From: Eric S. J. <es...@ha...> - 2009-08-03 20:16:21
Les Mikesell wrote:
> Windows netbios names that you can use as a bare hostname or do they
> really have a DNS domain? I've made DNS work without too much trouble
>
> How hard do you think it is to rename a couple of files? Make it a
> batch command named for the network where it works.

It's not just a couple files. Its user interface, how I control for the desktop auto edit it, how I maintain it out of way associated with a VPN invocation and make it go away and it's not. How I refresh the contents of these files with the DNS name server? How often do I refresh them especially if DNS is populated by DHCP clients? It's really not a simple problem from this perspective.

> The real point is that both IP addressing and DNS naming are supposed to
> be under hierarchical control so there are no conflicts. When it's every
> LAN for itself you can't expect them to work together sensibly. You are
> also fairly likely to run into the case where even if you did connect to
> both private DNS servers you'd be likely to get IP addresses in
> duplicated subnet ranges and not know where to route them.

And here lies the crux of the conflict. Networks and their namespace are no longer hierarchical. They are graphs. It's the future and nothing is going to change it back. Search order determines which address is returned and search order should be something the end user can modify on-the-fly either by command or arbitrary name modification.

> For windows you can try using netbios locally and dns remotely or vice
> versa. A hosts file should work for about anything. Not sure what
> happens under windows if you have multiple DNS servers configured and
> the domain doesn't exist in the first one tried. I'd expect an
> authoritative 'does not exist' would just fail without trying other
> servers.

That's exactly right. It's the nxdomain that causes the search to stop, which is why parallel requests are an interesting search strategy for returning first found/highest priority names.

> There's no general answer because you'd need to know the private
> domain(s) on each side and how to reach the corresponding nameservers.

You have the information you need. You just need to be a little more flexible in how to use it. You get the name server information via your OpenVPN DHCP request. You also have name server information from the equivalent of resolv.conf. When you have all the name servers lined up in the right order, do a parallel search on all name servers listed. If you get more than one result then you return the first in order of listing address. Yes, this is a resolver wrapper and I don't know how to do it but I believe it can be done either internally or externally through a DNS proxy.
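
The search strategy described in the message above, as an added example that is not part of the original post or of any OpenVPN code: every listed name server is queried in parallel, an NXDOMAIN from one server does not stop the search, and the answer from the earliest-listed server wins. The name servers are constructed in-memory stand-ins, and `make_server`, `resolve_parallel`, the host names and the addresses are all assumptions made for illustration.

```python
import time
from concurrent.futures import ThreadPoolExecutor

NXDOMAIN = object()  # sentinel: the server answered "no such name"

def make_server(records, delay=0.0):
    """Constructed stand-in for a name server: looks names up in a dict."""
    def query(name):
        time.sleep(delay)  # simulate network latency
        return records.get(name, NXDOMAIN)
    return query

def resolve_parallel(name, servers, timeout=1.0):
    """Query every server at once. Return (label, address) from the first
    server in listing order that has an answer, or None if none does.
    An NXDOMAIN, error or timeout from one server never ends the search."""
    if not servers:
        return None
    pool = ThreadPoolExecutor(max_workers=len(servers))
    try:
        # All queries are in flight before any result is examined.
        futures = [pool.submit(query, name) for _, query in servers]
        deadline = time.monotonic() + timeout
        for (label, _), fut in zip(servers, futures):
            remaining = max(0.0, deadline - time.monotonic())
            try:
                answer = fut.result(timeout=remaining)
            except Exception:
                continue  # timed out or failed: fall through to next server
            if answer is not NXDOMAIN:
                return label, answer  # highest-priority positive answer
        return None
    finally:
        pool.shutdown(wait=False)  # do not block on a hung server

# Constructed sample data: a local LAN server and a VPN-pushed server.
LAN = make_server({"printer": "192.168.1.20"})
VPN = make_server({"printer": "10.8.0.20", "build.corp.example": "10.8.0.5"})

if __name__ == "__main__":
    order = [("lan", LAN), ("vpn", VPN)]
    for host in ("printer", "build.corp.example", "nowhere.example"):
        print(host, "->", resolve_parallel(host, order))
```

A real wrapper or DNS proxy would replace `make_server` with actual DNS queries. Because every name is sent to every listed server, each server also sees lookups for names that belong to the other network.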