VPN messes up DNS resolution

After connecting with the Kerio VPN client (OS X Leopard) to a server, the internet (~web browsing) stopped working for the client.

After poking around, the issue seems to be bad DNS server (i.e., entering IPs directly works). After disconnecting from the VPN, the invalid DNS server disappears from scutil --dns and all's well again.

Now, I don't understand why OS X on the client even changes the DNS settings -- internet should be routed through a different interface, through the default gateway, not through the VPN.

Questions:

  1. By what mechanism does connecting the VPN client change the "default" DNS server?
  2. How can I stop the VPN client from changing routing/DNS rules? Where is this stuff stored/modified?

Before VPN:

$ scutil --dns
DNS configuration

resolver #1
  nameserver[0] : 10.66.77.1 # <---- default gateway = home router; all good
  order   : 200000

resolver #2
  domain : local
  options : mdns
  timeout : 2
  order   : 300000

...

VPN connected:

$ scutil --dns
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1 # <--- rubbish
  nameserver[1] : 192.168.2.1
  order   : 200000

resolver #2
  domain : local
  options : mdns
  timeout : 2
  order   : 300000

...

The VPN doesn't appear among $ networksetup -listallnetworkservices. It also doesn't appear in the "Network" dialogue of System Preferences. ifconfig reports it as

kvnet0: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1400
inet 192.168.2.9 netmask 0xffffff00 broadcast 192.168.2.255
ether 44:45:53:54:4f:53

EDIT: progress -- according to Kerio VPN docs:

The VPN server also assigns the client an address for the primary, and
optionally also a secondary, DNS server and a DNS domain extension. This
allows remote hosts to be specified by name.

The change of DNS configuration has the effect that all DNS queries
from the client host are sent to a DNS server in the remote private
network. Users usually do not even notice any change. Upon closing the
VPN connection, the original DNS configuration is restored.

How do they do that, and how do I stop them from doing it (switch DNS back without closing the VPN)?


Solution 1:

Regarding your first question, how does the VPN change the default DNS, I don't know the mechanism, but OSX provides programmatic access to networking settings via the DynamicStore APIs as well as via utilities like networksetup and scutil. This Apple doc has more info on how the settings are maintained internally. I would suppose built-in or third party-defined VPNs use those facilities.

Regarding your second question, how to stop the change, you can manually set the DNS associated with the VPN by going into Network Preferences, choosing the VPN network, going into Advanced, and inserting your own DNS servers there. Also, it might suffice simply to change the "service order" via the settings drop-down button in the Network Preferences pane. If the WiFi or Ethernet network is listed before the VPN network, then its DNS may take precedence in some cases.

However, probably your problem is more subtle and what you would actually like is to use the VPN's DNS servers for certain domain names (assets inside the VPN) and your normal DNS servers for the rest of the Internet. This is not what's happening now because the VPN's DNS servers are serving all your DNS queries.

If you look up the OSX man page on resolver(5), and especially the section SEARCH STRATEGY, you can see that OSX has an internal mechanism which allows you to define multiple DNS resolvers, where some resolvers serve some domains (like *.mycompany.com) and other resolvers serve everything else. However, this cannot be configured from the Network Preferences pane.

It seems you can configure this partly by adding resolver configuration files into /etc/resolvers. However, I don't know if those would take precedence over the ones installed by your VPN. If they do not, your next best bet would be to use scutil to explicitly edit and replace the DNS settings created by the VPN client. If you run scutil, and do

show State:/Network/Global/DNS

you will probably see the offending DNS settings created by your VPN client. You should be able to remove or modify them using the scutil interactive commands.

You should also verify the VPN is not breaking routing to the Internet. Use netstat -r before and after starting the VPN to see what happens to the default route, in order to check that.
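As an added example, not code from the question, the answer or Kerio, here is a small shell script that turns the answer's checks into repeatable steps: parse the resolver #1 nameservers out of scutil --dns, diff a "before" and "after" snapshot to see exactly which servers the VPN client pushed, render a split-DNS file in resolver(5) syntax (those files live under /etc/resolver/, one file per domain, and catch only queries for that domain), dump the State:/Network/Global/DNS key the VPN client rewrites, and print the default route. The two scutil --dns snippets inside the script are constructed, modelled on the output in the question; the scutil and netstat helpers only work on macOS and are skipped elsewhere.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Assumes the macOS
# tools scutil and netstat for the live helpers; the parsing helpers are
# exercised against constructed snippets modelled on the question's output.

# Constructed sample of `scutil --dns` before the VPN is up (home router).
SAMPLE_BEFORE='DNS configuration

resolver #1
  nameserver[0] : 10.66.77.1
  order   : 200000

resolver #2
  domain : local
  options : mdns
  timeout : 2
  order   : 300000
'

# Constructed sample while the VPN is connected (servers pushed by the VPN).
SAMPLE_AFTER='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 192.168.2.1
  order   : 200000

resolver #2
  domain : local
  options : mdns
  timeout : 2
  order   : 300000
'

# Nameservers of resolver #1, one per line. Resolver #1 is the unscoped
# resolver that answers every query not claimed by a domain-specific one,
# so this is the list that decides whether "the internet" resolves.
primary_nameservers() {
  printf '%s\n' "$1" | awk '
    /^resolver #/ { n++ }
    n == 1 && /nameserver\[[0-9]+\]/ { print $3 }
  '
}

# Nameservers present in the AFTER snapshot but absent from BEFORE: these
# are the entries the VPN client injected into the dynamic store.
new_nameservers() {
  before=$(primary_nameservers "$1")
  primary_nameservers "$2" | while read -r ns; do
    printf '%s\n' "$before" | grep -Fxq -- "$ns" || printf '%s\n' "$ns"
  done
}

# Render a split-DNS resolver file in resolver(5) syntax. Saved as
# /etc/resolver/<domain> (root required), it sends only queries for that
# domain to the listed servers; everything else keeps using resolver #1.
resolver_file() {
  [ $# -ge 2 ] || { echo "usage: resolver_file <domain> <nameserver>..." >&2; return 1; }
  domain=$1; shift
  printf 'domain %s\n' "$domain"
  for ns in "$@"; do printf 'nameserver %s\n' "$ns"; done
  printf 'search_order 1\n'
}

# Live (macOS only): show the global DNS key that scutil --dns is built from.
show_global_dns() {
  command -v scutil >/dev/null 2>&1 || { echo "scutil not found" >&2; return 1; }
  scutil <<'EOF'
open
show State:/Network/Global/DNS
close
EOF
}

# Live (macOS only): the default route, to confirm the VPN did not take it.
default_route() {
  command -v netstat >/dev/null 2>&1 || { echo "netstat not found" >&2; return 1; }
  netstat -rn | awk '$1 == "default" { print; exit }'
}

# Live usage (snapshot, connect the VPN, snapshot again, then diff):
#   scutil --dns > /tmp/dns.before; default_route > /tmp/route.before
#   ...connect the VPN...
#   scutil --dns > /tmp/dns.after;  default_route
#   new_nameservers "$(cat /tmp/dns.before)" "$(cat /tmp/dns.after)"
```

Running new_nameservers on real snapshots tells you whether the client merely added its servers (split DNS would then be enough) or replaced resolver #1 outright, as the question's output shows; default_route before and after answers the routing half of the problem.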