
I am facing a problem with my Mac on a Sophos Remote IPsec VPN. The IPsec VPN is set to be the default gateway. I can connect to the VPN, and I can reach every IP on my remote network. I can dig and nslookup FQDNs too, but cannot ping them:

```
ping: cannot resolve domain.local: Unknown host
```

I have searched the Internet but cannot find a solution. I think it comes from my Mac, because "ping fqdn" did work, and then stopped. No modifications have been made on the remote firewall (I am the only one who has access).

In brief, when I am connected to the VPN, I can reach every machine and service by IP address, but not through the local DNS. I can browse the Internet through the VPN with no problem (I am actually connected to post this question).

I don't know very well how OS X handles network configuration; it seems more complicated than a simple Debian server or a Windows workstation (though).

I tried things like `scutil --dns` and `networksetup -listallnetworkservices`, which I didn't know, and got interesting information to help me, but didn't manage to resolve my problem.

From now on I think I need other brains to help me; then I will learn a bit more about using my Mac, and I think that's not a bad thing. It's like the NIC knows which DNS servers to ask to resolve names when using dig, but doesn't send them the request when asked by something else (like ping in this case).

My ears, or my eyes, are wide open. Thank you.

  • Looks like someone made a conflict by misusing a reserved domain. The IETF reserves the ".local" TLD for IETF ZeroConf (Apple calls their IETF ZeroConf implementation "Bonjour"). That means it's only for local multicast DNS (mDNS). You should never set up a unicast DNS server as if ".local" is its TLD. If you need a fake TLD for a DNS server, don't use ".local", use ".test".
    – Spiff
    Commented Nov 3, 2023 at 12:14
  • The venerable old dig and nslookup commands are for troubleshooting traditional unicast DNS servers. They have never been updated for the ZeroConf era (mDNS, etc.), so they don't know that ".local" has been reserved. To be good troubleshooting tools, they have their own built-in unicast DNS resolvers and don't use the system's DNS resolver. To use the system's DNS resolver from the command line, use the dns-sd command.
    – Spiff
    Commented Nov 3, 2023 at 12:27
  • Thank you for your comment, I will give a try to 'dns -sd'. domain.local was for the example; I replaced the local domain FQDN by domain.local, sorry for the misunderstanding. The real local domain is another one I don't want to publish here.
    – tasseb
    Commented Nov 3, 2023 at 12:54
  • There's no space in dns-sd. The hyphen is part of the command name. BTW "example.com" is a domain name reserved for examples.
    – Spiff
    Commented Nov 3, 2023 at 13:03

1 Answer

OK, found a way to make it work. I found two resources that helped me to resolve my problem:

  • rakhesh.com: MacOS VPN doesn’t use the VPN DNS
  • vNinja.net: macOS: Using Custom DNS Resolvers

So from these two resources, here are the steps to reach my local FQDNs when I am connected to my VPN (Sophos Remote IPsec with the Sophos VPN client). In this example, my local domain will be local.foo.bar. The local DNS IP address that is authoritative for this local domain is 10.10.10.10/24.

  1. Create the folder `/etc/resolver`

  2. Create and edit the file named after the local domain I want to resolve: `sudo vim /etc/resolver/lab.ecinf.ch`

  3. File content

     ```
     domain local.foo.bar
     search local.foo.bar
     nameserver 10.10.10.10
     search_order 1
     timeout 5
     ```
    

I put this resolver at a higher priority, because I want it to be used first when I am connected to the VPN. When I am disconnected, this domain is not reachable, so I don't care. The `timeout 5` is taken from rakhesh.com's blog, and it's a "timeout of 5 seconds so it doesn’t spend too much time trying to contact the name server if the VPN is not connected".

  4. Save the file
  5. Flush the DNS cache: `sudo killall -HUP mDNSResponder`
  6. Verification: `scutil --dns`

Hope it will help others who meet this issue. Hope that it isn't something bad to do this. If there is a network guru out there, please tell me if I have done something wrong or if it's not best practice at all.
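As an added example that is not part of the answer above or of the linked blog posts, here is a small POSIX shell helper that writes the per-domain resolver file described in steps 1 to 4, using the same keys as the answer's file. The function names `write_resolver` and `resolver_nameserver` and the optional third argument (the resolver directory, defaulting to `/etc/resolver`, so the helper can be exercised in a scratch directory without root) are assumptions of this example. It also refuses a `.local` domain, because, as noted in the comments, macOS treats `.local` as the mDNS (Bonjour) domain and a unicast resolver file there conflicts with that; the rakhesh.com/vNinja.net steps are otherwise followed unchanged. The reload (`killall -HUP mDNSResponder`) and check (`scutil --dns`) are macOS-only and are left as comments.

```shell
#!/bin/sh
# Added example (not the original answer's code). Writes a macOS
# /etc/resolver/<domain> file with the same content as the answer's step 3.

# write_resolver DOMAIN NAMESERVER [RESOLVER_DIR]
#   DOMAIN       local domain to route to the VPN's DNS, e.g. local.foo.bar
#   NAMESERVER   IPv4 address of the authoritative DNS server, e.g. 10.10.10.10
#   RESOLVER_DIR directory to write into (assumed default: /etc/resolver)
# Returns 0 on success, 1 on a rejected argument or a write failure.
write_resolver() {
    domain=$1
    ns=$2
    dir=${3:-/etc/resolver}

    # ".local" is reserved for multicast DNS on macOS; a unicast resolver
    # file for it would fight with Bonjour, so refuse it outright.
    case "$domain" in
        local|*.local)
            echo "refusing reserved .local domain: $domain" >&2
            return 1 ;;
    esac

    # Minimal sanity check: the nameserver must be a dotted-quad IPv4 address.
    if ! printf '%s\n' "$ns" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "nameserver must be a dotted-quad IPv4 address: $ns" >&2
        return 1
    fi

    mkdir -p "$dir" || return 1

    # Same keys as the answer's file: search_order 1 puts this resolver
    # first, timeout 5 keeps lookups short when the VPN is down.
    cat > "$dir/$domain" <<EOF
domain $domain
search $domain
nameserver $ns
search_order 1
timeout 5
EOF
}

# resolver_nameserver DOMAIN [RESOLVER_DIR]
#   Prints the nameserver configured in the resolver file for DOMAIN.
resolver_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "${2:-/etc/resolver}/$1"
}

# Usage on a Mac (needs root to write under /etc/resolver):
#   sudo sh -c '. ./resolver.sh; write_resolver local.foo.bar 10.10.10.10'
#   sudo killall -HUP mDNSResponder   # step 5: reload the resolver config
#   scutil --dns                      # step 6: the new resolver should be listed
```

On a real Mac, `scutil --dns` should then show a "resolver" entry for `local.foo.bar` pointing at `10.10.10.10` with order 1; if it does not, the file name, not the `domain` line, is what macOS matches on, so check that the file is named exactly after the domain.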
