scutil --dns and Network Preferences not matching up

I have a WireGuard tunnel that I am configuring via wg-quick on macOS; my client-side config looks something like:

$ cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = <snip>

# The address of this client
Address = fd37:5040::0002/64

# The address of my DNS server within the Wireguard VPN
DNS = fd37:5040::0001/64

[Peer]
PublicKey = <snip>
# Allow all traffic from the VPN subnet to flow from this peer
AllowedIPs = fd37:5040::/64
# Externally-visible endpoint
Endpoint = tunnel.mydomain.com:51820
PersistentKeepalive = 45

When I run wg-quick up, I get output like the following:

INFO: (utun4) 2019/06/05 11:48:38 Starting wireguard-go version 0.0.20190409
[+] Interface for wg0 is utun4
[#] wg setconf utun4 /dev/fd/63
[#] ifconfig utun4 inet6 fd37:5040::0002/64 alias
[#] ifconfig utun4 up
[#] networksetup -getdnsservers USB 10/100/1000 LAN
[#] networksetup -getdnsservers iPad USB
[#] networksetup -getdnsservers Wi-Fi
[#] networksetup -getdnsservers iPhone USB
[#] networksetup -getdnsservers Bluetooth PAN
[#] networksetup -getdnsservers Thunderbolt Bridge
[#] networksetup -getdnsservers wg0
[#] networksetup -setdnsservers Bluetooth PAN fd37:5040::0001
[#] networksetup -setdnsservers wg0 fd37:5040::0001
[#] networksetup -setdnsservers iPhone USB fd37:5040::0001
[#] networksetup -setdnsservers Wi-Fi fd37:5040::0001
[#] networksetup -setdnsservers USB 10/100/1000 LAN fd37:5040::0001
[#] networksetup -setdnsservers Thunderbolt Bridge fd37:5040::0001
[#] networksetup -setdnsservers iPad USB fd37:5040::0001
[+] Backgrounding route monitor

This all looks good and works just fine on most networks; however, in the event that I have no publicly-routable IPv6 addresses, it appears that macOS silently drops the IPv6 DNS entry. Looking at the DNS settings in Network Preferences, I see my DNS server listed there; however, asking scutil, I see nothing of the kind:

$ scutil --dns
DNS configuration

resolver #1
  search domain[0] : home
  nameserver[0] : 208.67.222.222
  nameserver[1] : 208.67.220.220
  if_index : 10 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #4
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #5
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #6
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #7
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : home
  nameserver[0] : 208.67.222.222
  nameserver[1] : 208.67.220.220
  if_index : 10 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  nameserver[0] : fd00:976a::9
  if_index : 19 (ipsec0)
  flags    : Scoped, Request AAAA records
  reach    : 0x00000002 (Reachable)

No amount of networksetup -setdnsservers seems to change this, and editing things in the Network Preferences pane shows that any IPv4 addresses I enter work, but IPv6 addresses get stripped out. How can I convince macOS to allow me to use these private IPv6 addresses to reach a DNS server located within my WireGuard tunnel when there is no interface with a publicly-routable IPv6 address?

networking
macos
dns
ipv6
wireguard
asked on Super User Jun 5, 2019 by staticfloat
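A check for the mismatch the question describes, added here as an example and not part of the question or of wg-quick: it parses scutil --dns output in the shape shown above, pulls the DNS= entry out of the wg-quick config, and reports configured servers that no unscoped (default) resolver lists, which is exactly the state where lookups silently bypass the tunnel's DNS. The sample output and config are constructed; the comparison is done on parsed addresses rather than strings because the config spells the server fd37:5040::0001 while scutil prints the canonical fd37:5040::1.

```python
import ipaddress
import re

# Constructed sample in the shape of the question's scutil output (not captured):
# the tunnel's resolver exists only in the scoped section, so it is never used.
SAMPLE_SCUTIL = """DNS configuration
resolver #1
  nameserver[0] : 208.67.222.222
  nameserver[1] : 208.67.220.220
  if_index : 10 (en0)
DNS configuration (for scoped queries)
resolver #1
  nameserver[0] : 208.67.222.222
resolver #2
  nameserver[0] : fd37:5040::1
  if_index : 19 (utun4)
"""
SAMPLE_CONF = "[Interface]\nDNS = fd37:5040::0001/64\n"  # as in the question

RESOLVER_RE = re.compile(r"^resolver #\d+")
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")
SCOPED_HEADER = "DNS configuration (for scoped queries)"


def parse_scutil_dns(text):
    """Return {"unscoped": [...], "scoped": [...]}: one address list per resolver."""
    sections = {"unscoped": [], "scoped": []}
    current = "unscoped"
    for line in text.splitlines():
        if line.strip() == SCOPED_HEADER:
            current = "scoped"
        elif RESOLVER_RE.match(line):
            sections[current].append([])
        elif (m := NAMESERVER_RE.match(line)) and sections[current]:
            sections[current][-1].append(ipaddress.ip_address(m.group(1)))
    return sections


def expected_dns(conf_text):
    """DNS= entries of a wg-quick config; a /64 suffix is dropped (DNS= takes hosts)."""
    addrs = []
    for line in conf_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "DNS":
            addrs += [ipaddress.ip_address(v.strip().split("/")[0])
                      for v in value.split(",") if v.strip()]
    return addrs


def missing_nameservers(conf_text, scutil_text):
    """Configured servers that no unscoped resolver lists; non-empty means leaked lookups."""
    applied = {ns for r in parse_scutil_dns(scutil_text)["unscoped"] for ns in r}
    return [ns for ns in expected_dns(conf_text) if ns not in applied]
```

On a Mac, feed the real `scutil --dns` output and wg0.conf contents to missing_nameservers instead of the samples; a non-empty result reproduces the symptom the question reports.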

0 Answers

Nobody has answered this question yet.
