Re: Temporarily changing DNS servers and search domains in Tiger
- Subject: Re: Temporarily changing DNS servers and search domains in Tiger
- From: Allan Nathanson <email@hidden>
- Date: Thu, 2 Jun 2005 00:10:52 -0400
On Jun 1, 2005, at 11:03 PM, Nicholas Riley wrote:
> I'm working on a VPN configuration utility which needs to
> temporarily change the DNS servers and search domains while the VPN
> connection is active (VPN traffic goes over a separate interface).
> In Panther, I did this by editing resolv.conf. In Tiger, very few
> programs seem to consult resolv.conf.
As in the past, the network configuration agents post information to
the SCDynamicStore (on a per-service basis) which reflects the
requested and derived DNS configuration. A configd plugin,
IPMonitor, collects all of this information and builds a DNS
configuration based on the current state. The change for Tiger is
that we have a new way of passing around the actual DNS configuration
to the resolver code. We left the /etc/resolv.conf file in place to
help any legacy code which looked at its contents but the file is
essentially a read-only copy of the configuration.
> When I try to modify the SCDynamicStore
> (kSCDynamicStoreDomainState, kSCCompNetwork, kSCCompGlobal,
> kSCEntNetDNS), and call SCDynamicStoreNotifyValue for good measure,
> the changes stick, but nothing happens. If I don't run as root, I
> get kSCStatusAccessError when I try to write to it, and if I
> retrieve the entry later, it does come back as I stored it, but the
> output of scutil --dns (and the resolver behavior) does not change.
Again, the State:/Network/Global/DNS key in the SCDynamicStore
reflects the generated configuration. Changing the value (which you
shouldn't have been doing anyway) won't have any effect.
> Ideally I could associate the nameserver and search domain
> overrides with the interface, so when the interface goes down, the
> values associated with the previous interface are restored.
> However, the default route is not going to go through the VPN
> interface in most cases (in fact, the nameserver is on the public
> Internet), so I don't think it will be considered "primary". The
> VPN interface does show up as State:/Network/Interface/<iface>/IPv4
> for example, but not in the output of SCNetworkInterfaceCopyAll().
> If necessary, I can leave a daemon running to maintain state. (I
> tried that too, keeping the connection to the SCDynamicStore open,
> but it didn't help.) It is OK if my changes are relatively brittle
> - for example, I can use notifications to see if the user does
> something like change locations/sets and reinstall my changes or
> not, as appropriate if the VPN connection can be reestablished.
> What is the right way to do this?
Your VPN configuration agent/tool should publish a network service
with its desired DNS configuration. Having your VPN tunnel become
the primary service is the simplest solution (you'll capture both the
default route and the default resolver configuration). Other options
are also available but they are a bit trickier.
Note: it's better to work with the system/network configuration agents
than to try to change things behind the scenes.
- Allan
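As an added illustration of Allan's suggestion (not code from either poster), the following script publishes a tunnel's IPv4 and DNS entities as a network service in the SCDynamicStore through scutil's interactive mode, rather than editing resolv.conf or the derived State:/Network/Global/DNS key; the service ID, interface name and addresses are constructed placeholders, and whether the service ends up primary depends on IPMonitor's ranking, which is assumed rather than shown here.

```shell
#!/bin/sh
# Added example: publish a VPN tunnel's DNS configuration as a network service
# in the SCDynamicStore via scutil, and remove it again on teardown.
# SERVICE_ID and IFACE are constructed placeholders (any unique ID works).

SERVICE_ID="vpn-example-service"
IFACE="tun0"

# Emit the scutil command script that publishes the service entities.
# Args: tunnel IPv4 address, router (for the default route), DNS server
# list, search domain list. "*" tells scutil the value is an array.
publish_script() {
    addr=$1; router=$2; servers=$3; domains=$4
    cat <<EOF
open
d.init
d.add Addresses * $addr
d.add InterfaceName $IFACE
d.add Router $router
set State:/Network/Service/$SERVICE_ID/IPv4
d.init
d.add ServerAddresses * $servers
d.add SearchDomains * $domains
set State:/Network/Service/$SERVICE_ID/DNS
quit
EOF
}

# Emit the script that removes the entities when the tunnel goes down, so
# IPMonitor regenerates the global DNS configuration from the remaining services.
teardown_script() {
    cat <<EOF
open
remove State:/Network/Service/$SERVICE_ID/DNS
remove State:/Network/Service/$SERVICE_ID/IPv4
quit
EOF
}

# Feed a generated script (on stdin) to scutil; writes need root.
run_scutil() {
    command -v scutil >/dev/null 2>&1 || { echo "scutil not found" >&2; return 1; }
    scutil
}

# Usage (as root), then verify with `scutil --dns`:
#   publish_script 10.8.0.2 10.8.0.1 "10.8.0.1" "corp.example" | run_scutil
#   teardown_script | run_scutil
```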