Hello,
I'm using openconnect (built from
git://git.infradead.org/users/dwmw2/openconnect.git) on an Arch Linux
machine to establish a connection to a Juniper Pulse Connect Secure
VPN server. I'm invoking openconnect like so:
openconnect --juniper -C "DSID=<cookie>" --cafile <cert> <server>
If I dump HTTP authentication traffic (--dump-http-traffic) I see DNS
search domain info being returned similar to:
Received DNS search domain company.com, subdomain1.company.com,
subdomain2.company.com
vnpc-script uses the following logic to add this information to resolv.conf:
# === resolv.conf handling via /usr/sbin/resolvconf (Debian,
Ubuntu, Gentoo)) =========
modify_resolvconf_manager() {
NEW_RESOLVCONF=""
for i in $INTERNAL_IP4_DNS; do
NEW_RESOLVCONF="$NEW_RESOLVCONF nameserver $i"
done
if [ -n "$CISCO_DEF_DOMAIN" ]; then
NEW_RESOLVCONF="$NEW_RESOLVCONF domain $CISCO_DEF_DOMAIN"
fi
echo "$NEW_RESOLVCONF" | /usr/sbin/resolvconf -a $TUNDEV
}
This ultimately leaves me with a resolv.conf that looks something like:
# Generated by resolvconf
domain company.com subdomain1.company.com subdomain2.company.com
search company.com subdomain1.company.com subdomain2.company.com home
nameserver <IPV4 nameserver 1>
nameserver <IPV4 nameserver 2>
nameserver <IPV4 nameserver 3>
Having multiple "domain" entries is illegal by my reading of the
resolv.conf man page, and indeed I'm unable to resolve domain names
until I edit resolv.conf by hand and change the first line to "domain
comany.com". What is the correct behavior in the case where multiple
DNS search domains are returned by the server? Should vpnc-script be
prefixing the domain list with the "search" keyword, rather than
"domain" ?
Thanks,
Chris
