
No support for "match domains" to send queries to right resolvers #496

Open
ghost opened this issue Dec 16, 2022 · 2 comments

Comments

ghost commented Dec 16, 2022

Scenario:

  1. Have a VPN that uses "split tunnel", i.e. not all traffic goes over the VPN
  2. "Scoped" DNS that requires DNS queries for some domains to go over the VPN's DNS server

In the client configuration file, you can configure this like this:

[Interface]
DNS = 192.168.1.5,example.org,example.com
...

[Peer]
AllowedIPs = 192.168.1.0/24, ....

This means that all DNS queries that are for the *.example.org or *.example.com domain MUST go to the 192.168.1.5 DNS server. All queries for other domains should go to the DNS resolver that was configured on the system before the VPN got up, i.e. the one provided by WiFi network or ethernet. On macOS all queries go to the 192.168.1.5 server once connected, and not to the "system" DNS any longer.

On Linux (NetworkManager) it works exactly like it should. On Windows, a query is sent to all DNS servers, which is technically not correct, but at least it works.

This is most likely an upstream WireGuard issue that should also be fixed there...

It seems scutil --dns shows it as being correctly configured.

roop (Collaborator) commented Feb 16, 2023

@fkooman: The hostnames in the DNS field in the wg-quick config are search domains, not match domains.

man wg-quick says:

DNS — a comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.

To clarify search domains vs match domains: If we set search domains as ["example.com"], it means that if we need to resolve "abc", the resolver should try to resolve "abc.example.com" first. If we set match domains as ["example.com"], it means only "example.com" and "*.example.com" queries should go to this resolver.

WireGuardKit (see PacketTunnelSettingsGenerator.swift) sets the wg-quick DNS hostnames as search domains, consistent with the man page. It sets match domains as [""], which makes all queries go through the tunnel's DNS resolver first. I don't think there's a way to specify match domains in a wg-quick config.
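The search-domain vs match-domain distinction drawn in the comment above, and the wg-quick `DNS =` parsing rule from the man page quoted there, as an added example. This is not code from this issue or from WireGuardKit; the function names, the `DNSSettings` type and the system resolver address 10.0.0.1 are constructed for illustration. The `scoped()` helper shows the behaviour the reporter is asking for (hostnames used as match domains), next to the `[""]` default that sends every query to the tunnel resolver.

```python
# Added example, not code from the WireGuard issue or from WireGuardKit.
# Models the two notions of "domain" discussed in the thread: search domains
# (name expansion) and match domains (resolver selection), using the wg-quick
# DNS= parsing rule from man wg-quick. Sample addresses are constructed.
import ipaddress
from dataclasses import dataclass, replace
from typing import List


@dataclass
class DNSSettings:
    servers: List[str]         # resolver addresses handed to the tunnel
    search_domains: List[str]  # suffixes appended to short names
    match_domains: List[str]   # domains routed to these servers; [""] = everything


def parse_wg_dns(value: str) -> DNSSettings:
    """Split a wg-quick `DNS =` value: IP literals become servers, anything else
    becomes a search domain (man wg-quick). Match domains default to [""], the
    "all queries go to the tunnel resolver" behaviour described in the thread."""
    servers, search = [], []
    for item in (part.strip() for part in value.split(",")):
        if not item:
            continue
        try:
            servers.append(str(ipaddress.ip_address(item)))
        except ValueError:
            search.append(item.lower().rstrip("."))
    return DNSSettings(servers, search, [""])


def scoped(settings: DNSSettings) -> DNSSettings:
    """What the issue asks for: use the configured hostnames as match domains
    so that only queries under them are sent to the tunnel resolver."""
    return replace(settings, match_domains=list(settings.search_domains))


def expand_search(name: str, search_domains: List[str]) -> List[str]:
    """Search-domain semantics: a single-label name is tried with each suffix
    before being tried bare. Names containing a dot are used as-is here
    (real resolvers apply an ndots threshold; this is a simplification)."""
    name = name.rstrip(".")
    if "." in name:
        return [name]
    return [f"{name}.{suffix}" for suffix in search_domains] + [name]


def in_match_domain(name: str, match_domains: List[str]) -> bool:
    """Match-domain semantics: exact match or any label under the domain.
    The empty string matches every name."""
    name = name.lower().rstrip(".")
    for domain in match_domains:
        domain = domain.lower().rstrip(".")
        if domain == "" or name == domain or name.endswith("." + domain):
            return True
    return False


def choose_resolver(name: str, tunnel: DNSSettings, system_servers: List[str]) -> List[str]:
    """Pick the servers a query for `name` is sent to: the tunnel's if the name
    falls under one of its match domains, otherwise the pre-existing system ones."""
    if in_match_domain(name, tunnel.match_domains):
        return tunnel.servers
    return system_servers


def demo() -> dict:
    # Constructed values: the DNS line from the issue plus a made-up system resolver.
    tunnel = parse_wg_dns("192.168.1.5,example.org,example.com")
    system = ["10.0.0.1"]
    return {
        # default [""] match domains: an unrelated name still goes to the tunnel
        "unscoped_other": choose_resolver("www.example.net", tunnel, system),
        # scoped: the unrelated name stays on the system resolver ...
        "scoped_other": choose_resolver("www.example.net", scoped(tunnel), system),
        # ... while names under example.org go to the tunnel resolver
        "scoped_mail": choose_resolver("mail.example.org", scoped(tunnel), system),
        "expansion": expand_search("abc", tunnel.search_domains),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script it prints which resolver each constructed query would be sent to under the two policies; the point of the comparison is that `[""]` is what makes every query, including ones for domains the VPN has nothing to do with, reach the tunnel's DNS server.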

ghost (Author) commented Feb 16, 2023

Interesting! That makes a lot of sense.

I don't think there's a way to specify match domains in a wg-quick config.

Is this something that should be added (upstream)? It seems like an important feature to have so you are not leaking your DNS queries to all configured DNS servers?

@ghost ghost changed the title split tunnel /scoped DNS does not work No support for "match domains" to send queries to right resolves Sep 19, 2023
@ghost ghost changed the title No support for "match domains" to send queries to right resolves No support for "match domains" to send queries to right resolvels Sep 19, 2023
@ghost ghost changed the title No support for "match domains" to send queries to right resolvels No support for "match domains" to send queries to right resolvers Sep 19, 2023