VPNs and DNS (was: SSH tunnel question)
Neil Joseph Schelly
neil at jenandneil.com
Fri Feb 29 11:25:21 EST 2008
On Friday 29 February 2008 10:38, Jarod Wilson wrote:
> The only
> gotcha is that if you have lan-local-dns (i.e., dns records only
> available inside your private network), you probably won't be able to
> access stuff via dns names, without some craftiness (can be done with
> some local nameserver magic though).
I'm forking the conversation to a DNS one. I'm curious what others have done
with regard to clean solutions with DNS and VPNs. I run internal-only DNS at
work. My setup is that my home servers all use my router (custom-built Linux
firewall/router/DHCP machine running BIND) to do all DNS lookups. That
machine knows to forward requests for my work zones to my work DNS servers
and it also maintains the OpenVPN connectivity into my work network (as a
router). It works, but it's not very portable to others at my company.
OpenVPN on Windows has the ability to utilize Windows' feature for DNS servers
assigned on a per-network-interface basis. Logically, having DNS server
settings specific to a connection interface doesn't make a lot of sense, but
I have to admit, it (usually) works as expected. It simplifies things for
Windows users who log into our network, since they'll (usually) just use the
work DNS servers when they log in. Our work DNS servers allow full recursive
lookups.
For Linux/Mac users, I've set up local BIND installations on those client
machines and set resolv.conf to resolve DNS from localhost. Those local
installations forward requests for the work zones to the work DNS servers
(mimicking my home setup), but they also mean that a client will always be
his own recursive nameserver. I have noticed that some public-wifi-type
networks frown on making your own DNS lookups and cause interruptions.
I've also recently played with (though I haven't deployed) the KDE VPN client
(kvpnc). I noticed that this will add DHCP-assigned DNS servers from the
OpenVPN server to the /etc/resolv.conf for the duration of the connection
(and return your original settings after disconnection). This could also be
replicated with the OpenVPN up configuration option. On the surface, this
sounds good, but then any programs running would need to be restarted,
because libc only looks at /etc/resolv.conf once per loading and won't notice
any changes unless you restart the program using it.
Perhaps someone knows a way to force all applications to reload resolv.conf?
I've never seen a good solution to that one, but I suppose something may have
changed in the last few years.
So anyway, I'm curious if others have come up with novel solutions to
assigning internal-only DNS to VPN users conveniently enough that they don't
notice.
-N
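An added example, not code from the original post or from anyone on the list: an OpenVPN up/down helper script that takes the resolver settings the server pushes (OpenVPN exports each pushed "dhcp-option DNS ..." / "dhcp-option DOMAIN ..." as the environment variables foreign_option_1, foreign_option_2, ...) and turns them into either a resolv.conf body for the life of the tunnel, or BIND forward-zone stanzas so a client running its own BIND forwards only the work zones to the work servers, which is the home-router setup described above made portable. The addresses, domain names and file paths in it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. An OpenVPN "up"/"down"
# helper that turns the resolver settings the server pushes (OpenVPN exports
# each "push 'dhcp-option DNS 10.8.0.53'" / "dhcp-option DOMAIN corp.example"
# as foreign_option_1, foreign_option_2, ...) into
#   (a) a resolv.conf body for the duration of the tunnel, and
#   (b) BIND forward-zone stanzas, so a client running its own BIND can hand
#       only the work zones to the work servers and keep recursing itself
#       for everything else.
# Addresses, domain names and file paths below are constructed for the demo.

# The VPN server (or whoever controls the network you reach it through)
# chooses these strings, and they end up inside config files: allow only the
# characters an IP address or hostname can contain, reject everything else.
is_safe_token() {
    case "$1" in
        '' | *[!A-Za-z0-9.:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one "DNS <addr>" or "DOMAIN <name>" line per usable pushed option.
# OpenVPN numbers foreign_option_N consecutively, so stop at the first unset
# one; anything that is not a well-formed dhcp-option is ignored.
collect_dhcp_options() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        i=$((i + 1))
        set -- $opt                      # split "dhcp-option DNS 10.8.0.53"
        [ $# -eq 3 ] && [ "$1" = "dhcp-option" ] || continue
        case "$2" in
            DNS | DOMAIN)
                if is_safe_token "$3"; then echo "$2 $3"; fi ;;
        esac
    done
}

# stdin: collected options. stdout: resolv.conf body, one nameserver line per
# DNS server and a single search line listing every pushed domain.
render_resolv_conf() {
    search=""
    while read -r kind value; do
        case "$kind" in
            DNS)    echo "nameserver $value" ;;
            DOMAIN) search="$search $value" ;;
        esac
    done
    if [ -n "$search" ]; then echo "search$search"; fi
}

# stdin: collected options. stdout: one named.conf stanza per pushed domain,
# forward-only to the pushed servers; the local BIND stays the resolver.
render_bind_forward_zones() {
    servers=""
    domains=""
    while read -r kind value; do
        case "$kind" in
            DNS)    servers="$servers $value;" ;;
            DOMAIN) domains="$domains $value" ;;
        esac
    done
    for d in $domains; do
        printf 'zone "%s" {\n    type forward;\n    forward only;\n    forwarders {%s };\n};\n' "$d" "$servers"
    done
}

# $1 = "up" or "down" (pass OpenVPN's $script_type), $2 = resolv.conf path,
# $3 = where to keep the pre-VPN copy. "up" saves the current file and writes
# the pushed settings atomically; "down" puts the original back.
apply_resolver() {
    mode=$1; target=$2; saved=$3
    case "$mode" in
        up)
            if [ -f "$target" ]; then cp "$target" "$saved"; fi
            collect_dhcp_options | render_resolv_conf > "$target.tmp"
            mv "$target.tmp" "$target"
            ;;
        down)
            if [ -f "$saved" ]; then mv "$saved" "$target"; fi
            ;;
        *)
            echo "apply_resolver: unknown mode '$mode'" >&2
            return 1
            ;;
    esac
}

# Stand-alone demo with constructed input: what OpenVPN would export after the
# server pushed two DNS servers, two domains and one hostile option. Writes
# only under a temporary directory; in a real "up" script you would call
#   apply_resolver "$script_type" /etc/resolv.conf /etc/resolv.conf.pre-vpn
foreign_option_1="dhcp-option DNS 10.8.0.53"
foreign_option_2="dhcp-option DNS 10.8.0.54"
foreign_option_3="dhcp-option DOMAIN corp.example"
foreign_option_4="dhcp-option DOMAIN lab.corp.example"
foreign_option_5="dhcp-option DNS 10.8.0.55};"    # would close the stanza: dropped

demo_dir=$(mktemp -d)
apply_resolver up "$demo_dir/resolv.conf" "$demo_dir/resolv.conf.pre-vpn"
cat "$demo_dir/resolv.conf"
collect_dhcp_options | render_bind_forward_zones
apply_resolver down "$demo_dir/resolv.conf" "$demo_dir/resolv.conf.pre-vpn"
rm -rf "$demo_dir"
```

To hook it in, point the client config's "up" and "down" options at the script (current OpenVPN releases also need "script-security 2" before they will run an external script). Writing resolv.conf this way still has the problem raised above, that programs which already read resolv.conf will not see the change until restarted; the BIND forward-zone output avoids that, because resolv.conf keeps pointing at localhost and only named's forwarding changes (followed by an rndc reload).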