From: Eric S. J. <es...@ha...> - 2009-08-03 15:36:41
Les Mikesell wrote:
> But, I
> don't think there is a good solution where the VPN connection is not
> permanent and you need to alternate access between (say) a public web
> service without VPN and private names in the same domain when the VPN is
> up.

Solution is a simple name lookup proxy. I don't have the hands to write this kind of code anymore but I'm sure there are pieces out there that can be cobbled into shape.

The proxy is injected when the VPN comes up and reinjected every time the DHCP client gets renewed. The default name servers are taken from the DHCP client. In a very simplified form (and potentially very wrong), the proxy would do something like:

    Accept a query
    look up destination name server based on domain name and if domain name not found, yield default name server.
    proxy query between requester and destination name server.

I'll have to check to see if Python has a library for handling this. I might get lucky.

> The simple-minded thing is to put your private addresses in public
> DNS so you don't need to worry about the difference between views, but
> that's not a good practice security-wise.

Not to mention what happens when you have the same name inside and out so you can access the same resource identically whether you are inside or out.
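The lookup-and-route step described in the message above, sketched in Python as an added example that is not part of the original post or any project's code. The zone name, the server addresses and all function names are assumptions made for illustration; in the setup described, the default server would come from the DHCP lease and the zone table from the VPN configuration.

```python
import socket
import struct

# Hypothetical routing table: private zone -> name server reachable over the VPN.
VPN_ZONES = {"corp.example.com": "10.8.0.1"}
# Assumed default resolver, standing in for the one handed out by DHCP.
DEFAULT_NS = "192.0.2.53"

def build_query(name, qid=0x1234):
    """Construct a minimal A-record query (constructed sample input)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def query_name(packet):
    """Extract the lower-cased question name; reject malformed queries."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] != 1:
        raise ValueError("not a single-question DNS query")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        if length == 0:
            return ".".join(labels)
        if length > 63 or pos + 1 + length > len(packet):
            raise ValueError("bad label length")  # also rejects compression pointers
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length

def pick_server(name, zones=VPN_ZONES, default=DEFAULT_NS):
    """Longest zone match on a label boundary wins; anything else goes to default."""
    name = name.rstrip(".").lower()
    matches = [z for z in zones if name == z or name.endswith("." + z)]
    return zones[max(matches, key=len)] if matches else default

def proxy_once(packet, timeout=2.0):
    """Relay one query to the selected server and return its raw reply."""
    server = pick_server(query_name(packet))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))  # connected UDP socket drops replies from other hosts
        s.send(packet)
        reply = s.recv(4096)
    if reply[:2] != packet[:2]:
        raise ValueError("reply ID does not match query ID")
    return reply
```

Matching on a label boundary keeps a name such as notcorp.example.com from being sent to the private server, and keeps private names from being sent to the default resolver only for the zones listed in the table.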