Only first nameserver is used from /etc/resolv.conf when I use VPN #2884
Comments
|
See the section on We are looking for a better solution for supporting DNS for WSL with VPN connected. Marking this duplicate and closing it out. Hopefully the above workaround unblocks you. |
|
Thanks. So it seems it is a duplicate of #1350, but the workaround doesn't work for me, because I have the same problem as described here: #1350 (comment) |
|
@donaldpipowitch - Got it! We are looking at alternate solutions for DNS resolution within WSL. Hang in there. |
|
Thank you 😊 |
|
@donaldpipowitch Check my comment here #2082 (comment) This is a workaround I'm using for about a month and seem to work quite well. @sunilmut not sure what kind of directions you are exploring, but I would consider using some kind of "built-in" recursor (with caching preferably) to perform the queries across the vpn dns servers and upstream servers. |
|
Use this script #1350 (comment) and set proper adapter order. VPN adapter must be first. |
|
i don't understand why WSL can't just write the entries in |
|
I ran into this n the last few days and it was driving me nuts. The solutions floating around where all WAY too hackish for my tastes. I created a very simple Basically, you can set a lower (== higher priority) InterfaceMetric for your VPN interface as follows (start a powershell as admin): > Get-NetIpInterface # Get a list of interfaces, Note the InterfaceIndex and InterfaceMetric for your VPN adapter
> Set-NetIPInterface -InterfaceIndex 12 -InterfaceMetric 10 # For example, if your VPN adapter has InterfaceIndex 12, we're setting the InterfaceMetric to 10, making sure 10 is lower than whatever you WiFi or Ethernet adapter hasAfter your interface metrics are set a-ok, you can use the script in the script-block below. The top of the script contains a complete explanation for how to use + a few settings (WslDistroName and ResolvConfFile) that need to be correct. # Before attempting to run this script, review and/or follow the
# following steps.
#
# 0. Make sure you can execute powershell scripts. Start Powershell as an
# administrator and execute:
#
# Set-ExecutionPolicy RemoteSigned
#
# 1. Make sure you disable wsl's broken resolv.conf handler.
# Create /etc/wsl.conf with the following 2 lines (without the pound signs):
#
# [network]
# generateResolvConf = false
#
# After that, make sure you issue a wsl.exe --shutdown.
#
# 2. Configure your WSL distro name in $WslDistroName below (do wsl -l to
# see your distro names) and make sure we're pointing at your resolv.conf
# file in $ResolvConfFile. Also make sure we can write to the resolv.conf
# file. I had to set permissions pretty broadly at 666 (chmod 666 /etc/resolv.conf).
#
# 3. Schedule this script with Task Scheduler:
#
# * Click Action –> Create Task…
# * Give your task a name in the General tab
# * Click on the Triggers tab and then click New…
# * In the "Begin the task" menu, choose “On an event.” Then, choose:
#
# Log: Microsoft-Windows-NetworkProfile/Operational
# Source: NetworkProfile
# Event ID: 10000
#
# * Event ID 10000 is logged when you connect to a network. Add another
# one when a disconnect would occur (Event ID 10001):
#
# Log: Microsoft-Windows-NetworkProfile/Operational
# Source: NetworkProfile
# Event ID: 10001
#
# * Go to the Conditions tab. Make sure it runs regardless of AC adapter
# connected/disconnected, peruse the other options there.
#
# * Go to the Actions tab. Add a run script action and then:
#
# Program/script: powershell.exe
# Arguments: -NoProfile -File "c:\where\you\stored\wsl-resolv-handler.ps1"
#
# * Optionally add -WindowStyle Hidden to above Arguments.
$WslDistroName = "Debian"
$ResolvConfFile = [string]::Format("\\wsl$\{0}\etc\resolv.conf", $WslDistroName)
function Convert-To-UnixLineEndings($path) {
$oldBytes = [io.file]::ReadAllBytes($path)
if (!$oldBytes.Length) {
return;
}
[byte[]]$newBytes = @()
[byte[]]::Resize([ref]$newBytes, $oldBytes.Length)
$newLength = 0
for ($i = 0; $i -lt $oldBytes.Length - 1; $i++) {
if (($oldBytes[$i] -eq [byte][char]"`r") -and ($oldBytes[$i + 1] -eq [byte][char]"`n")) {
continue;
}
$newBytes[$newLength++] = $oldBytes[$i]
}
$newBytes[$newLength++] = $oldBytes[$oldBytes.Length - 1]
[byte[]]::Resize([ref]$newBytes, $newLength)
[io.file]::WriteAllBytes($path, $newBytes)
}
Function Pause ($message)
{
# Check if running Powershell ISE
if ($psISE)
{
Add-Type -AssemblyName System.Windows.Forms
[System.Windows.Forms.MessageBox]::Show("$message")
}
else
{
Write-Host "$message" -ForegroundColor Yellow
$host.ui.RawUI.ReadKey("NoEcho,IncludeKeyDown")
