Hi Aaron,

My bad, I have been mixing up two different things:

* search domains, which are typically found in the XML configuration sent by the Fortigate, inside a single XML element, with ';' or "," as the separator:
  <dns domain='sub1.redacted.com;sub2.redacted.com' />

* name servers, which are typically sent by IP address, *not* by DNS name, and found in distinct XML elements sent by the Fortigate:
  <dns ip='ns1.redacted.com' /><dns ip='ns2.redacted.com' />
while in your case the server appears to be sending something like this:
  <dns ip='ns1.redacted.com\059ns2.redacted.com' />

Two things are different from what we are used to:
1. the DNS servers are transmitted by DNS name rather than IP address,
2. the DNS servers appear to be defined in the same XML element.

I have opened an issue here:
https://gitlab.com/openconnect/openconnect/-/issues/634

Could you run "openfortivpn -v -v - --dump-http-traffic", extract from the output the XML configuration sent by the Fortigate, and post the (redacted) XML configuration?

The XML configuration sent by the Fortigate starts with something like this:

<?xml version='1.0' encoding='utf-8'?><sslvpn-tunnel

Dimitri

On 22/06/2023 at 16:21, Dimitri Papadopoulos wrote:
Hi,

Note that 59 is the decimal ASCII encoding for ";".

Also, 59 is not an octal number, making the "\059" notation even more awkward.

Therefore I suspect this is a problem with the Fortigate configuration. Using my own corporate VPN, I do not see such a character:

At some point openconnect reports:

Got search domain intra.xxxx.xxx;extra.xxxx.xxx;saclay.xxxx.xxx;partenaires.xxxx.xxx;xxxx.xxx

And after connecting, resolvectl reports:

$ resolvectl
Global
        Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (enp0s31f6)
     Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 8.8.8.8
        DNS Servers: 8.8.8.8 192.168.0.254

Link 3 (tun0)
     Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: xxx.xxx.xxx.7
        DNS Servers: xxx.xxx.xxx.7 xxx.xxx.xxx.6
        DNS Domain: xxxx.xxx extra.xxxx.xxx intra.xxxx.xxx partenaires.xxxx.xxx saclay.xxxx.xxx



We could work around this peculiar separator, but human imagination has no limits, so where should we stop? More importantly, how do we know the separator is "\059" and not "\"? I haven't read recent DNS RFCs, but I suspect that "059ns2.redacted.com" is as legit as "ns2.redacted.com" nowadays.

Let's try a different angle: Does FortiClient handle this in a better way?

Dimitri

On 22/06/2023 at 05:02, Aaron Smith wrote:
Running on Ubuntu 23.04 and connecting to a system Fortinet running version
4.71.113.194.

After successful connection, the VPN routes and DNS server settings are applied to my system. The DNS server list is correct, but the servers are separated by
'059' instead of a space character, as displayed by 'resolvectl' below

~/ resolvectl status
Link 2 (enxe04f439490d4)
     Current Scopes: DNS
          Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
 Current DNS Server: 172.22.11.1
        DNS Servers: 172.22.11.1
         DNS Domain: redacted.net

Link 3 (wlp0s20f3)
     Current Scopes: none
          Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 4 (vpn00449b7858)
     Current Scopes: none
          Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 5 (vpn00fa8f88cb)
     Current Scopes: none
          Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 6 (tun0)
     Current Scopes: none
          Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 22 (tun1)
     Current Scopes: DNS
          Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
 Current DNS Server: 10.0.60.2
        DNS Servers: 10.0.60.2 10.0.60.3
         DNS Domain: ns1.redacted.com\059ns2.redacted.com

~/ openconnect --version
OpenConnect version v9.01-3
Using GnuTLS 3.7.8.
Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /usr/share/vpnc-scripts/vpnc-script

Global
        Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
DNS Domain redacted.com private.net

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel


--
Dimitri Papadopoulos
Université Paris-Saclay, CEA, NeuroSpin
91191 Gif-sur-Yvette
France
+33 (0)1 69 08 79 12
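As an added illustration of the two `<dns>` shapes Dimitri describes above (this is example code written for this page, not OpenConnect's own parser), the snippet below splits a search-domain attribute on ';' or ',' and accepts a name-server value only when it parses as an IP address, so a value like `ns1.example.com\059ns2.example.com` is reported rather than handed to the system resolver. The sample configurations, the `example.com` names and the `192.0.2.x` addresses are constructed; treating non-IP server values as rejects is an assumption of this example, not documented OpenConnect behaviour.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the two <dns> shapes described in the thread:
# one element carrying ';'-separated search domains, one <dns ip=...> per server.
SAMPLE_CONFIG = (
    "<?xml version='1.0' encoding='utf-8'?>"
    "<sslvpn-tunnel>"
    "<dns domain='sub1.example.com;sub2.example.com' />"
    "<dns ip='192.0.2.53' /><dns ip='192.0.2.54' />"
    "</sslvpn-tunnel>"
)

# Constructed sample reproducing the odd value from the report: two host names
# joined by the literal text "\059" inside a single ip attribute.
ODD_CONFIG = (
    "<sslvpn-tunnel>"
    "<dns ip='ns1.example.com\\059ns2.example.com' />"
    "</sslvpn-tunnel>"
)


def split_domains(value):
    """Split a search-domain attribute on ';' or ',' and drop empty items."""
    return [d.strip() for d in re.split(r"[;,]", value) if d.strip()]


def parse_dns(xml_text):
    """Return (search_domains, servers, rejected) for a Fortigate-style config.

    A server value is kept only if it parses as an IP address (assumption of
    this example); anything else, such as a host name or the "\\059"-joined
    string from the report, goes into `rejected` instead of the resolver setup.
    """
    root = ET.fromstring(xml_text)
    domains, servers, rejected = [], [], []
    for dns in root.iter("dns"):
        if "domain" in dns.attrib:
            domains.extend(split_domains(dns.attrib["domain"]))
        if "ip" in dns.attrib:
            value = dns.attrib["ip"]
            try:
                servers.append(str(ipaddress.ip_address(value)))
            except ValueError:
                rejected.append(value)
    return domains, servers, rejected
```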
