From: Les M. <les...@gm...> - 2009-08-03 15:08:33
Joseph L. Casale wrote:
>> If I didn't say it clearly before, I'll say it now. I'm not the only one. I've had
>> this problem at every single client site where I have used OpenVPN in the past
>> eight years. The vast majority of time it didn't show up because end-users were
>> just people working from their home network and therefore the office DNS could
>> provide all of their Internet DNS related needs. I'm finding more and more
>> technically astute people having local networks at home with miniature DNS
>> setups. I find out about it when they call me saying "when OpenVPN is running,
>> why can't I access any of my machines at home?"
>
> I'm also following this thread with interest as I lurk before my first setup with OpenVPN.
> In my PIX that I am replacing, it's called Split-DNS and is obviously intrinsic to the
> function of the VPN. All of my needs revolve around remote users getting RDP access
> to their wkst's as we don't allow file sharing through the vpn and most of the files
> they open are prohibitively large files anyway.
>
> My users are trained to connect to the FQDN of their dynamically assigned wkst's which
> makes my administrative job easy. The Cisco split-dns has the search domain setup that
> *.example.com goes across the tunnel. Simple...

This solves the opposite problem by essentially NATting the DNS answers from the internal server depending on which side you are on. The problem that needs to be solved is where someone outside has their own similar private/local DNS that they need to access for their own LAN functionality while also having VPN access to the other network. In this case they will have their own DNS server configured that will most likely see the 'public' view of the other network even though they have VPN access. If you substitute the other network's DNS server, they will lose access to their local resources like printers and file services.

> I hope you figure this out, if so please post back!
For a permanent tunnel, a workable approach is to configure the remote DNS server as a secondary for the zone(s) that need the private view from the VPN connection, or to use a forwarder for those zones. However this depends on the remote DNS server having access to the tunnel which often won't be the case since it is likely to be embedded in a NAT router or in a DMZ subnet and not running the tunnel.

But, I don't think there is a good solution where the VPN connection is not permanent and you need to alternate access between (say) a public web service without VPN and private names in the same domain when the VPN is up. The simple-minded thing is to put your private addresses in public DNS so you don't need to worry about the difference between views, but that's not a good practice security-wise.

--
Les Mikesell
les...@gm...
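The "forwarder for those zones" arrangement described above, written out as a dnsmasq configuration for the home-side resolver. This is an added example, not configuration from the thread or from OpenVPN; the zone name `example.com`, the tunnel-side office DNS address `10.8.0.1`, the local domain `home.lan` and the upstream resolver are all assumptions chosen for illustration.

```conf
# Added example, not from the thread. Home-network dnsmasq that keeps
# answering local names itself while forwarding only the office zone to
# the office DNS server reached through the VPN tunnel.
#
# Assumed values:
#   home.lan     - the user's own local domain (printers, file servers)
#   example.com  - the office zone that needs the private (VPN) view
#   10.8.0.1     - the office DNS server as seen inside the tunnel
#   198.51.100.1 - placeholder for the ISP's / upstream resolver

# Serve local names from /etc/hosts and DHCP leases; never forward them.
local=/home.lan/
domain=home.lan
expand-hosts

# Forward the office zone, and its private reverse zone, across the tunnel.
# Queries for these names never reach the public resolver, so the client
# sees the internal addresses rather than the 'public' view.
server=/example.com/10.8.0.1
server=/10.in-addr.arpa/10.8.0.1

# Everything else goes to the normal upstream resolver (placeholder value).
no-resolv
server=198.51.100.1

# Refuse to forward anything that would leak a bare hostname upstream.
domain-needed
bogus-priv
```

Two points from the message carry straight over into this config. First, the box running dnsmasq must itself be a VPN endpoint (or be routed through one), because `server=/example.com/10.8.0.1` is only reachable while the tunnel is up; a resolver sitting in a NAT router or DMZ that does not carry the tunnel simply cannot reach `10.8.0.1`. Second, this is the permanent-tunnel case only: dnsmasq has no notion of "fall back to the public view when the tunnel is down", so with the tunnel down, lookups in `example.com` time out instead of returning the public addresses, which is exactly the alternating-access problem the message says has no clean answer.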