passepartoutvpn/passepartout

Unable to get split DNS working with Wireguard

Opened this issue · 2 comments

Summary

I was hoping that Passepartout supports what the native WG client does not: Split DNS. But it looks like it does not work as intended.

Steps to reproduce

  • Configure manual DNS by setting the DNS server IP to the internal DNS server (e.g. 172.16.1.1)
  • Configure the domain and search domain to point to the internal domain (e.g. internal.domain)

What is the current bug behavior?

172.16.1.1 will be used as the default DNS server on iOS and macOS. This can be observed by checking the network traffic, which will show that domains like apple.com are resolved through it as well.

What is the expected correct behavior?

172.16.1.1 should only receive DNS queries for internal.domain and its subdomains, but not any other DNS queries.

Relevant logs and/or screenshots

Observations from scutil output on macOS

  • Global DNS settings will show the LAN search domain but the VPN DNS server
> show State:/Network/Global/DNS
<dictionary> {
  SearchDomains : <array> {
    0 : lan
  }
  SearchOrder : 103800
  ServerAddresses : <array> {
    0 : 172.16.1.1
  }
  __CONFIGURATION_ID__ : Supplemental: 62FCF1C9-F651-4A03-9FEB-06A8476BB97A 0
  __FLAGS__ : 16390
  __ORDER__ : 0
}
  • The VPN DNS configuration includes an empty string in SupplementalMatchDomains
> show State:/Network/Service/62FCF1C9-F651-4A03-9FEB-06A8476BB97A/DNS
<dictionary> {
  SearchDomains : <array> {
    0 : internal.domain
    1 : internal.domain
  }
  ServerAddresses : <array> {
    0 : 172.16.1.1
  }
  SupplementalMatchDomains : <array> {
    0 : 
  }
}

Configuration screenshot (image not reproduced here)

Possible fixes / suggested remediation

SupplementalMatchDomains being set to an empty string explains the behaviour (Apple documentation). Could it be that matchDomains is set to a value that includes an empty string?
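For reference, here is how a tunnel provider would build NEDNSSettings so that only internal.domain (and its subdomains) is sent to 172.16.1.1, contrasted with the "all queries" form that produces the empty SupplementalMatchDomains entry seen in the scutil output above. This is an added illustration, not Passepartout's or wireguard-apple's code; the function names and the 203.0.113.1 tunnel address are made up for the example.

```swift
import NetworkExtension

/// Split DNS: only queries for the given match domains (and their subdomains)
/// go to `servers`; everything else keeps using the system resolver.
/// Returns nil when the match list is empty or contains "", because an
/// empty-string entry in matchDomains makes these settings the default
/// resolver for the whole device, which is exactly the bug reported above.
func makeSplitDNSSettings(servers: [String],
                          matchDomains: [String],
                          searchDomains: [String] = []) -> NEDNSSettings? {
    let match = matchDomains.map { $0.trimmingCharacters(in: .whitespaces) }
    guard !match.isEmpty, !match.contains("") else {
        return nil   // refuse to silently hijack all DNS traffic
    }
    let dns = NEDNSSettings(servers: servers)       // e.g. ["172.16.1.1"]
    dns.matchDomains = match                        // e.g. ["internal.domain"]
    // Deduplicate search domains while keeping order (the scutil dump above
    // shows internal.domain listed twice).
    var seen = Set<String>()
    let uniqueSearch = searchDomains.filter { seen.insert($0).inserted }
    dns.searchDomains = uniqueSearch.isEmpty ? nil : uniqueSearch
    dns.matchDomainsNoSearch = false                // unqualified names still expand
    return dns
}

/// Full-tunnel DNS: the single empty-string match domain is the documented way
/// to route every query through the tunnel resolver. It is correct for that
/// mode, but it must never be mixed into a split-DNS configuration.
func makeFullTunnelDNSSettings(servers: [String]) -> NEDNSSettings {
    let dns = NEDNSSettings(servers: servers)
    dns.matchDomains = [""]
    return dns
}

// Usage inside an NEPacketTunnelProvider subclass (hypothetical remote address):
// let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "203.0.113.1")
// settings.dnsSettings = makeSplitDNSSettings(servers: ["172.16.1.1"],
//                                             matchDomains: ["internal.domain"],
//                                             searchDomains: ["internal.domain"])
// setTunnelNetworkSettings(settings) { error in /* handle error */ }
```

After applying the settings, `scutil --dns` on macOS should list 172.16.1.1 only under a supplemental resolver whose domain is internal.domain, not under the global resolver.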

I've been building my own Wireguard app in macOS for a while now which includes this PR: WireGuard/wireguard-apple#11

It makes split DNS usable -- please consider incorporating it! You would have the privilege of offering the only (???) app store wireguard VPN with support for split DNS. (which wasn't bound to a specific VPN service, that is. I'm fairly sure the commercial offerings based on Wireguard make use of this macOS API already.)

@uberjay thanks, I'll give it a look.