From: Les M. <les...@gm...> - 2009-08-03 16:00:59
Eric S. Johansson wrote:
>
>> But, I don't think there is a good solution where the VPN connection
>> is not permanent and you need to alternate access between (say) a
>> public web service without VPN and private names in the same domain
>> when the VPN is up.
>
>
> The solution is a simple name lookup proxy. I don't have the hands to write
> this kind of code anymore but I'm sure there are pieces out there that
> can be cobbled into shape. The proxy is injected when the VPN comes up
> and reinjected every time the DHCP client gets renewed. The default
> name servers are taken from the DHCP client. In a very simplified form (and
> potentially very wrong), the proxy would do something like:
>
> Accept a query.
> Look up the destination name server based on the domain name and, if the
> domain name is not found, yield the default name server.
> Proxy the query between the requester and the destination name server.
>
> I'll have to check to see if Python has a library for handling this. I
> might get lucky.
You can't do this on the remote side since it won't have access to the
original local DNS. So you'd have to supply a proxy that could run on
every OS where openvpn runs and figure out a reasonable address/port for
it - which sounds harder than adjusting the existing server.
>> The simple-minded thing is to put your private addresses in public DNS
>> so you don't need to worry about the difference between views, but
>> that's not a good practice security-wise.
>
> Not to mention what happens when you have the same name inside and out,
> so you can access the same resource identically whether you are inside
> or out.
If you don't split views, this can't happen. It is a problem if your
NAT device doesn't allow access to the outside address from the inside
interface, though.
--
Les Mikesell
les...@gm...
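The name lookup proxy sketched in the quoted reply (accept a query, pick the upstream resolver from the queried domain, fall back to the DHCP-supplied resolver, relay the query) as an added Python example; it is not code from either poster. The resolver addresses and the private-suffix table are constructed placeholders, and the hypothetical `forward_once` relays a single UDP query with no caching, TCP fallback or response validation.

```python
import socket
import struct

# Constructed placeholder values: private suffix -> resolver reachable only over the VPN,
# everything else -> the resolver handed out by DHCP.
VPN_RESOLVERS = {"corp.example": "10.8.0.1"}
DEFAULT_RESOLVER = "192.0.2.53"

def qname_from_query(packet):
    """Return the first question name from a wire-format DNS query."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        if length & 0xC0:  # compression pointers are not valid in a query's question name
            raise ValueError("unexpected compression pointer")
        pos += 1
        if length == 0:
            return ".".join(labels)
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length

def choose_upstream(name, table=VPN_RESOLVERS, default=DEFAULT_RESOLVER):
    """Longest matching private suffix wins; otherwise use the default resolver."""
    name = name.rstrip(".").lower()
    best = ("", default)
    for suffix, server in table.items():
        suffix = suffix.lower()
        if (name == suffix or name.endswith("." + suffix)) and len(suffix) > len(best[0]):
            best = (suffix, server)
    return best[1]

def build_query(name, txid=0x1234, qtype=1):
    """Build a minimal wire-format A query (used for the example and its checks)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def forward_once(packet, timeout=2.0):
    """Relay one query over UDP to the chosen resolver and return the raw reply."""
    upstream = choose_upstream(qname_from_query(packet))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (upstream, 53))
        reply, _ = sock.recvfrom(4096)
    return reply
```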