From: Les M. <les...@gm...> - 2009-08-03 19:56:01
Eric S. Johansson wrote:
>
>> Usually in a public location you don't rely on their local private DNS
>> at the same time you need access to the tunneled DNS. I thought we
>> were talking about a connection between LANs, each with their own
>> respective private DNS names.
>
> My local public library has printers I accessed by name. Local names in
> a public location. Remember, the unwashed masses are becoming more
> sophisticated, and we are very rapidly. They tell us how the network
> should work. :-)

Windows NetBIOS names that you can use as a bare hostname, or do they really have a DNS domain?

>> In a simple scenario where you only care about one machine you might
>> manage by fudging things with an /etc/hosts file that you swap in and
>> out as needed (or leave in if the names are unique). Or on a Windows
>> box you might hook DNS to one LAN and WINS to the other's server.
>
> That's not really very practical. The stuff should be flip-the-switch
> automatic. In fact, I remember a utility called NetSwitcher back in the
> days of Windows 95 which did just this. It flipped around Windows
> configurations for networking so you could work in different locations.
> Cool but crude.

How hard do you think it is to rename a couple of files? Make it a batch command named for the network where it works.

>>> Remember, I'm not saying this is OpenVPN's problem, only that its
>>> configuration revealed a need to think about DNS a different way.
>>> Without VPNs, we wouldn't have this problem.
>>
>> It is a natural consequence of private addressing instead of the
>> expected hierarchical design. VPNs are just a way of working around
>> some of the issues - but you'd see the same thing if you connected up
>> with private physical circuits instead of virtual ones.
>
> Yes, but if we had a bunch of physical circuits or static virtual ones,
> we could solve the problem through negotiation over what's going to go to
> a name server, because to have a VPN up and running between two
> organizations implies a level of trust.

The real point is that both IP addressing and DNS naming are supposed to be under hierarchical control so there are no conflicts. When it's every LAN for itself you can't expect them to work together sensibly. You are also fairly likely to run into the case where, even if you did connect to both private DNS servers, you'd get IP addresses in duplicated subnet ranges and not know where to route them.

> With an open VPN, there is no trust
> implied with the local network, but still, you may need names or services
> from that local network, and there is nothing you can do to the name server on
> either side to fix this problem. It has to be fixed on the same machine
> as you run OpenVPN.

For Windows you can try using NetBIOS locally and DNS remotely, or vice versa. A hosts file should work for about anything. Not sure what happens under Windows if you have multiple DNS servers configured and the domain doesn't exist in the first one tried. I'd expect an authoritative 'does not exist' would just fail without trying other servers.

> Okay, if there's no serious proxy advice forthcoming, I'll just drop
> this. I will keep telling people there is no solution for split-horizon
> DNS under Windows.

There's no general answer because you'd need to know the private domain(s) on each side and how to reach the corresponding nameservers.

--
Les Mikesell
les...@gm...
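The "rename a couple of files" approach from the message above, worked through as an added example; this is not code from the thread or from the OpenVPN project. It assumes a hypothetical layout in which one hosts file per location is kept beside the live one, named hosts.<network> (for instance hosts.library and hosts.officevpn), and that it is run from an elevated PowerShell prompt, since the live hosts file is not writable otherwise. Before swapping, it reports any name that would resolve differently after the switch, which is exactly the "leave it in only if the names are unique" test from the quoted reply.

```powershell
# Added example, not code from this thread or from OpenVPN.
# Usage (elevated PowerShell):  .\Use-HostsFor.ps1 -Network library
# Assumed (hypothetical) layout: hosts.<network> files stored next to the
# live hosts file, e.g. hosts.library, hosts.officevpn.
param(
    [Parameter(Mandatory = $true)][string]$Network
)

$etc    = Join-Path $env:SystemRoot 'System32\drivers\etc'
$live   = Join-Path $etc 'hosts'
$wanted = Join-Path $etc "hosts.$Network"
$backup = Join-Path $etc 'hosts.previous'

if (-not (Test-Path -LiteralPath $wanted)) {
    throw "No hosts file for network '$Network' at $wanted"
}

# Parse a hosts file into a name -> address table, skipping comments and
# blank lines. The first entry for a name wins, matching the resolver.
function Read-HostsTable([string]$Path) {
    $table = @{}
    foreach ($line in (Get-Content -LiteralPath $Path)) {
        $text = ($line -split '#', 2)[0].Trim()   # drop trailing comments
        if ($text -eq '') { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }     # address with no names
        $addr = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if (-not $table.ContainsKey($name)) { $table[$name] = $addr }
        }
    }
    return $table
}

# Names present in both files with different addresses are the non-unique
# ones: they cannot simply be left in a merged file, so call them out.
$old = Read-HostsTable $live
$new = Read-HostsTable $wanted
foreach ($name in $new.Keys) {
    if ($old.ContainsKey($name) -and $old[$name] -ne $new[$name]) {
        Write-Warning "$name : $($old[$name]) -> $($new[$name])"
    }
}

Copy-Item -LiteralPath $live   -Destination $backup -Force   # keep an undo copy
Copy-Item -LiteralPath $wanted -Destination $live   -Force
ipconfig /flushdns | Out-Null   # drop cached answers so the new file takes effect
Write-Host "hosts is now hosts.$Network (previous copy saved as hosts.previous)"
```

The flush matters: the Windows DNS client caches answers, and without it names already looked up keep their old addresses until the cache entry expires. Because the hosts file is consulted before any DNS server is asked, this also sidesteps the multi-server question raised in the message above for whatever names you list in it; names not in the file still go through whatever server order the adapter is configured with.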