Gentoo Forums
Policy Question: DNS resolution of VPN services
Forum: Networking & Security
ribx (Apprentice)
Joined: 20 Nov 2003
Posts: 219
Location: germany

Posted: Thu Aug 21, 2014 4:30 pm    Post subject: Policy Question: DNS resolution of VPN services

Hi,

I have the following problem: I am connected to my VPN connection at work the whole day. We have several services that are not reachable directly through the internet (for security reasons).

My problem: how should I implement DNS? I can think of 3 possibilities:

1. Use the company's own DNS server over the VPN.
2. Install a local solution like dnsmasq on your computer.
3. a) Place all the DNS info of your private network at your DNS hoster.
3. b) Redirect all DNS requests from your hoster to your public DNS server, which returns IPs of the private network of the VPN.

Currently we have solution 3b running.

Here are the problems:

1. Having a DNS server inside the VPN not only makes you dependent on VPN connectivity to browse and use the internet, but also lowers your browsing speed, as this server is not as fast as the ones provided by ISPs. That's not a solution for me.
2. That's too much work and does not work for non-Linux users (and I don't want to find a different solution for every employee).
3. Not working as expected: some DNS servers of ISPs ignore DNS answers with private IPs totally, some only sometimes (?!? I don't know why, but an nslookup fails 80% of the time with my ISP, while Google always works).

Is there another solution? How do you/would you handle this?

Thank you for any hint.

-ribx
_________________
The adopt an unanswered post initiative
salahx (Guru)
Joined: 12 Mar 2005
Posts: 437

Posted: Fri Aug 22, 2014 7:31 am

Unfortunately split tunnels do not work well with split DNS. If you have no control over the clients, there are really only 2 options: either full tunnel (and thus all Internet traffic gets routed over the VPN) - which is option 1, or drop split DNS and allow all server names to be resolved over the Internet (but of course, although the names will be resolvable, they won't be reachable without the VPN) - which is option 3a. Option 1 is unworkable in the presence of multiple VPNs, but option 3a means disclosing private network data on the Internet (however, DNSSEC already requires 3a anyway).

However, if servers have non-routable (RFC 1918) IPs, even 3a might not work: some DNS servers (and in particular dnsmasq, which is part of many consumer routers) refuse to resolve hosts with non-routable IPs to prevent DNS rebinding attacks.
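As an added illustration of the rebind protection salahx describes (example code written for this thread, not dnsmasq's own source and not posted by anyone here): the script models the decision a resolver makes when rebind protection is on, and the allow-list exception that lets one trusted zone answer with private addresses. The zone name `corp.example` and the sample answers are assumptions, and the model is simplified to the three RFC 1918 ranges (dnsmasq's own list covers further non-routable ranges).

```shell
#!/bin/sh
# Added example, not from the thread or from dnsmasq: a model of the
# rebind-protection decision that makes some resolvers "ignore DNS answers
# with private IPs". Zone name and sample answers are assumed.

REBIND_OK_DOMAIN="corp.example"   # assumed: the zone allowed to answer with private IPs

# is_rfc1918 ADDR: succeed if ADDR (dotted quad) lies in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    addr=$1
    case "$addr" in
        *.*.*.*) ;;          # need a dotted quad
        *) return 1 ;;
    esac
    o1=${addr%%.*}           # first octet
    rest=${addr#*.}
    o2=${rest%%.*}           # second octet
    case "$o1" in
        10)  return 0 ;;
        172) [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 0 ;;
        192) [ "$o2" -eq 168 ] && return 0 ;;
    esac
    return 1
}

# rebind_verdict NAME ADDR: print "accept" or "drop" for an A record NAME -> ADDR.
# Public addresses always pass. Private addresses pass only when NAME is inside
# the allow-listed zone; otherwise the answer is dropped, because a public name
# resolving to a private address is what a DNS rebinding attack looks like to
# the resolver, and it cannot tell a corporate intranet host from one.
rebind_verdict() {
    name=$1; addr=$2
    if is_rfc1918 "$addr"; then
        case "$name" in
            "$REBIND_OK_DOMAIN"|*."$REBIND_OK_DOMAIN") echo accept ;;
            *) echo drop ;;
        esac
    else
        echo accept
    fi
}

# Constructed sample answers: an internal host, a public host, and a public
# name pointing into private space (the case rebind protection exists for).
for rec in "wiki.corp.example 10.8.1.20" "www.gentoo.org 198.51.100.10" "public-name.example 192.168.1.1"; do
    set -- $rec
    printf '%-22s %-16s %s\n' "$1" "$2" "$(rebind_verdict "$1" "$2")"
done
```

In dnsmasq the two halves of this decision are the `stop-dns-rebind` and `rebind-domain-ok=/corp.example/` options in dnsmasq.conf; the second is what makes a zone with private answers usable behind a protected resolver. It only helps on resolvers you configure yourself, which is why an ISP's resolver keeps dropping those answers.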
szatox (Veteran)
Joined: 27 Aug 2013
Posts: 1717

Posted: Sat Aug 23, 2014 9:01 am

What about using the company's DNS and a caching DNS on your own PC?
You could then route company-related traffic via the VPN and send the rest directly to the internet. If the tunnel breaks, you still have your (fast) cache, and if you try to access some new address it should fail over to some other DNS server you have configured.
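A concrete form of the setup szatox proposes (and of ribx's option 2), written as an added example for this thread rather than taken from any post or from the dnsmasq project: a local caching dnsmasq whose configuration forwards the company zone to the resolver reachable over the VPN, sends everything else to public resolvers in failover order, and keeps rebind protection on with an exception for the company zone. The script writes dnsmasq.conf and resolv.conf, and carries a small helper that mirrors dnsmasq's `server=/domain/` selection so the forwarding decision can be checked without starting the daemon. The zone `corp.example`, the VPN resolver 10.8.0.53, the VPN subnet 10.8.0.0/16, the placeholder ISP resolver 192.0.2.53 and the config paths are assumptions; 8.8.8.8 is Google's public resolver, which ribx mentions as working.

```shell
#!/bin/sh
# Added example, not from the thread: local caching dnsmasq with split
# forwarding, in the spirit of szatox's suggestion and ribx's option 2.
# Assumed values: zone corp.example, VPN resolver 10.8.0.53 (reachable only
# through the tunnel), VPN subnet 10.8.0.0/16, ISP resolver 192.0.2.53
# (placeholder), Google's 8.8.8.8 as the second public resolver.

CORP_ZONE="corp.example"
VPN_DNS="10.8.0.53"
VPN_REVERSE="8.10.in-addr.arpa"     # reverse zone of 10.8.0.0/16
PUBLIC_DNS="192.0.2.53 8.8.8.8"     # tried in this order (strict-order)

# write_dnsmasq_conf PATH: emit the dnsmasq configuration.
write_dnsmasq_conf() {
    public_lines=$(for ns in $PUBLIC_DNS; do echo "server=$ns"; done)
    cat > "$1" <<EOF
# Answer only this host, never the LAN
listen-address=127.0.0.1
bind-interfaces
# Cache, so a dropped tunnel does not take already-known names with it
cache-size=10000
# Upstreams come from this file, not from /etc/resolv.conf (which will point at us)
no-resolv
# Company zone and its reverse zone: only the resolver behind the VPN knows them
server=/$CORP_ZONE/$VPN_DNS
server=/$VPN_REVERSE/$VPN_DNS
# Everything else: public resolvers, in order, next one when the first fails
$public_lines
strict-order
# Rebind protection, except for the zone that legitimately answers with private IPs
stop-dns-rebind
rebind-domain-ok=/$CORP_ZONE/
EOF
}

# write_resolv_conf PATH: point the system resolver at the local dnsmasq.
# Caveat: a VPN client that rewrites /etc/resolv.conf on connect undoes this.
write_resolv_conf() {
    printf 'nameserver 127.0.0.1\nsearch %s\n' "$CORP_ZONE" > "$1"
}

# upstream_for NAME: the upstream dnsmasq would pick for NAME under the config
# above (a matching server=/domain/ entry wins, else the first general server).
upstream_for() {
    case "$1" in
        "$CORP_ZONE"|*."$CORP_ZONE")     echo "$VPN_DNS" ;;
        "$VPN_REVERSE"|*."$VPN_REVERSE") echo "$VPN_DNS" ;;
        *) set -- $PUBLIC_DNS; echo "$1" ;;
    esac
}

# Install (as root) with:  sh split-dns.sh install     (paths assumed)
if [ "${1-}" = install ]; then
    write_dnsmasq_conf /etc/dnsmasq.conf
    write_resolv_conf /etc/resolv.conf
    echo "config written; restart the resolver with: rc-service dnsmasq restart"
fi
```

With this in place a company name is answered only through the tunnel and a public name never touches the company resolver, so browsing speed does not depend on it; when the tunnel is down, cached company names still answer until their TTL expires and new public names keep working through the ISP or Google resolver. The reverse-zone line keeps PTR lookups for VPN addresses off the public resolvers as well.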
Hu (Moderator)
Joined: 06 Mar 2007
Posts: 13512

Posted: Sat Aug 23, 2014 4:06 pm

Use option 1 in conjunction with mount namespaces and possibly network namespaces, so that your VPN-using programs see a VPN-enabled resolv.conf and your non-VPN-using programs see a resolv.conf that uses your ISP. This requires a VPN-using program to always use the VPN-provided nameserver, but otherwise works well.
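Hu's mount-namespace approach in script form, added here as an example and not code from the thread: the VPN-using program is started in a private mount namespace in which /etc/resolv.conf is a bind mount of a VPN-specific file, while every other process keeps the normal /etc/resolv.conf pointing at the ISP. It assumes util-linux's unshare(1), root privileges for the mount, the VPN resolver 10.8.0.53, the zone `corp.example` and the file path /etc/resolv.conf.vpn.

```shell
#!/bin/sh
# Added example, not from the thread: per-program resolv.conf through a
# private mount namespace, as Hu suggests. Assumed: util-linux unshare(1),
# root privileges, VPN resolver 10.8.0.53, zone corp.example, file path below.

VPN_RESOLV="/etc/resolv.conf.vpn"   # assumed path

# write_resolv_conf PATH NAMESERVER [SEARCH]: write a minimal resolv.conf.
write_resolv_conf() {
    {
        [ -n "${3-}" ] && echo "search $3"
        echo "nameserver $2"
    } > "$1"
}

# resolv_nameserver PATH: first nameserver listed in PATH (used for checking).
resolv_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# with_resolv RESOLV CMD...: run CMD with RESOLV visible as its /etc/resolv.conf.
# unshare --mount gives the child its own mount table; marking / rprivate first
# stops the bind mount from propagating back into the parent namespace when the
# root mount is shared. Only CMD and its children see the substituted file.
with_resolv() {
    resolv=$1; shift
    unshare --mount sh -c '
        mount --make-rprivate / &&
        mount --bind "$0" /etc/resolv.conf &&
        exec "$@"
    ' "$resolv" "$@"
}

# Usage (as root):  sh vpn-resolv.sh ssh intranet.corp.example
if [ "$#" -gt 0 ]; then
    write_resolv_conf "$VPN_RESOLV" 10.8.0.53 corp.example
    with_resolv "$VPN_RESOLV" "$@"
fi
```

Everything started this way resolves all names, public ones included, through the VPN resolver, which is the limitation Hu notes; programs started normally are unaffected and keep the ISP resolver. A network namespace would additionally confine the program's traffic to the tunnel interface, but the resolv.conf substitution alone already needs nothing more than the bind mount.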
All times are GMT