DNS resolution works for nslookup but fails in browser while using openconnect
Trying to use openconnect to connect to a Cisco AnyConnect VPN.
I just did brew install openconnect and use it from the command line like this:
sudo openconnect --authgroup=VPN-SSL-GROUP -u [email protected] vpn.domain.com
Then I try to access the resource.domain.com name from the private network and get:
- in Chrome:
DNS_PROBE_FINISHED_NXDOMAIN
- in Network Utility -> Lookup: resource.domain.com -> The operation couldn’t be completed. (kCFErrorDomainCFNetwork error 2.)
BUT it gets resolved when I use nslookup from the command line:
nslookup resource.domain.com
Server: 10.66.0.1
Address: 10.66.0.1#53
Non-authoritative answer:
Name: resource.domain.com
Address: 10.66.110.24
I decided to check the content of /etc/resolv.conf:
nameserver 10.66.0.1
nameserver 10.66.0.2
nameserver 192.168.100.1 # (this is the DNS address of my home router)
and see that the required DNS addresses used by nslookup are in place. (If I use the resolved address in the browser, I successfully access the private resource, so routing works fine.)
I googled a bit and learned that DNS resolution does not work the way I would expect from Linux. There is a scutil utility which can help to manage the actual DNS settings.
Here is the list of my DNS settings which I can see in scutil:
> list .*DNS
subKey [0] = Setup:/Network/Service/47AA11B0-4713-41EF-B532-FC580ACD3E75/DNS
subKey [1] = State:/Network/Global/DNS
subKey [2] = State:/Network/MulticastDNS
subKey [3] = State:/Network/PrivateDNS
subKey [4] = State:/Network/Service/47AA11B0-4713-41EF-B532-FC580ACD3E75/DNS
subKey [5] = State:/Network/Service/utun1/DNS # (this one appears when I am connected using openconnect)
The content of the State:/Network/Global/DNS and State:/Network/Service/47AA11B0-4713-41EF-B532-FC580ACD3E75/DNS keys matches and is equal to:
<dictionary> {
ServerAddresses : <array> {
0 : 10.66.0.1
1 : 10.66.0.2
2 : 192.168.100.1
}
}
The content of State:/Network/Service/utun1/DNS (which only exists after openconnect has established the connection) is:
<dictionary> {
DomainName : location.domain.com
SearchDomains : <array> {
0 : location.domain.com
}
ServerAddresses : <array> {
0 : 10.66.0.1
1 : 10.66.0.2
}
SupplementalMatchDomains : <array> {
0 : location.domain.com
}
}
The other DNS-related keys are empty.
I also tried to go to Preferences -> Network -> my Wi-Fi connection -> Advanced and set the DNS addresses manually. It still does not work.
I also learned about vpnc-script for openconnect. I found it already existed on my machine and tried to specify it explicitly:
--script /usr/local/etc/vpnc-script
but it did not help to resolve private domains.
From what I see in scutil it seems to be properly configured, but for some reason DNS resolution does not work. Any ideas why? What else can I check and try?
Thanks to this answer: https://superuser.com/a/86245/356729
The command
networksetup -setdnsservers Wi-Fi 10.66.0.1 10.66.0.2
solved the problem. When I disconnect, I also have to manually restore the settings using:
networksetup -setdnsservers Wi-Fi 192.168.100.1
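As an added example (not the questioner's or the answerer's code): the networksetup fix above, scripted so the Wi-Fi resolver list is backed up before the openconnect session and restored afterwards. The service name, the 10.66.0.x resolvers and location.domain.com come from the post; the VPN_USER and VPN_HOST variables, the backup-file path and the function names are my own assumptions. It validates each address before calling networksetup (an address with a trailing comma is rejected before networksetup ever sees it) and, because there is nothing to put back when the DHCP-supplied servers were in use, uses networksetup's literal "empty" argument for that case. The under_domain helper spells out how I read the SupplementalMatchDomains entry in the scutil output: the utun1 resolver is advertised for names under location.domain.com, and resource.domain.com is not one of them.

```bash
#!/bin/bash
# Added example, not code from the question or the answer above.
# Back up the Wi-Fi resolver list, point it at the VPN resolvers for the
# openconnect session, and restore it when openconnect exits.
# Assumptions (not in the original post): VPN_USER/VPN_HOST, the backup-file
# path and all function names.
set -u

SERVICE="Wi-Fi"                     # network service name from the answer
VPN_DNS="10.66.0.1 10.66.0.2"       # resolvers from the utun1 DNS key in the question
STATE_FILE="${TMPDIR:-/tmp}/dns-backup.${SERVICE}"   # assumed location

# is_ipv4 ADDR: true only for a dotted quad with octets 0-255. networksetup
# takes one address per argument, so "10.66.0.1," (trailing comma) fails here.
is_ipv4() {
  local IFS=. o
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $1                          # split on "." via the local IFS
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# parse_dns_servers: read `networksetup -getdnsservers SERVICE` output on
# stdin and print the addresses space-separated on one line. When DHCP
# servers are in use macOS prints "There aren't any DNS Servers set on Wi-Fi."
# instead of addresses, which yields an empty line here.
parse_dns_servers() {
  local line servers=""
  while IFS= read -r line; do
    if is_ipv4 "$line"; then servers="${servers:+$servers }$line"; fi
  done
  printf '%s\n' "$servers"
}

# under_domain NAME DOMAIN: does NAME fall under DOMAIN (case-insensitive,
# trailing dot ignored)? Models the suffix match I read into
# SupplementalMatchDomains: location.domain.com covers host.location.domain.com
# but not resource.domain.com.
under_domain() {
  local name domain
  name=$(printf '%s' "${1%.}" | tr 'A-Z' 'a-z')
  domain=$(printf '%s' "${2%.}" | tr 'A-Z' 'a-z')
  if [ "$name" = "$domain" ]; then return 0; fi
  case $name in
    *."$domain") return 0 ;;
  esac
  return 1
}

# set_dns SERVICE ADDR...: validate every address, then apply with networksetup.
set_dns() {
  local svc=$1 s; shift
  for s in "$@"; do
    is_ipv4 "$s" || { printf 'set_dns: "%s" is not an IPv4 address\n' "$s" >&2; return 1; }
  done
  sudo networksetup -setdnsservers "$svc" "$@"
}

# restore_dns: put back what parse_dns_servers saved. An empty backup means
# "return to the DHCP-supplied servers", which networksetup spells "empty".
restore_dns() {
  local saved
  saved=$(cat "$STATE_FILE") || return 1
  if [ -n "$saved" ]; then
    set_dns "$SERVICE" $saved        # unquoted on purpose: one argument per address
  else
    sudo networksetup -setdnsservers "$SERVICE" empty
  fi
  rm -f "$STATE_FILE"
}

vpn_up() {
  if [ -e "$STATE_FILE" ]; then
    echo "vpn_up: $STATE_FILE exists; previous session not restored, run 'down' first" >&2
    return 1
  fi
  networksetup -getdnsservers "$SERVICE" | parse_dns_servers > "$STATE_FILE"
  set_dns "$SERVICE" $VPN_DNS || return 1
  trap restore_dns EXIT              # openconnect runs in the foreground; restore however it ends
  sudo openconnect --authgroup=VPN-SSL-GROUP -u "${VPN_USER:?set VPN_USER}" "${VPN_HOST:?set VPN_HOST}"
}

case "${1:-}" in
  up)   vpn_up ;;
  down) restore_dns ;;
  "")   ;;                           # no argument: only define the functions
  *)    echo "usage: $0 up|down" >&2; exit 2 ;;
esac
```

Run it as `VPN_USER=... VPN_HOST=vpn.domain.com ./vpn-dns.sh up`; the EXIT trap restores the saved resolver list when openconnect exits or is interrupted, and `down` is there for the case where the backup file was left behind.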