Re: [Openvpn-users] split Horizon DNS

[Les M. <les...@gm...>]

Eric S. Johansson wrote:
>
>> You can't do this on the remote side since it won't have access to the 
>> original local DNS. 
> 
> the client (remote) side has access to the local name server because it 
> exists in the local resolve.conf.  This is sufficient information for a 
> default name server address
> 
>> So you'd have to supply a proxy that could run on every OS where 
>> openvpn runs and figure out a reasonable address/port for it - which 
>> sounds harder than adjusting the existing server.
> 
> Well, it's actually less difficult when you consider that someone like 
> me use the VPN in a half a dozen locations such as public access points, 
> libraries etc.  There I can't modify the name server because it's not my 
> job or responsibility.  All I can control is what's local on my system.

Usually in a public location you don't rely on their local private DNS 
at the same time you need access to the tunneled DNS.  I thought we were 
talking about a connection between LANs, each with their own respective 
private DNS names.

In a simple scenario where you only care about one machine you might 
manage by fudging things with an /etc/hosts file that you swap in and 
out as needed (or leave in if the names are unique).  Or on a Windows 
box you might hook DNS to one LAN and WINS to the other's server.

>> If you don't split views, this can't happen.  It is a problem if your 
>> NAT device doesn't allow access to the outside address from the inside 
>> interface, though.
> 
> yes.  If an address translation boundary let you use an external address 
> from the inside, then this problem wouldn't exist.  But it still 
> wouldn't solve the original problem that I have a half a dozen sites 
> that I use open VPN from connecting to three or four networks and I need 
> private names from both sides.
> 
> Right now, for me the difficult part is figuring out how to replace the 
> DHC supplied name server information with the private proxy name server 
> information in resolve.conf every time I get a new lease.  And also 
> invoking the conversion script on initiation of a VPN.
> 
> remember, I'm not saying this is open VPNs problem, only that it's 
> configuration revealed a need to think about DNS a different way.  
> Without VPNs, we wouldn't have this problem

It is a natural consequence of private addressing instead of the 
expected hierarchical design.  VPNs are just a way of working around 
some of the issues - but you'd see the same thing if you connected up 
with private physical circuits instead of virtual ones.

-- 
   Les Mikesell
    les...@gm...