}
}
# Discover things and create an $Entries object.
$NetworkInterfaces = Get-NetIPInterface -AddressFamily IPv4 | Where-Object ConnectionState -EQ 'Connected' | Where-Object NlMtu -LT 9001
$DNSServerAddresses = Get-DnsClientServerAddress -AddressFamily IPv4
$DNSClients = Get-DnsClient
$Entries = $NetworkInterfaces | ForEach-Object {
[PSCustomObject]@{
'InterfaceAlias' = $_.InterfaceAlias
'InterfaceIndex' = $_.InterfaceIndex
'InterfaceMetric' = $_.InterfaceMetric
'DNSServerAddresses' = ($DNSServerAddresses | Where-Object InterfaceIndex -EQ $_.InterfaceIndex | Where-Object AddressFamily -EQ 2).ServerAddresses
'DNSSuffixes' = @(($DNSClients | Where-Object InterfaceIndex -EQ $_.InterfaceIndex).ConnectionSpecificSuffix) + @(($DNSClients).ConnectionSpecificSuffixSearchList | Out-Null)
}
} | Sort-Object InterfaceMetric -Unique
# Tell the console what we found.
Write-Output ([string]::Format(" Resolv.conf location: {0}", $ResolvConfFile))
Write-Output ([string]::Format(" DNS servers configured: {0}", ($Entries.DNSServerAddresses -join ",")))
if ($Entries.DNSSuffixes -gt 0) {
Write-Output ([string]::Format("Search suffixes configured: {0}", ($Entries.DNSSuffixes -join ",")))
}
# Writing resolv.conf with things discovered.
$CommentLine = [string]::Format("# Generated by wsl-resolv-handler.ps1.")
Write-Output $CommentLine | Set-Content -Path $ResolvConfFile
if ($Entries.DNSSuffixes -gt 0) {
$SearchLine = [string]::Format("search {0}", ($Entries.DNSSuffixes -join " "))
}
Write-Output $SearchLine | Add-Content -Path $ResolvConfFile
$Entries | ForEach-Object {
$_.DNSServerAddresses | ForEach-Object {
$NameServerLine = [string]::Format("nameserver {0}", $_)
Write-Output $NameServerLine | Add-Content -Path $ResolvConfFile
}
}
# Make sure where UNIXy.
Convert-To-UnixLineEndings $ResolvConfFile
# Tell the console we're done.
Pause "Press any key to continue..."Save the above script as Update: Small fix, script doesn't write an empty |
|
For For example: Is |
That would be correct, yes. You can also test/see this by doing something like
|
|
Thanks, @rubin55, I tried the script and it does indeed update |
|
Hi @NicolasRouquette, the problem that you and many users of Cisco AnyConnect and Pulse Secure are most likely running into has to do with how those VPN clients handle extra lockdown features after establishing a connection to the VPN. The specific feature I'm talking about here is related to locking down access to other networks/subnets after a connection is established (also see here, specifically related to WSL2 with Pulse Secure): the VPN client in your case is configured to do that, which causes WSL2 based environments to be blocked (which is logical, as WSL2 is essentially a HyperV guest, on a different virtual network within your machine). Since it's the client that is causing this (by implementing the security policy configured by the corporate VPN administrators), I would think you have a few options:
Personally, I like WSL1 much better exactly due to these issues. Next to that, I like to see the wsl processes in my regular |
This bug-tracker is monitored by developers and other technical types. We like detail! So please use this form and tell us, concisely but precisely, what's up. Please fill out ALL THE FIELDS!
If you have a feature request, please post to the UserVoice.
If this is a console issue (a problem with layout, rendering, colors, etc.), please post to the console issue tracker.
Important: When reporting BSODs or security issues, DO NOT attach memory dumps, logs, or traces to Github issues. Instead, send dumps/traces to secure@microsoft.com, referencing the GitHub bug number. Ideally, please configure your machine to capture minidumps, repro the issue, and send the minidump from "C:\Windows\minidump".
Your Windows build number: (Type
verat a Windows Command Prompt) Microsoft Windows [Version 10.0.16299.192]What you're doing and what's happening: (Copy&paste specific commands and their output, or include screen shots)
I use WSL Ubuntu and I have a
/etc/resolv.conflike this one:This works with the
resolv.confmentioned above when I'm NOT using VPN:When I use VPN I get:
The same error comes when I use this
resolv.conf:It works when I use this
resolv.conf, but now I can't ping to example.lan anymore:So it looks like only the first nameserver is used when I use VPN.
It works fine from the Powershell or any other non-WSL application with VPN.
some_commandis failing, then runstrace -o some_command.strace -f some_command some_args, and link the contents ofsome_command.stracein a gist here)https://gist.github.com/donaldpipowitch/105b9b2f5802657593d468ae35265739
See our contributing instructions for assistance.
The text was updated successfully, but these errors were encountered: