Comments (20)
Hi everyone. I can reproduce the error too upgrading to 0.14 vpn-slice.
Attached full logs (--dump -vv)
Thanks for this great tool @dlenski
from vpn-slice.
@crossance, can you try the version in #56? I'm not in the habit of using short names, but I do get a search domain from my VPN, and this change fixed the issue for me. We were configuring the search domains on the wrong attribute of the resolver. (This kind of thing is why I prefer statically-typed languages, but 🤷. Maybe we should create a ticket to add type hints to all the things and start running mypy.)
from vpn-slice.
> @crossance, can you try the version in #56? I'm not in the habit of using short names, but I do get a search domain from my VPN, and this change fixed the issue for me. We were configuring the search domains on the wrong attribute of the resolver. (This kind of thing is why I prefer statically-typed languages, but 🤷. Maybe we should create a ticket to add type hints to all the things and start running mypy.)
Happy to report back that this commit solved the issue for me.
from vpn-slice.
I am sorry for my "tone" earlier. I was not trying to offend. I was just frustrated.
Thanks for the additional information. When I have a chance to do some more troubleshooting, I will let you know what I find. I will also do some more research on my own and see if I can figure out what is going on at the remote server.
In the meantime, I will lock my daily driver machine to version 0.13.
thanks again
from vpn-slice.
> my script includes -i option to get machine names on the remote network
That's not at all what the `-i` option does:
Routing and hostname options:
-i, --incoming Allow incoming traffic from VPN (default is to block)
> After 0.14 upgrade, I can no longer access machines by name - I have to use the IP address of the machine I want to access
It sounds like the new DNS lookup mechanism in `vpn-slice` v0.14 broke for you (switched to using https://github.com/rthalley/dnspython instead of `dig` in v0.14), although I didn't get any earlier reports of issues with this. It's unrelated to the `-i` option.
What happens if you add `--dump -vv` to your `vpn-slice` options? It should give additional information about the DNS servers used and perhaps some additional insight into what's going wrong here.
from vpn-slice.
First, the DNS Servers are properly allocated for both 0.13 and 0.14
When using 0.13, machine dns lookups work fine.
When using 0.14 machine dns lookups result in following error:
I added '--dump -vv' to my vpn-slice options
WARNING: Lookup for DLE_LAB_1 on VPN DNS servers failed:
All nameservers failed to answer the query DLE_LAB_1. IN A: Server 10.30.64.2 UDP port 53 answered SERVFAIL; Server 10.30.64.3 UDP port 53 answered SERVFAIL
In the example, the machine name is DLE_LAB_1, and the DNS servers are 10.30.64.2 and 10.30.64.3
When using 0.13, DLE_LAB_1 returns 10.30.66.66
Where do I begin to look for the problem?
from vpn-slice.
I am guessing that your target host has something other than an `A` record (standard name->IPv4 DNS record).
Try looking up the target system via another utility (e.g. `dig @10.30.64.2 @10.30.64.3 DLE_LAB_1`) after connecting to the VPN. This should clarify what type of record it returns and why.
from vpn-slice.
UPDATE: see below
> I am guessing that your target host has something other than an `A` record (standard name->IPv4 DNS record).
> Try looking up the target system via another utility (e.g. `dig @10.30.64.2 @10.30.64.3 DLE_LAB_1`) after connecting to the VPN. This should clarify what type of record it returns and why.
First, I executed the dig command above from a terminal (while connected) - I don't really know what the results actually mean - the following is when connected using vpn-slice version 0.13
; <<>> DiG 9.16.2 <<>> @10.30.64.2 @10.30.64.3 DLE_LAB_1
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 37553
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;DLE_LAB_1. IN A
;; Query time: 16 msec
;; SERVER: 10.30.64.2#53(10.30.64.2)
;; WHEN: Sun May 31 10:00:22 CDT 2020
;; MSG SIZE rcvd: 38
Next: The whole point of using vpn-slice was to make this seamless. When you switched to dnspython the seamlessness broke. My question here is why did you switch? What are the benefits?
The beauty was that my hosts file was automatically updated when I connected to the remote system. Also, the updated entries were automatically deleted when I was disconnected from the remote system. This is sweet - this is what I need.
Further, I am not familiar with how DNS works, or what an 'A' record is vs. other types of records.
The main question is -- How do I get the functionality back of automatically changing the hosts file? I suppose I could add to my script to update the hosts file with the machines I need to access. This will take some work on my part, and I might end up screwing something up. Or maybe I could clone vpn-slice and make local changes to keep the functionality I need, but then I would need to independently build my personal branch each time the upstream repository changed - which adds the possibility of something breaking every time you make a change.
Please advise
##### UPDATE
Some of the machine names have short versions and long versions. For instance, when I query using the long name, I get a good answer (note the full name is modified for security reasons)
dig @10.30.64.2 @10.30.64.3 dle_lab_1.full.us
; <<>> DiG 9.16.2 <<>> @10.30.64.2 @10.30.64.3 dle_lab_1.full.us
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16409
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;dle_lab_1.full.us. IN A
;; ANSWER SECTION:
dle_lab_1.full.us. 1200 IN A 10.30.66.66
;; Query time: 16 msec
;; SERVER: 10.30.64.2#53(10.30.64.2)
;; WHEN: Sun May 31 10:37:35 CDT 2020
;; MSG SIZE rcvd: 63
vpn-slice version 0.13 will make the following entry into the hosts file, even though I only asked for the short version of the machine name
10.30.66.66 DLE_LAB_1.full.us DLE_LAB_1 # vpn-slice-tun0 AUTOCREATED
Of course, version 0.14 returns nothing for any machine names, even when I DO ask for the full machine name - i.e. 'dle_lab_1.full.us'.
from vpn-slice.
I get that this change broke your setup, and I would like to figure out why and fix it, but the tone in this report is not really helpful or motivational.
> Next: The whole point of using vpn-slice was to make this seamless. When you switched to dnspython the seamlessness broke. My question here is why did you switch? What are the benefits?
I wrote this tool initially because it was necessary for me in my previous job, then rewrote a better version in my spare time because I believe in open source software and thought it'd be useful for other people too. (One other user, @gmacon, has also made a very substantial contribution to the code.)
I have no idea how many people use `vpn-slice`. I didn't know until now that any Linux distributions package it. I am interested in adding a test suite, but coverage for this kind of issue would be extremely challenging.
For "the switch" that you're asking about, I did it precisely to avoid bugs in DNS lookup; I asked a few of the other contributors and users I know of to test it, and received positive feedback.
> Further, I am not familiar with how DNS works, or what an 'A' record is vs. other types of records.
I am not a mind-reader about your VPN. I knew a lot less about DNS before I started working on `vpn-slice` too. I am certainly not an expert now. I had to learn.
from vpn-slice.
> Some of the machine names have short versions and long versions. For instance, when I query using the long name, I get a good answer (note the full name is modified for security reasons)
Okay, this update is constructive. Thank you. 👍
From your original comment, a query of the "short name" gives no IP address…
> First, I executed the dig command above from a terminal (while connected) - I don't really know what the results actually mean - the following is when connected using vpn-slice version 0.13
> ; <<>> DiG 9.16.2 <<>> @10.30.64.2 @10.30.64.3 DLE_LAB_1
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 37553
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4000
> ;; QUESTION SECTION:
> ;DLE_LAB_1. IN A
> ;; Query time: 16 msec
> ;; SERVER: 10.30.64.2#53(10.30.64.2)
> ;; WHEN: Sun May 31 10:00:22 CDT 2020
> ;; MSG SIZE rcvd: 38
From the update, a query of the FQDN gives the IP address:
> Some of the machine names have short versions and long versions. For instance, when I query using the long name, I get a good answer (note the full name is modified for security reasons)
> dig @10.30.64.2 @10.30.64.3 dle_lab_1.full.us
> dle_lab_1.full.us. 1200 IN A 10.30.66.66
This difference doesn't fully explain what broke though, because v0.14 is intended to ignore such empty responses to a query, just as v0.13 does.
Let me think about how to do additional testing here.
from vpn-slice.
As a temporary workaround… simply putting `dle_lab_1.full.us` on your `vpn-slice` command line (instead of just `dle_lab_1`) should make v0.14 continue working.
To debug the problem, try applying this patch on v0.14. It will print a ton of extra details while doing the DNS lookups…
diff --git a/vpn_slice/dnspython.py b/vpn_slice/dnspython.py
index 707abcd..15f2e62 100644
--- a/vpn_slice/dnspython.py
+++ b/vpn_slice/dnspython.py
@@ -1,3 +1,4 @@
+from sys import stderr
from ipaddress import ip_address
from dns.resolver import Resolver, NXDOMAIN, NoAnswer
from dns.name import root, from_text
@@ -31,7 +32,10 @@ class DNSPythonProvider(DNSProvider):
for rectype in self.rectypes:
try:
+ print("Issuing query for hostname %r, rectype %r, source %r, search_domains %r, nameservers %r" % (
+ hostname, rectype, source, self.resolver.search_domains, self.resolver.nameservers), file=stderr)
a = self.resolver.query(hostname, rectype, source=str(source))
+ print("Got results: %r" % list(a), file=stderr)
except (NXDOMAIN, NoAnswer):
pass
else:
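Review bot: in the second hunk the added `Got results` print sits on the success path only, and the unchanged `except (NXDOMAIN, NoAnswer): pass` stays silent, so a failing lookup leaves nothing but the `Issuing query` line. The warning quoted earlier in this thread reports SERVFAIL from both servers, which is neither of the two exceptions caught here, so that case leaves the `try` without reaching the new print or the `pass`. Suggest also printing the exception type and message for the caught cases, and for any other resolver error before it propagates. The output contains internal hostnames, search domains and nameserver addresses, so it should be redacted before being attached to a public issue.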
from vpn-slice.
Sounds good. I tried to reproduce this on a VPN that I have access to, but cannot.
I imagine there is something slightly different about the semantics of the "search domain" in `dnspython` vs. with `dig`, but I don't know what it is.
from vpn-slice.
@atrujillofalcon and @TecMunky, this issue may be related to #54
It seems like `dnspython` is having some problems handling the replies from certain DNS servers, in a way that `dig` didn't have. We're trying to nail down the details in that issue, but I'm still not able to reproduce it myself.
from vpn-slice.
@atrujillofalcon, do you have the same result when you add the FQDN instead of the short name?
e.g. replace `srvlrabdes01` → `srvlrabdes01.agbar.net` (or whatever the full domain name is) in your command-line of `sudo openconnect --protocol=gp dummy.vpn.url -s 'vpn-slice srvlrabdes01 srvlrabint01 srvlrabint02 srvlrabpro01 srvlrabpro02 srvelabpro01 srvelabpro02 algol.agbar.local algolint.agbar.local testvlan.agbar.ga.local cmint.agbar.local gitlab.agbar.net sicabd.agbar.local sicabp.agbar.locall' --dump -vv`.
from vpn-slice.
ALL:
It seems my issue has been overcome by events. My employer is switching from a Cisco VPN to a Sophos VPN. I will need to figure out how to split my dns over openVPN.
from vpn-slice.
So I think I want to re-write this as a stand-alone post-connection script to update the hosts file with the ip address of the machine names (the ones that follow 'vpn-slice' in the command).
Where would I start in the code to figure this out?
thanks.
from vpn-slice.
> Where would I start in the code to figure this out?
This is the most intricate part of what `vpn-slice` does, because it involves using the DNS servers after connecting to the VPN and manipulating the host files. Try running with `--dump -vv` to log more details of what `vpn-slice` is doing.
Take a look at these sections of the code, in particular:
https://github.com/dlenski/vpn-slice/blob/master/vpn_slice/posix.py#L69-L91
https://github.com/dlenski/vpn-slice/blob/master/vpn_slice/__main__.py#L216-L251
from vpn-slice.
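The short-name versus FQDN behaviour and the tagged hosts-file entries discussed in this thread, as an added sketch that is not vpn-slice's own code: it expands a short name through a search list, keeps going when one candidate fails, and appends or removes only lines carrying the marker seen in the quoted hosts entry. The function names, the `lookup` callable, the search domain `full.us` and the sample zone are assumptions constructed for illustration.

```python
from ipaddress import ip_address
# Marker copied from the hosts line quoted in the thread; everything else is hypothetical.
TAG = "# vpn-slice-tun0 AUTOCREATED"

def candidates(name, search_domains):
    """Names to try, in order, for a possibly short hostname."""
    if name.endswith("."):                       # already absolute: no search list
        return [name]
    expanded = [f"{name}.{d.strip('.')}." for d in search_domains]
    return expanded + [name + "."]               # bare name at the root comes last

def resolve(name, search_domains, lookup):
    """First (fqdn, ip) that resolves, else None. `lookup(fqdn)` returns address
    strings or raises LookupError (stand-in for NXDOMAIN/SERVFAIL/no answer)."""
    for fqdn in candidates(name, search_domains):
        try:
            addrs = lookup(fqdn.lower())
        except LookupError:
            continue                             # one failed candidate must not end the search
        if addrs:
            return fqdn.rstrip("."), str(ip_address(addrs[0]))  # reject non-IP answers
    return None

def add_entries(hosts_text, names, search_domains, lookup):
    """Append one tagged line per resolvable name; unresolved names are skipped."""
    lines = hosts_text.splitlines()
    for name in names:
        hit = resolve(name, search_domains, lookup)
        if hit:
            fqdn, ip = hit
            aliases = fqdn if fqdn.lower() == name.lower() else f"{fqdn} {name}"
            lines.append(f"{ip} {aliases} {TAG}")
    return "\n".join(lines) + "\n"

def remove_entries(hosts_text):
    """On disconnect, drop only the tagged lines and leave the rest untouched."""
    kept = [l for l in hosts_text.splitlines() if not l.endswith(TAG)]
    return "\n".join(kept) + "\n"

# Constructed stand-in for the VPN DNS servers, using the redacted name from the thread.
ZONE = {"dle_lab_1.full.us.": ["10.30.66.66"]}

def fake_lookup(fqdn):
    if fqdn not in ZONE:
        raise LookupError("SERVFAIL")
    return ZONE[fqdn]

if __name__ == "__main__":
    print(add_entries("127.0.0.1 localhost\n", ["DLE_LAB_1"], ["full.us"], fake_lookup), end="")
```

With an empty search list the short name has only the root candidate `DLE_LAB_1.`, which fails in the sample zone just as the short-name `dig` query in the thread did.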
I am facing the same issue after installing 0.14 where I get:
WARNING: Lookup for [short name] on VPN DNS servers returned nothing.
Two workarounds that I can attest to:
- Full domain name, e.g. from hrportal to hrportal.google.com
  This is somewhat cumbersome since I have a long list.
- Downgrade to older version 0.12 (presumably before dnspython)
  A quick fix.
Taking this opportunity to say thanks to @dlenski for the great work, I am sure it helped a lot of people during this WFH period.
from vpn-slice.
@crossance Please try the latest version with #55 merged. This fixes #54, which may be related to this issue. I need more users to test or give information before I can be sure that they're actually related.
from vpn-slice.
> @crossance Please try the latest version with #55 merged. This fixes #54, which may be related to this issue. I need more users to test or give information before I can be sure that they're actually related.
The latest version did not work for me.
from vpn-slice.