From: Jan J. K. <ja...@ni...> - 2009-08-03 21:26:31
hi Joseph,

Joseph L. Casale wrote:
>> However this depends on the remote DNS server having access to the
>> tunnel which often won't be the case since it is likely to be embedded
>> in a NAT router or in a DMZ subnet and not running the tunnel. But, I
>> don't think there is a good solution where the VPN connection is not
>> permanent and you need to alternate access between (say) a public web
>> service without VPN and private names in the same domain when the VPN is
>> up.
>>
>
> In my case the AD DNS name is private, example.local, where the company's
> external DNS name is example.com. So the client's local DNS, being provided
> by either a small router/ISP or, like my home, a BIND DNS server, will never
> answer queries to the invalid domain example.local.
>
> I also am pretty sure that the Cisco client did something specific wrt the
> DNS config that wasn't just as trivial as adding a secondary nameserver:
>
> http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htspldns.html
>

The Cisco link explains it pretty well, however: the PIX client (or Cisco IOS
box in general) includes a DNS proxying server; this DNS proxy can talk to
multiple DNS servers and can forward the queries to the appropriate server
(i.e. local, over the VPN link, over the external link, etc). LAN clients in
figure 1a in the link above don't know or care what kind of box they're
talking to: the DNS server runs on the Cisco split-horizon-aware box and takes
care of the rest.

If you were to replace a PIX *client* with an OpenVPN client appliance then
you could do exactly the same: install an open source equivalent of a DNS
proxying server, or abuse dnsmasq. The LAN clients would still query the same
DNS server and get the appropriate results back.

However, what Eric seems to be seeking is a (generic?) solution to have
*each* openvpn client use split-DNS: that would require a split-horizon-aware
DNS client for each operating system that he runs the openvpn client on.
For Linux/*BSD it would certainly be possible. For Windows? That will be a
lot harder to find, I'm afraid...

cheers,

JJK
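The split-horizon DNS proxy JJK describes above (one listener that LAN clients always talk to, which forwards each query to the resolver appropriate for the name) can be sketched in a few dozen lines. This is an added example, not code from the list post, from OpenVPN or from Cisco. It assumes a hypothetical private zone example.local whose AD DNS server sits at 10.8.0.1 on the far side of the tunnel, and a local/ISP resolver at 192.0.2.53 (a documentation address); both addresses and the listening port are assumptions. The sample query packet is constructed inline so the parsing and selection logic can be exercised offline.

```python
"""Minimal split-horizon DNS forwarder (added example, not from the OpenVPN project).

Queries whose name falls under a configured private zone (the hypothetical
example.local) go to the DNS server reachable over the VPN tunnel; every other
query goes to the normal upstream resolver. All addresses below are assumptions.
"""
import socket
import struct

# Assumed layout: AD DNS server behind the tunnel, public resolver elsewhere.
PRIVATE_ZONES = {
    "example.local.": ("10.8.0.1", 53),   # only reachable while the VPN is up (assumed)
}
DEFAULT_UPSTREAM = ("192.0.2.53", 53)      # local/ISP resolver (documentation address)


def parse_qname(packet: bytes) -> str:
    """Return the first question name of a DNS query, fully qualified and lowercased.

    Only the plain label form is accepted: a fresh query's question section
    never legitimately contains compression pointers, so those are rejected
    rather than followed.
    """
    if len(packet) < 12:
        raise ValueError("packet too short for a DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question in packet")
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in query name")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    return ".".join(labels) + "."


def select_upstream(qname: str, zones=PRIVATE_ZONES, default=DEFAULT_UPSTREAM):
    """Pick the upstream by longest matching zone suffix; fall back to the default.

    The match is label-aligned ("dc1.example.local." matches, "notexample.local."
    and "example.local.evil.com." do not), so a public name cannot be steered
    into the private resolver by embedding the private zone in its name.
    """
    best = None
    for zone, server in zones.items():
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best[0]):
                best = (zone, server)
    return best[1] if best else default


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Construct a bare A query for `name`; used here to make a sample packet."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # IN class


def forward(packet: bytes, timeout: float = 2.0) -> bytes:
    """Send the query to the chosen upstream and return its raw reply unchanged."""
    upstream = select_upstream(parse_qname(packet))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, upstream)
        reply, _ = s.recvfrom(4096)
    return reply


def serve(listen=("127.0.0.1", 5353)):
    """Accept queries from LAN clients and proxy each to the appropriate resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(listen)
        while True:
            packet, client = srv.recvfrom(4096)
            try:
                srv.sendto(forward(packet), client)
            except (ValueError, socket.timeout):
                continue  # drop malformed queries and upstream timeouts; clients retry


if __name__ == "__main__":
    serve()
```

Run it on the OpenVPN client appliance and point the LAN clients' resolver at it; because the selection is by name rather than by which server answered first, a public zone and a private zone can coexist on the same clients regardless of whether the tunnel happens to be up, which is exactly the per-client problem the post says a plain secondary nameserver cannot solve. A production deployment would add transaction ID and source port randomization on the outbound side and a stub that fails over when the tunnel is down; dnsmasq's per-domain `server=` directive does the same job as `select_upstream` here.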