
Comments (20)

atrujillofalcon avatar atrujillofalcon commented on July 17, 2024 2

Hi everyone. I can reproduce the error too upgrading to 0.14 vpn-slice.
Attached full logs (--dump -vv)

vpn-0.14-error.log

Thanks by this great tool @dlenski

from vpn-slice.

gmacon avatar gmacon commented on July 17, 2024 2

@crossance, can you try the version in #56? I'm not in the habit of using short names, but I do get a search domain from my VPN, and this change fixed the issue for me. We were configuring the search domains on the wrong attribute of the resolver. (This kind of thing is why I prefer statically-typed languages, but 🤷 . Maybe we should create a ticket to add type hints to all the things and start running mypy.)


crossance avatar crossance commented on July 17, 2024 2

@crossance, can you try the version in #56? I'm not in the habit of using short names, but I do get a search domain from my VPN, and this change fixed the issue for me. We were configuring the search domains on the wrong attribute of the resolver. (This kind of thing is why I prefer statically-typed languages, but shrug . Maybe we should create a ticket to add type hints to all the things and start running mypy.)

Happy to report back that this commit solved the issue for me.


TecMunky avatar TecMunky commented on July 17, 2024 1

I am sorry for my "tone" earlier. I was not trying to offend. I was just frustrated.

Thanks for the additional information. When I have a chance to do some more troubleshooting, I will let you know what I find. I will also do some more research on my own and see if I can figure out what is going on at the remote server.

In the meantime, I will lock my daily driver machine to version 0.13.

thanks again


dlenski avatar dlenski commented on July 17, 2024

my script includes -i option to get machine names on the remote network

That's not at all what the -i option does:

Routing and hostname options:
  -i, --incoming        Allow incoming traffic from VPN (default is to block)

After 0.14 upgrade, I can no longer access machines by name - I have to use the IP address of the machine I want to access

It sounds like the new DNS lookup mechanism in vpn-slice v0.14 broke for you (switched to using https://github.com/rthalley/dnspython instead of dig in v0.14), although I didn't get any earlier reports of issues with this. It's unrelated to the -i option.

What happens if you add --dump -vv to your vpn-slice options? It should give additional information about the DNS servers used and perhaps some additional insight into what's going wrong here.


TecMunky avatar TecMunky commented on July 17, 2024

First, the DNS servers are properly allocated for both 0.13 and 0.14.
When using 0.13, machine DNS lookups work fine.
When using 0.14, machine DNS lookups result in the following error:
I added '--dump -vv' to my vpn-slice options.

WARNING: Lookup for DLE_LAB_1 on VPN DNS servers failed:
	All nameservers failed to answer the query DLE_LAB_1. IN A: Server 10.30.64.2 UDP port 53 answered SERVFAIL; Server 10.30.64.3 UDP port 53 answered SERVFAIL

In the example, the machine name is DLE_LAB_1, and the DNS servers are 10.30.64.2 and 10.30.64.3.
When using 0.13, DLE_LAB_1 returns 10.30.66.66.
Where do I begin to look for the problem?


dlenski avatar dlenski commented on July 17, 2024

I am guessing that your target host has something other than an A record (standard name->IPv4 DNS record).

Try looking up the target system via another utility (e.g. dig @10.30.64.2 @10.30.64.3 DLE_LAB_1) after connecting to the VPN. This should clarify what type of record it returns and why.


TecMunky avatar TecMunky commented on July 17, 2024

UPDATE: see below

I am guessing that your target host has something other than an A record (standard name->IPv4 DNS record).

Try looking up the target system via another utility (e.g. dig @10.30.64.2 @10.30.64.3 DLE_LAB_1) after connecting to the VPN. This should clarify what type of record it returns and why.

First, I executed the dig command above from a terminal (while connected). I don't really know what the results actually mean. The following is when connected using vpn-slice version 0.13:

; <<>> DiG 9.16.2 <<>> @10.30.64.2 @10.30.64.3 DLE_LAB_1
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 37553
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;DLE_LAB_1.			IN	A

;; Query time: 16 msec
;; SERVER: 10.30.64.2#53(10.30.64.2)
;; WHEN: Sun May 31 10:00:22 CDT 2020
;; MSG SIZE  rcvd: 38

Next: The whole point of using vpn-slice was to make this seamless. When you switched to dnspython, the seamlessness broke. My question here is why did you switch? What are the benefits?

The beauty was that my hosts file was automatically updated when I connected to the remote system. Also, the updated entries were automatically deleted when I was disconnected from the remote system. This is sweet - this is what I need.

Further, I am not familiar with how DNS works, or what an 'A' record is vs. other types of records.

The main question is -- How do I get the functionality back of automatically changing the hosts file? I suppose I could add to my script to update the hosts file with the machines I need to access. This will take some work on my part, and I might end up screwing something up. Or maybe I could clone vpn-slice and make local changes to keep the functionality I need, but then I would need to independently build my personal branch each time the upstream repository changed - which adds the possibility of something breaking every time you make a change.

Please advise

##### UPDATE

Some of the machine names have short versions and long versions. For instance, when I query using the long name, I get a good answer (note the full name is modified for security reasons):

dig @10.30.64.2 @10.30.64.3 dle_lab_1.full.us

; <<>> DiG 9.16.2 <<>> @10.30.64.2 @10.30.64.3 dle_lab_1.full.us
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16409
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;dle_lab_1.full.us.		IN	A

;; ANSWER SECTION:
dle_lab_1.full.us.	1200	IN	A	10.30.66.66

;; Query time: 16 msec
;; SERVER: 10.30.64.2#53(10.30.64.2)
;; WHEN: Sun May 31 10:37:35 CDT 2020
;; MSG SIZE  rcvd: 63

vpn-slice version 0.13 will make the following entry in the hosts file, even though I only asked for the short version of the machine name:

10.30.66.66 DLE_LAB_1.full.us DLE_LAB_1		# vpn-slice-tun0 AUTOCREATED

Of course, version 0.14 returns nothing for any machine names, even when I DO ask for the full machine name, i.e. 'dle_lab_1.full.us'.


dlenski avatar dlenski commented on July 17, 2024

I get that this change broke your setup, and I would like to figure out why and fix it, but the tone in this report is not really helpful or motivational.

Next: The whole point of using vpn-slice was to make this seamless. When you switched to dnspython, the seamlessness broke. My question here is why did you switch? What are the benefits?

I wrote this tool initially because it was necessary for me in my previous job, then rewrote a better version in my spare time because I believe in open source software and thought it'd be useful for other people too. (One other user, @gmacon, has also made a very substantial contribution to the code.)

I have no idea how many people use vpn-slice. I didn't know until now that any Linux distributions package it. I am interested in adding a test suite, but coverage for this kind of issue would be extremely challenging.

For "the switch" that you're asking about, I did it precisely to avoid bugs in DNS lookup; I asked a few of the other contributors and users I know of to test it, and received positive feedback.

Further, I am not familiar with how DNS works, or what an 'A' record is vs. other types of records.

I am not a mind-reader about your VPN. I knew a lot less about DNS before I started working on vpn-slice too. I am certainly not an expert now. I had to learn.


dlenski avatar dlenski commented on July 17, 2024

Some of the machine names have short versions and long versions. For instance, when I query using the long name, I get a good answer (note the full name is modified for security reasons):

Okay, this update is constructive. Thank you. 👍

From your original comment, a query of the "short name" gives no IP address…

First, I executed the dig command above from a terminal (while connected). I don't really know what the results actually mean. The following is when connected using vpn-slice version 0.13:

; <<>> DiG 9.16.2 <<>> @10.30.64.2 @10.30.64.3 DLE_LAB_1
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 37553
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;DLE_LAB_1. IN A

;; Query time: 16 msec
;; SERVER: 10.30.64.2#53(10.30.64.2)
;; WHEN: Sun May 31 10:00:22 CDT 2020
;; MSG SIZE rcvd: 38

From the update, a query of the FQDN gives the IP address:

Some of the machine names have short versions and long versions. For instance, when I query using the long name, I get a good answer (note the full name is modified for security reasons):

dig @10.30.64.2 @10.30.64.3 dle_lab_1.full.us

dle_lab_1.full.us. 1200 IN A 10.30.66.66

This difference doesn't fully explain what broke, though, because v0.14 is intended to ignore such empty responses to a query, just as v0.13 does.

Let me think about how to do additional testing here.


dlenski avatar dlenski commented on July 17, 2024

As a temporary workaround… simply putting dle_lab_1.full.us on your vpn-slice command line (instead of just dle_lab_1) should make v0.14 continue working.

To debug the problem, try applying this patch on v0.14. It will print a ton of extra details while doing the DNS lookups…

diff --git a/vpn_slice/dnspython.py b/vpn_slice/dnspython.py
index 707abcd..15f2e62 100644
--- a/vpn_slice/dnspython.py
+++ b/vpn_slice/dnspython.py
@@ -1,3 +1,4 @@
+from sys import stderr
 from ipaddress import ip_address
 from dns.resolver import Resolver, NXDOMAIN, NoAnswer
 from dns.name import root, from_text
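Review bot: `from sys import stderr` exists only to feed the debug prints in the following hunk; since this patch is a throwaway diagnostic for v0.14 rather than something to merge, routing the output through the verbosity that `--dump -vv` already controls would let the extra detail stay in the tree behind `-vv` instead of having to be reverted afterwards.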
@@ -31,7 +32,10 @@ class DNSPythonProvider(DNSProvider):
 
             for rectype in self.rectypes:
                 try:
+                    print("Issuing query for hostname %r, rectype %r, source %r, search_domains %r, nameservers %r" % (
+                        hostname, rectype, source, self.resolver.search_domains, self.resolver.nameservers), file=stderr)
                     a = self.resolver.query(hostname, rectype, source=str(source))
+                    print("Got results: %r" % list(a), file=stderr)
                 except (NXDOMAIN, NoAnswer):
                     pass
                 else:
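Review bot: the diagnostic only logs on the success path; the `except (NXDOMAIN, NoAnswer):` branch stays silent, and any other resolver exception propagates without being printed at the query site. The SERVFAIL case reported earlier in this thread ("All nameservers failed to answer the query") is neither NXDOMAIN nor NoAnswer, so for exactly the failing lookup this patch would print the "Issuing query" line and nothing more. For the experiment, adding a print inside the except and a broad `except Exception as e:` that prints `e` before re-raising would show which candidate name failed and how. Also, the first print reports `self.resolver.search_domains`, the attribute vpn-slice assigns; per the later comment on #56 that was the wrong attribute of the resolver (dnspython qualifies short names from `Resolver.search`), so a non-empty value printed here does not prove the search list is actually in effect for the query.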


dlenski avatar dlenski commented on July 17, 2024

Sounds good. I tried to reproduce this on a VPN that I have access to, but cannot.

I imagine there is something slightly different about the semantics of the "search domain" in dnspython vs. with dig, but I don't know what it is.

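The search-list behaviour dlenski and gmacon are discussing, as an added example that is not vpn-slice's code: it simulates a stub resolver over constructed zone data taken from this thread's dig output, shows why the short name DLE_LAB_1 resolves only when a search domain is actually in effect (in dnspython that list lives on `Resolver.search`), and rebuilds the hosts line v0.13 wrote. The ndots rule, the `FAKE_ZONE` table and the function names are assumptions for the illustration.

```python
# Added example, not vpn-slice code: how a resolver search list turns the short
# name on the vpn-slice command line into the FQDN the VPN's DNS servers answer.
from typing import Dict, List, Optional, Tuple

# Constructed zone data standing in for the VPN's DNS servers; the one record is
# the dig answer quoted in this thread. Keys are absolute, lower-cased names.
FAKE_ZONE: Dict[str, str] = {"dle_lab_1.full.us.": "10.30.66.66"}


def candidate_qnames(hostname: str, search_domains: List[str], ndots: int = 1) -> List[str]:
    """Absolute names a stub resolver tries, in order (conventional search-list rules).

    A name ending in '.' is absolute and tried as-is. A relative name with fewer
    than `ndots` dots is qualified with each search domain before the bare name
    is tried; one with at least `ndots` dots is tried bare first.
    """
    if hostname.endswith("."):
        return [hostname]
    qualified = [f"{hostname}.{domain.strip('.')}." for domain in search_domains]
    bare = hostname + "."
    return qualified + [bare] if hostname.count(".") < ndots else [bare] + qualified


def lookup_a(hostname: str, search_domains: List[str]) -> Optional[Tuple[str, str]]:
    """Simulated A lookup: (matched absolute name, IPv4) for the first candidate
    the zone answers, or None when every candidate fails."""
    for qname in candidate_qnames(hostname, search_domains):
        ip = FAKE_ZONE.get(qname.lower())
        if ip is not None:
            return qname, ip
    return None


def hosts_line(hostname: str, search_domains: List[str], tag: str = "vpn-slice-tun0") -> Optional[str]:
    """Hosts-file line in the shape v0.13 wrote: IP, the resolved FQDN, and the
    short alias the user typed (omitted when both are the same name)."""
    found = lookup_a(hostname, search_domains)
    if found is None:
        return None
    qname, ip = found
    fqdn = qname.rstrip(".")
    names = [fqdn] if fqdn == hostname else [fqdn, hostname]
    return f"{ip} {' '.join(names)}\t\t# {tag} AUTOCREATED"


if __name__ == "__main__":
    # With the search list in effect the short name resolves; with the list
    # missing (the "wrong attribute" situation) only the bare name is queried.
    print(hosts_line("DLE_LAB_1", ["full.us"]))
    print(lookup_a("DLE_LAB_1", []))
```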

dlenski avatar dlenski commented on July 17, 2024

@atrujillofalcon and @TecMunky, this issue may be related to #54

It seems like dnspython is having some problems handling the replies from certain DNS servers, in a way that dig didn't have. We're trying to nail down the details in that issue, but I'm still not able to reproduce it myself.


dlenski avatar dlenski commented on July 17, 2024

@atrujillofalcon, do you have the same result when you add the FQDN instead of the short name?

e.g. replace srvlrabdes01 with srvlrabdes01.agbar.net (or whatever the full domain name is) in your command line of sudo openconnect --protocol=gp dummy.vpn.url -s 'vpn-slice srvlrabdes01 srvlrabint01 srvlrabint02 srvlrabpro01 srvlrabpro02 srvelabpro01 srvelabpro02 algol.agbar.local algolint.agbar.local testvlan.agbar.ga.local cmint.agbar.local gitlab.agbar.net sicabd.agbar.local sicabp.agbar.locall' --dump -vv .


TecMunky avatar TecMunky commented on July 17, 2024

ALL:
It seems my issue has been overcome by events. My employer is switching from a Cisco VPN to a Sophos VPN. I will need to figure out how to split my DNS over OpenVPN.


TecMunky avatar TecMunky commented on July 17, 2024

@dlenski

So I think I want to re-write this as a stand-alone post-connection script to update the hosts file with the ip address of the machine names (the ones that follow 'vpn-slice' in the command).

Where would I start in the code to figure this out?

thanks.


dlenski avatar dlenski commented on July 17, 2024

Where would I start in the code to figure this out?

This is the most intricate part of what vpn-slice does, because it involves using the DNS servers after connecting to the VPN and manipulating the host files. Try running with --dump -vv to log more details of what vpn-slice is doing.

Take a look at these sections of the code, in particular:

https://github.com/dlenski/vpn-slice/blob/master/vpn_slice/posix.py#L69-L91
https://github.com/dlenski/vpn-slice/blob/master/vpn_slice/__main__.py#L216-L251


crossance avatar crossance commented on July 17, 2024

I am facing the same issue after installing 0.14 where I get:

WARNING: Lookup for [short name] on VPN DNS servers returned nothing.

Two workarounds that I can attest to:

  1. Full domain name, e.g. from hrportal to hrportal.google.com
    This is somewhat cumbersome since I have a long list.
  2. Downgrade to older version 0.12 (presumably before dnspython)
    A quick fix.

Taking this opportunity to say thanks to @dlenski for the great work, I am sure it helped a lot of people during this WFH period.


dlenski avatar dlenski commented on July 17, 2024

@crossance Please try the latest version with #55 merged. This fixes #54, which may be related to this issue. I need more users to test or give information before I can be sure that they're actually related.


crossance avatar crossance commented on July 17, 2024

@crossance Please try the latest version with #55 merged. This fixes #54, which may be related to this issue. I need more users to test or give information before I can be sure that they're actually related.

The latest version did not work for me.

