properly configured: as far as I can see it provides incorrect DNS server information. Note that FortiClient on Windows might be using IPSec, not VPN SSL. As far as I can see they are configured differently on the FortiGate device:

IPSec

config vpn ipsec phase1-interface
    set ipv4-dns-server1 {ipv4-address}
    set ipv4-dns-server2 {ipv4-address}
    set ipv4-dns-server3 {ipv4-address}

VPN SSL

config vpn ssl settings
    set dns-server1 {ipv4-address}
    set dns-server2 {ipv4-address}

DimitriPapadopoulos avatar Mar 11 '20 06:03 DimitriPapadopoulos

Hi, thanks for your reply. Maybe my question was not clear enough. I am talking about split DNS, not global DNS. In terms of FortiOS config:

config vpn ssl web portal
    edit "myportal"
        config split-dns
            edit 1
                set domains "mydomain1.local,mydomain2.local"
                set dns-server1 10.10.10.10
                set dns-server2 10.10.10.11
            next
        end
    next
end

config vpn ssl settings is a global (as opposed to per-portal) setting, and refers to the DNS servers that are assigned to the client when the SSL VPN connection is initiated. You can leave these unset, meaning that the client will use its own DNS settings. This corresponds to the "Same as client system DNS" in the GUI, VPN --> SSL VPN Settings. AFAIK this is perfectly compatible with the split DNS configuration above.

I was actually mistaken, and probably misleading, in thinking that the log message in my original post was about split DNS. Now I see it belongs to the "main" DNS settings, and zeroes mean leave system DNS as it is. openfortivpn behaves correctly in this regard. Nonetheless my question still stands. When I connect to the "myportal" SSL VPN in tunnel mode on Windows with Forticlient, the names matching the domains listed in the split DNS configuration are correctly resolved by the internal servers, while the other names are resolved by the global DNSs. When I connect to the same SSL VPN tunnel with openfortivpn, this does not happen.

I searched the logs at max verbosity for hints about my local DNSs, and found nothing apart from the XML dump of http_receive, with the portal settings.

<split-dns domains='mydomain1.local,mydomain2.local' dnsserver1='10.10.10.10' dnsserver2='10.10.10.11' />

n.b. traffic to the local DNS servers is enabled in the rules and routes are being set correctly.

My conclusion is that openfortivpn does not currently support split DNS.

andreworg avatar Mar 13 '20 21:03 andreworg

Ah, since I don't own a FortiGate appliance myself I am not aware of all options. Indeed the current code only parses:

<dns ip='...' />
<dns domain='...' />

It looks like we should also parse:

<split-dns domains='...,...' dnsserver1='...' dnsserver2='...' />

DimitriPapadopoulos avatar Mar 14 '20 14:03 DimitriPapadopoulos

Unfortunately, it's more complex. We also have to manipulate the process of DNS resolution then, and send the requests for those domains to the appropriate servers whereas requests for all other domains shall still be sent to the system DNS servers.

mrbaseman avatar Mar 16 '20 14:03 mrbaseman

I don't know openfortivpn's internals, but from what I gather I suspected that it would not be easy. I guess it does not operate above L3. The quickest thing I can think of is spawning a dnsmasq on the fly. Probably systemd can be used too, not sure though.

andreworg avatar Mar 16 '20 16:03 andreworg

Fedora 33 is expected to switch to systemd-resolved which might (or not?) help configuring split DNS.

DimitriPapadopoulos avatar Apr 15 '20 11:04 DimitriPapadopoulos

This could help, yes, but we are still left with the tasks:

  • support systemd-resolved and use it if it's available and in use on the system at runtime
  • parse the configuration in the xml
  • notify systemd-resolved about the domains that shall be resolved over the tunnel

mrbaseman avatar Apr 15 '20 13:04 mrbaseman
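An added example, not openfortivpn's code, covering the two distribution-independent tasks from the list above: parsing the `<split-dns>` element quoted earlier in the thread and turning it into routing-only `resolvectl` calls for the tunnel interface, so that only the listed domains are sent to the resolvers pushed by the gateway and every other name stays with the system resolvers. The sample XML, the interface name `ppp0` and the `0.0.0.0` handling are assumptions modelled on the log lines in this thread.

```python
"""Parse the <split-dns> element from a FortiGate SSL VPN portal XML dump and
build systemd-resolved commands that scope the pushed resolvers to the listed
domains only.  Added example; not openfortivpn code."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on the http_receive dump quoted in the thread.
SAMPLE_XML = """<sslvpn-tunnel>
  <dns ip='0.0.0.0' />
  <split-dns domains='mydomain1.local,mydomain2.local'
             dnsserver1='10.10.10.10' dnsserver2='10.10.10.11' />
</sslvpn-tunnel>"""

def parse_split_dns(xml_text):
    """Return (domains, servers) from the first <split-dns> element, or ([], [])."""
    root = ET.fromstring(xml_text)
    node = root if root.tag == "split-dns" else root.find(".//split-dns")
    if node is None:
        return [], []
    domains = [d.strip().lstrip(".") for d in node.get("domains", "").split(",")
               if d.strip()]
    servers = []
    for attr in ("dnsserver1", "dnsserver2"):  # the attributes seen in the dump
        value = node.get(attr)
        if not value or value == "0.0.0.0":   # 0.0.0.0 = "leave system DNS alone"
            continue
        ipaddress.IPv4Address(value)  # reject non-address garbage before shelling out
        servers.append(value)
    return domains, servers

def resolved_commands(iface, domains, servers):
    """argv lists for resolvectl. The '~' prefix makes each domain routing-only:
    names under it go to the tunnel resolvers, everything else stays on the
    system resolvers, which matches the FortiClient behaviour described above."""
    if not domains or not servers:
        return []
    return [
        ["resolvectl", "dns", iface, *servers],
        ["resolvectl", "domain", iface, *("~" + d for d in domains)],
    ]

if __name__ == "__main__":
    doms, srvs = parse_split_dns(SAMPLE_XML)
    for argv in resolved_commands("ppp0", doms, srvs):  # ppp0 is an assumed name
        print(" ".join(argv))
```

Without the `~` prefix the pushed servers would also become search domains, and without the per-interface scoping they would answer for every name, which is the resolv.conf-clobbering behaviour the thread wants to avoid.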

According to the FortiClient Administration Guide support for split DNS has been introduced in FortiClient 6.0.3:

FortiClient 6.0.3

Split DNS support for SSL VPN

FortiClient now supports split DNS tunneling for SSL VPN. See Configuring SSL VPN connections.

DimitriPapadopoulos avatar May 28 '20 07:05 DimitriPapadopoulos

Please do not make openfortivpn, or support of split dns in openfortivpn, require systemd.

rknop avatar Oct 01 '20 11:10 rknop

Some Linux systems do not support systemd but yes, systemd and NetworkManager should be used when available. There is already at least one ticket about that.

DimitriPapadopoulos avatar Oct 01 '20 12:10 DimitriPapadopoulos

@DimitriPapadopoulos

According to the FortiClient Administration Guide support for split DNS has been introduced in FortiClient 6.0.3:

That may be true for Windows and probably MacOS for latest versions.

@rknop

openfortivpn as it is now - and as it supposedly will ever be - relies on the rest of the stack to do DNS resolution. What can be done is make openfortivpn interact with something that will take care of split DNS. One option is to use systemd-resolved, but there are others, e.g. dnsmasq, see this link. Also look at the link at the start of that article, NetworkManager has a dnsmasq plugin (disclaimer: I just found out about it).

andreworg avatar Oct 03 '20 17:10 andreworg

An interesting article about "split DNS" has been published on Fedora magazine: https://fedoramagazine.org/systemd-resolved-introduction-to-split-dns/

angystardust avatar Oct 17 '20 08:10 angystardust

An interesting article about "split DNS" has been published on Fedora magazine: https://fedoramagazine.org/systemd-resolved-introduction-to-split-dns/

Unfortunately it focuses on systemd-resolved while most desktop distributions use NetworkManager. I still fail to find an overview explaining the different subsystems related to name resolution, how they interact, what API they offer to programmers, what to expect on major Linux platforms such as Debian, Ubuntu, RHEL or Fedora (desktop and server versions as they may differ). Of course I'm not saying systemd-resolved is not a step in the right direction, just that name resolution in the current Linux ecosystem is fragmented and complex.

DimitriPapadopoulos avatar Oct 17 '20 12:10 DimitriPapadopoulos

name resolution in the current Linux ecosystem is fragmented and complex.

Sadly, that is completely accurate. History suggests that systemd will "solve" this issue, possibly in a way that will piss off many.

andreworg avatar Oct 21 '20 09:10 andreworg

I don't think any VPN software should bother to implement this. You just need to support the same interface as for example OpenVPN to call a helper that sorts this out. Either https://github.com/jonathanio/update-systemd-resolved or if you want something that fucks around with resolv.conf

But I think there is only madness in trying to do this yourself. And with all the known issues with resolv.conf (hence all the existing workarounds) I also don't think breaking that is a good default behavior at all. (Except perhaps on some *BSD)

tbaumann avatar Nov 06 '23 12:11 tbaumann

My idea would be to move to vpnc-scripts to handle routing and DNS, but I won't have time to implement that in the foreseeable future (see #600 and #678).

DimitriPapadopoulos avatar Nov 06 '23 12:11 DimitriPapadopoulos