Hi Ken,

> Not sure if keeping the current DNS servers installed is the best
> approach, maybe we should remove the previous servers. But we
> currently just add them to have them as a fallback.

I've pushed a new build [1] based on 5.3.0-rc1 that instead of appending the servers to the list, it replaces the default servers and also restores them. This probably gives a somewhat more predictable behavior, but of course disables any fallback for DNS queries.

Unfortunately, that does not seem to resolve all issues. Some applications (Google Chrome) resolve DNS names just fine over the configured servers, others (Safari) don't use them. Not sure how we can trick all applications to use these servers.

/etc/resolv.conf, by the way, does not seem to get updated at all anymore. The file has been touched the last time Oct 17th, which exactly correlates to the time Yosemite has been installed. Most likely all C library calls rely on System Configuration these days?

> Out of curiosity, why is the DNS server added to the PrimaryService
> store State:/Network/Service/97E8D482-1E2D-4743-B18D-FCA53A7151A7/DNS
> instead of State:/Network/Global/DNS

AFAICS, DNS servers get configured on the interface (service), and if that is active get propagated to the global configuration.

> where the System Preferences->Network configured servers are stored?

To me it more looks like you configure DNS servers for each interface. The servers of the active/primary interface then get used.

While we install a utun device to forward traffic over libipsec, that interface does not have a "service" in the sense of System Configuration. We therefore assign DNS servers to the primary service, which is for your physical interface. Possible that this doesn't work that well anymore...

> Also, is there any way to associate a search domain with the DNS server
> sent by the VPN gateway?

No. IKEv2 does actually not support negotiating search domains for DNS servers, and a manual/local configuration is currently not implemented.

> I would like to use EAP-GTC authentication with the Mac app and would
> be willing to modify the app to add this feature.

The new build additionally comes with the eap-gtc plugin.

Regards
Martin

[1] http://download.strongswan.org/osx/strongswan-5.3.0-1.app.zip
