LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 07-26-2020, 02:39 PM   #1
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,181

access internal domains through VPN without using the internal DNS server


I'm guessing this isn't a very unusual problem sysadmins have had to deal with: a client wants to have access to an internal network and also to its internal resources, making use of DNS domains which are available only for that network, but it doesn't want to route all its internet traffic through the VPN, and it also doesn't want to use the DNS server provided by the VPN server, so that it can be as independent as possible from the VPN connection, in case there are interruptions.

In our case there's a Sophos router offering VPN through OpenVPN and Linux Desktop clients.
But the fact that it's Sophos is, let's say, a little bit less relevant. I would first like to know how people usually approach this problem. Changing /etc/hosts through scripts dynamically when a client connects to the VPN, for instance? Could that be somehow pushed by the server? Any suggestions?
 
Old 07-26-2020, 02:48 PM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 23,425

Quote:
Originally Posted by vincix View Post
I'm guessing this isn't a very unusual problem sysadmins have had to deal with: a client wants to have access to an internal network and also to its internal resources, making use of DNS domains which are available only for that network, but it doesn't want to route all its internet traffic through the VPN, and it also doesn't want to use the DNS server provided by the VPN server, so that it can be as independent as possible from the VPN connection, in case there are interruptions.

In our case there's a Sophos router offering VPN through OpenVPN and Linux Desktop clients.
But the fact that it's Sophos is, let's say, a little bit less relevant. I would first like to know how people usually approach this problem. Changing /etc/hosts through scripts dynamically when a client connects to the VPN, for instance? Could that be somehow pushed by the server? Any suggestions?
You want a split-tunnel:
https://openvpn.net/for/split-tunnel...access-server/

And if your client has an internal DNS server (likely), add these to the openvpn server.conf:
Code:
push "dhcp-option DNS <Internal DNS Address>"
push "dhcp-option DNS <External DNS Address>"
push "dhcp-option DOMAIN internaldomain.com"
Internal websites and resources get resolved first, and the local domain is advertised, along with whatever DHCP options you've got set up for your VPN.
 
Old 11-10-2020, 09:50 AM   #3
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,181

Original Poster
I've realised there's something that I don't really understand in the setup you've suggested.
I'm not sure how a request is resolved for a domain for which the internal DNS server is not authoritative. It will obviously have forwarders, so what stops it from getting the domain from the authoritative DNS server and then answering with the resolved IP (so resolving a recursive request - this is on by default in my case, for obvious reasons)?
 
Old 11-10-2020, 12:28 PM   #4
computersavvy
Member
 
Registered: Aug 2016
Posts: 728

Quote:
Originally Posted by vincix View Post
I've realised there's something that I don't really understand in the setup you've suggested.
I'm not sure how a request is resolved for a domain for which the internal DNS server is not authoritative. It will obviously have forwarders, so what stops it from getting the domain from the authoritative DNS server and then answering with the resolved IP (so resolving a recursive request - this is on by default in my case, for obvious reasons)?
As stated, if it gets the address from one server (internal) it uses that and goes no further. If that fails then it continues searching until all options (including external) are tried.

The sequence is
/etc/hosts
then DNS in the order the servers are specified. The first success ends the search.
Authoritative is not really relevant, just the successful response. One authoritative server could have 1 (or 100) secondary (non-authoritative) servers and they are searched in the order given. The first successful response ends the search.

Since your internal server probably would not be listed as a secondary server it may not get updates, but that is minor because you can give it fixed responses so it does not ask for updates from the authoritative server.

Last edited by computersavvy; 11-10-2020 at 12:40 PM.
 
Old 11-12-2020, 05:02 AM   #5
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,181

Original Poster
I wasn't myself explicit enough in my initial question, so consequently I didn't get the answer that I wanted. Having different DNS servers pushed to the clients and then sending DNS requests in that order is basically the normal behaviour of operating systems generally, I think. So that's not a big deal. What I wanted to do (and I kind of already know this is not possible without yet another self-hosted DNS server) is having only certain domains (internal) resolved by the internal DNS server (accessible through the VPN) and the other DNS server would just be the normal ISP DNS server.

The problem is that, in our case, the internal DNS server resolves domains recursively, so it's always going to give an answer, so under normal circumstances, this is the only DNS which is going to work.
And even if that weren't the case, I think the solution is a sort of compromise, because you're going to get failed requests regularly, which might waste some time. Although I remember seeing a pcap where the requests were sent to several DNS servers almost concomitantly and the first one that answered was taken into account.

Last edited by vincix; 11-12-2020 at 05:03 AM.
 
Old 11-12-2020, 09:23 AM   #6
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 23,425

Quote:
Originally Posted by vincix View Post
I wasn't myself explicit enough in my initial question, so consequently I didn't get the answer that I wanted. Having different DNS servers pushed to the clients and then sending DNS requests in that order is basically the normal behaviour of operating systems generally, I think. So that's not a big deal. What I wanted to do (and I kind of already know this is not possible without yet another self-hosted DNS server) is having only certain domains (internal) resolved by the internal DNS server (accessible through the VPN) and the other DNS server would just be the normal ISP DNS server.

The problem is that, in our case, the internal DNS server resolves domains recursively, so it's always going to give an answer, so under normal circumstances, this is the only DNS which is going to work.
And even if that weren't the case, I think the solution is a sort of compromise, because you're going to get failed requests regularly, which might waste some time. Although I remember seeing a pcap where the requests were sent to several DNS servers almost concomitantly and the first one that answered was taken into account.
This is exactly what the split-tunnel does, when set up correctly. Anything that's on the VPN 'domain' goes through the VPN; everything else goes to the external interface. Entering google.com into a browser on a device connected to that VPN shouldn't go anywhere, but the external interface. Entering internalsite.business.com will go through VPN/TUN.

If that's not the behavior you're seeing, then either the VPN server isn't allowing this to happen, or the client isn't set up correctly.
 
Old 11-12-2020, 11:01 AM   #7
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,181

Original Poster
Thanks for the new reply. It would be great if that worked. I haven't yet tested it and first I want to understand the logic of the configuration.
Code:
push "dhcp-option DNS <Internal DNS Address>"
push "dhcp-option DNS <External DNS Address>"
push "dhcp-option DOMAIN internaldomain.com"
How can the OS tell the difference between the internal and the external dns address and where is the association between domain "internaldomain.com" and the internal dns server in the code snippet? That's what I'm still finding difficult to understand. Of course, I've already read the link that you've offered, but I am still unable to infer it.

Last edited by vincix; 11-12-2020 at 11:56 AM.
 
Old 11-12-2020, 11:31 AM   #8
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 23,425

Quote:
Originally Posted by vincix View Post
Thanks for the new reply. It would be great if that worked. I haven't yet tested it and first I want to understand the logic of the configuration.
Code:
push "dhcp-option DNS <Internal DNS Address>"
push "dhcp-option DNS <External DNS Address>"
push "dhcp-option DOMAIN internaldomain.com"
How can the OS tell the difference between the internal and the external dns address and where is the association between domain "internaldomain.com" and the internal dns server in the code snippet? That's what I'm still finding difficult to understand. Of course, I've already read the link that you've offered, but I am still unable to infer it.
There's more to it than the above, but those things can sometimes get you results. What the above does is set your DNS servers to be one on your VPN network, the other external. Naturally, if you have an internal website, it's going to resolve using the internal server first...and get routed. External? It *SHOULD* use the external one, and use the public connection. Again, this depends on the VPN server setup and your further network topology. There are a LOT of tutorials on how to set up split tunneling, and unless you implement them, they obviously won't work...confused when you say "It would be great if that worked. I haven't yet tested it"....how do you know it doesn't work if you haven't tested it???

You can also add route statements (again, depending on your server config and what it enforces):
Code:
route-nopull
route 1.2.3.4
..where 1.2.3.4 is an internal network. So if you ping an internal website, shove that address in there...same with other internal sites. That gets routed over VPN, others don't. On Linux you should be able to click on the NetworkManager icon, select VPN Connections->Configure VPN->(select your VPN network)->Edit->IPv4 Settings (or IPv6, depending)->Routes->Check 'Use this connection only for resources on its network'.

You don't say what version/distro of Linux you're using, what the VPN server is running on, or what you've done/tried so far. If you want detailed explanations, the openVPN docs/website has it, and there are tutorials you can look up.
 
Old 11-12-2020, 12:05 PM   #9
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,181

Original Poster
The reason why I haven't yet tested it, is because I simply didn't understand the logic, so I wouldn't really know exactly what I should be testing for. I already have a running VPN. So let me be clear again: my client is already set up in such a way, so as not to route the rest of the traffic through the VPN. The issue that I have has nothing to do with normal routing. That works as expected.
I am talking solely about the DNS requests/traffic, that's it.

So given your latest answer, I still think this isn't possible to do (without an own DNS server running on the client-side or something to that effect), as far as I can see. If the VPN server itself pushes the DNS server (external), then that beats the purpose. I want to be using my ISP DNS server, which has nothing to do with the VPN connection. I'm not sure why you keep referring to the routing.
For example:
google.com --> DNS requests are sent to your own ISP DNS server.
yourcompany.com --> DNS requests are sent to the internal DNS server pushed by the VPN server.

I'm sorry I have to say that it doesn't really make much of a difference what version/linux distro I'm using; if we haven't got past the theoretical phase I have various possibilities. Mac OS/Ubuntu 18.04/20.04/Windows 10 with a Centos OpenVPN server or an OpenVPN server running on Sophos. It doesn't matter: if it should work in one place, then there'd be a great chance it will work somewhere else. But that's at a later stage.

Last edited by vincix; 11-12-2020 at 02:15 PM.
 
Old 11-12-2020, 02:13 PM   #10
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 23,425

Quote:
Originally Posted by vincix View Post
The reason why I haven't yet tested it, is because I simply didn't understand the logic, so I wouldn't really know exactly what I should be testing for.
You monitor the traffic to the VPN site...internal sites go through VPN, external go through your 'regular' interface. That's it.
Quote:
I already have a running VPN. So let me be clear again: my client is already set up in such a way, so as not to route the rest of the traffic through the VPN. The issue that I have has nothing to do with normal routing. That works as expected. I am talking solely about the DNS requests/traffic, that's it.
Right; that is still split-tunnel.
Quote:
So given your latest answer, I still think this isn't possible to do (without an own DNS server running on the client-side or something to that effect). If the VPN server itself pushes the DNS server (external), then that beats the purpose. I want to be using my ISP DNS server, which has nothing to do with the VPN connection. I'm not sure why you keep referring to the routing.
For example:
google.com --> DNS requests are sent to your own ISP DNS server.
yourcompany.com --> DNS requests are sent to the internal DNS server pushed by the VPN server.
Not sure what's difficult to understand; external requests go to the external DNS server. Internal goes to the INTERNAL (that is ON VPN) DNS server. That's how you route things through two different tunnels...that's what routing IS. Traffic for domain/network XXX goes through interface YYY....everything else goes to ZZZ. Unless you actually define a network route, what do you think will happen?? It all goes through the ONE INTERFACE.
Quote:
I'm sorry I have to say that it doesn't really make much difference what version/linux distro I'm using; if we haven't got past the theoretical phase I have various possibilities. Mac OS/Ubuntu 18.04/20.04/Windows 10 with a Centos OpenVPN server or an OpenVPN server running on Sophos. It doesn't matter: if it should work in one place, then there's a great chance it will work somewhere else. But that's a later stage.
Then if it's all theoretical, your answer remains "use a split tunnel VPN". Been around for YEARS and works exactly as you want, based on what you posted.

Again, very possible to do. Want to know all the details? Then read the openVPN docs. Want to make it work? Then put the correct directives/routing information into the VPN config file on your client, and off you go. HOW you do this depends ENTIRELY on what you're using, since as said you may have options in network manager, and Windows/Mac have totally different places to select such things. Or you may have to edit config files and shove options in...these things are called different things on different systems.

Not sure what you're after here; your question was answered, you were given examples, links to docs, etc., but haven't yet done anything with it. Told you that you need to put routes in for different networks and even where to do it. Not much else to say until you actually do something.

Last edited by TB0ne; 11-12-2020 at 02:38 PM.
 
Old 11-12-2020, 04:28 PM   #11
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,181

Original Poster
I am sorry, I don't mean to be disrespectful, but I still think we're talking about two different things.


split tunnel (not split dns):
As you've inferred yourself from what I said, I am already using split tunnel. So yes, *AFTER* the DNS resolution has been achieved, all public servers (google.com) are directly accessed through my normal internet connection, while all internal networks are accessed through the VPN tunnel. This is done through the routing itself, pushed by the vpn server. On the client side I can choose if I want all the traffic to be routed through the tunnel or just the traffic for the pushed routes. So the routing is great (except for the traffic to the DNS servers), it's already set up, it's exactly as I want it to be — I'm using it this way so that I don't burden the vpn server (a pretty common reason).

split dns ("what is difficult to understand" is *what* makes the decision of choosing the correct dns server according to the domain name you type in)
So routing is only layer 3. As it is, I don't think there is any way for the operating system to choose a *certain* DNS server (which is a layer 7 decision) depending on the domain name you're typing in your browser. Linux, for instance, is going to start with the first DNS server, then with the second and so on, REGARDLESS of the domain you type in your browser (the browser is obviously just a random example, but also at hand). I haven't seen any options related to that in the openvpn documentation, except for dhcp-options dns, domain or whatever, and the only documentation you were pointing to was a very broad description of what split-tunneling means (which I have read, but which says nothing specifically about the DNS). I would be happy to see any relevant documentation in that respect. I have looked it up, as you can imagine — but please don't say that despite the documentation you've given, I'm not moving forward.


So I'm not sure how you've configured your vpn services, but I am suspecting you're confusing things and you think it works in a way that it actually doesn't, but the result is eventually the same. Otherwise, I don't get it. I'm now in the silly position of having to convince you that there is no answer to my question, or not in that direction, anyway.

So a few points:
1. If your VPN server pushes the information related to your external DNS — as you've suggested — then that's already over, because it defeats the purpose. The VPN server cannot have any idea what IP the DNS server of my provider is.

2. The decision which DNS server you choose depending on the domain you're forwarding traffic to can only be made by a dns server/some kind of dns service (maybe dnsmasq or systemd-resolve can solve this issue on the client-side — only now did it cross my mind — they might have been created with that in mind too, but that's not strictly related to the openvpn configuration and you haven't mentioned that, anyway). That decision cannot be made by the browsers or whatever application. The OS is just going to use the first dns server it sees and that's that.

3. If the DNS server pushed by vpn server only works for the internal domains, then the end result would seem to be what I need - the problem is that it sends useless requests to the vpn dns server and when it sees that it doesn't know the answer (assuming it doesn't support recursive requests), then the OS is going to go on and ask the second dns server.

Just a few links on the internet where they say this cannot be done through openvpn itself only:
https://serverfault.com/questions/78...g-dns-priority
https://serverfault.com/questions/10...dns-on-openvpn
https://www.reddit.com/r/OpenVPN/com...lit_dns_setup/


Here I'm kind of finding a possible solution:
https://briantward.github.io/split-d...local-dnsmasq/
This is similar to the scenario I'm talking about. I'm not sure how much more explicit I can be, but DNS forwarding is very different from just routing, which is simple to solve.


Here another mention of how systemd-resolve could address that:
https://fedoramagazine.org/systemd-r...-to-split-dns/
(I still don't know how systemd-resolve actually works, so I might need to have a better look into that)

Last edited by vincix; 11-12-2020 at 04:33 PM.
 
Old 11-12-2020, 04:47 PM   #12
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 23,425

Ok, good luck.
 
Old 11-12-2020, 06:06 PM   #13
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,181

Original Poster
No, I get it, you've been splitting DNS just by tinkering with the openvpn configuration for YEARS, but you haven't offered any proof at all — I'm not even saying (anymore) that it's not possible — (and you're presuming that you've offered plenty of documentation - which is the internet, basically, very helpful indeed! So what's the point of forums then if everything is already on the internet?) and I suppose they've come up with systemd-resolve (which is pretty new, at least running as a daemon), because the solution was already there! - because you've been doing exactly that for YEARS.


So, for anyone who's not in the mood for half-baked answers, here is a (still half-baked, but actually specific and relevant) solution using systemd-resolve, just as a proof of concept as to how you can solve that on the client-side.

(On Ubuntu 20.04)
systemd-resolve is a stub-resolver, which means it basically just forwards DNS requests to a DNS server it's associated with. There is an interesting distinction between searching domains and routing domains (again, very useful documentation here: https://fedoramagazine.org/systemd-r...-to-split-dns/). Searching domains are basically the suffixes added to a non-fqdn, but they can be associated with a certain interface, whereas routing domains are the domains and their subdomains which also can be associated to an interface. ~ is prepended to the routing domains!

So the problem that I have with OpenVPN is that, if I use DNS automatic on my GUI openvpn client, this is what I get:

Code:
root@ubuntu1:~# resolvectl dns
Global:
Link 9 (tun0): 192.168.55.13 192.168.55.14
Link 3 (docker0):
Link 2 (enp0s5): 10.200.55.1
root@ubuntu1:~# resolvectl domain
Global:
Link 9 (tun0): ~. mycompany.local
Link 3 (docker0):
Link 2 (enp0s5): localdomain
~. is like a default route/gateway of last resort for domains. Any domain request which is not matched by other domains specified there (in my case mycompany.local, localdomain) is going to be sent on the corresponding interface (in my case tun0). Of course, I don't want to send all dns requests through the vpn tunnel, so I have to remove the association to tun0.

Code:
root@ubuntu1:~# systemd-resolve --interface=tun0 --set-domain=mycompany.local && systemd-resolve --interface=enp0s5 --set-domain=~
root@ubuntu1:~# resolvectl dns
Global:
Link 9 (tun0): 192.168.55.13 192.168.55.14
Link 3 (docker0):
Link 2 (enp0s5): 10.200.55.1
root@ubuntu1:~# resolvectl domain
Global:
Link 9 (tun0): mycompany.local
Link 3 (docker0):
Link 2 (enp0s5): ~.
tcpdump confirms that all requests for mycompany.local and its subdomains go through the tun0 DNS server, whereas the rest go through the enp0s5 interface.

I'll have to figure out how the ~ can be kept to the default internet-facing interface and how can I also tinker further with some settings on the server-side.

Last edited by vincix; 11-12-2020 at 06:22 PM.
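The per-link split that post #13 reaches by hand with resolvectl, driven from the "dhcp-option DNS"/"dhcp-option DOMAIN" lines pushed by the server as in post #2, written up as an OpenVPN client up-script. This is an added example, not code from the thread or from OpenVPN/systemd; it assumes the tunnel is run by the openvpn CLI (not NetworkManager), and the link name enp0s5 and the addresses/domain in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: OpenVPN client "up" hook that turns
# the pushed "dhcp-option DNS ..." / "dhcp-option DOMAIN ..." lines into
# per-link systemd-resolved settings.  Only the pushed domain (and its
# subdomains) is routed to the VPN resolver; every other name stays on the
# default interface's resolver, which is the split DNS the thread asks for.
# Client config (assumed):  script-security 2
#                           up /etc/openvpn/split-dns-up.sh
# OpenVPN exports pushed dhcp-options to scripts as foreign_option_1,
# foreign_option_2, ..., the tunnel device as $dev and the hook kind as
# $script_type.  DEFAULT_LINK (enp0s5) is an assumed interface name.

# Read foreign_option_N until the first unset one and print two lines:
# "DNS <server ...>" and "DOMAIN <domain ...>".
parse_foreign_options() {
    dns=''
    domains=''
    i=1
    while :; do
        eval "opt=\${foreign_option_${i}:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            'dhcp-option DNS '*)    dns="$dns ${opt#dhcp-option DNS }" ;;
            'dhcp-option DOMAIN '*) domains="$domains ${opt#dhcp-option DOMAIN }" ;;
        esac
        i=$((i + 1))
    done
    printf 'DNS%s\nDOMAIN%s\n' "$dns" "$domains"
}

# Print the resolvectl calls for tunnel link $1, servers $2, domains $3 and
# default link $4.  A plain domain on a link is both a search suffix and a
# routing domain, so resolved sends that domain and its subdomains to the
# link.  The tunnel is explicitly made a non-default DNS route and the
# default link gets "~.", so "~." never lands on the tunnel, which is what
# post #13 had to undo by hand.  Refuses to run when no DOMAIN was pushed,
# because the VPN resolver would otherwise see every query.
build_resolvectl_cmds() {
    tun="$1"; servers="$2"; domains="$3"; deflink="$4"
    [ -n "$servers" ] || { echo "no DNS pushed for $tun" >&2; return 1; }
    [ -n "$domains" ] || { echo "no DOMAIN pushed for $tun, refusing to route all DNS" >&2; return 1; }
    printf 'resolvectl dns %s%s\n' "$tun" "$servers"
    printf 'resolvectl domain %s%s\n' "$tun" "$domains"
    printf 'resolvectl default-route %s no\n' "$tun"
    printf 'resolvectl domain %s ~.\n' "$deflink"
}

# Only act when OpenVPN calls this as its up hook.
DEFAULT_LINK="${DEFAULT_LINK:-enp0s5}"
if [ "${script_type:-}" = up ]; then
    opts=$(parse_foreign_options)
    servers=$(printf '%s\n' "$opts" | sed -n 's/^DNS//p')
    domains=$(printf '%s\n' "$opts" | sed -n 's/^DOMAIN//p')
    build_resolvectl_cmds "$dev" "$servers" "$domains" "$DEFAULT_LINK" | sh -e
fi
```

After the tunnel comes up, `resolvectl domain` should show only the pushed domain on tun0 and `~.` on the default link, and the tcpdump check from the post above confirms which resolver each query reaches.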
 
Old 11-13-2020, 09:15 AM   #14
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 23,425

Quote:
Originally Posted by vincix View Post
No, I get it, you've been splitting DNS just by tinkering with the openvpn configuration for YEARS, but you haven't offered any proof at all
You are obviously not understanding what a split-tunnel is, haven't read anything about how to achieve it, or paid attention to what you've been told. And since (your words) this is "theoretical", how exactly do you expect ANYONE to give you anything concrete?

AGAIN, SOME VPN servers are going to impose their rules; some don't, and this depends on their config. You claim it should work no matter what...that is wrong. Your client can control things if the server allows. You were given the rules to do this.
Quote:
I'm not even saying (anymore) that it's not possible (and you're presuming that you've offered plenty of documentation - which is the internet, basically, very helpful indeed! So what's the point of forums then if everything is already on the internet?) and I suppose they've come up with systemd-resolve (which is pretty new, at least running as a daemon), because the solution was already there! - because you've been doing exactly that for YEARS.
Yes, I have...except I paid attention and read the OpenVPN docs. And I applied the routing rules and other things mentioned correctly to route traffic for a domain/network through VPN, while other traffic goes out the Internet connection....EXACTLY what you want. Has zero to do with systemd-resolve, and EVERYTHING to do with the openVPN config.

There is a lot of information on the Internet, but if you aren't going to bother to read it or can't understand it, there's not much else anyone can help you with.
Quote:
So, for anyone who's not in the mood for half-baked answers, here is a (still half-baked, but actually specific and relevant) solution using systemd-resolve, just as a proof of concept as to how you can solve that on the client-side.

(On Ubuntu 20.04)
systemd-resolve is a stub-resolver, which means it basically just forwards DNS requests to a DNS server it's associated with. There is an interesting distinction between searching domains and routing domains (again, very useful documentation here: https://fedoramagazine.org/systemd-r...-to-split-dns/). Searching domains are basically the suffixes added to a non-fqdn, but they can be associated with a certain interface, whereas routing domains are the domains and their subdomains which also can be associated to an interface. ~ is prepended to the routing domains!

So the problem that I have with OpenVPN is that, if I use DNS automatic on my GUI openvpn client, this is what I get:
<SNIP>
I'll have to figure out how the ~ can be kept to the default internet-facing interface and how can I also tinker further with some settings on the server-side.
Congratulations; you spent all that time being snotty and insulting to someone who was trying to help you, only to post an article that has a screen shot OF WHAT I MENTIONED BEFORE. Specifically, the "Use this connection only for resources on this network" checkbox, and the place to enter a VPN specific DNS server.

What exactly do you think would happen if you specified 8.8.8.8,8.8.4.4 on your primary connection, then your INTERNAL DNS server on your VPN connection???? And then think about what would happen if you enter an internal website...it would try the first two, THEN THE TERTIARY...which would FIND IT and open it. There is your 'split dns', right??? And letting network manager do this would route traffic ONLY for your company over the VPN....again, EXACTLY WHAT YOU ARE AFTER, and has been done since at least 2009.

Again, you aren't actually DOING anything yet, so how you manage all this depends on what you're using. Doing it from CLI is different than through network manager, and the options/boxes are in different places depending on your OS, desktop, etc. Or do you think that Mac looks the same as Windows and is the same as all the Linux GUI's???

Want better than a 'half baked' answer?? Ask more than a 'half baked' question with actual details. Should have known better than to try to help you.
 
Old 11-13-2020, 11:59 AM   #15
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,181

Original Poster
You've helped only to the extent to which I was driven to search deeper and find an answer.

I still think you don't know how DNS works (or you simply refuse to talk about it, I don't know:-)), otherwise you wouldn't ignore the core problem related to the DNS traffic and you wouldn't say that it works just through OpenVPN configuration without some additional special configuration. Previously I asked at least two network experts about this issue and they said it cannot be done (apart from the results I had found on the internet), which is paradoxically a proper answer, because they do know how networking works. One of them did suggest an intermediate local DNS server, like powerDNS. But in the meantime I've found out that systemd-resolve solves this much more elegantly because it is basically a dns-server itself, and this is how the forwarding of the DNS requests works, because initially you send all the requests to systemd-resolve, and it in turn chooses the proper real DNS server (I know I'm saying it for the fourth time maybe, but I don't know why the message doesn't get across) depending on the domain name you type in your browser or wherever. If systemd-resolve (or dnsmasq, or powerdns or unbound or whatever) doesn't fill this role, then who does in a "classical" example? I cannot believe that the OpenVPN client has such a mechanism, but I would love to be proved wrong. I believe that OpenVPN only offers the necessary information that can be used in turn by a service such as a stub resolver. That's exactly the theoretical part, the stub dns resolver, that you haven't addressed.

While I was speaking about split-DNS you were talking about the OpenVPN server pushing the external server to the client! How in the world would the OpenVPN server know what the DNS server of my provider is, for hundreds of clients maybe and for dozens of different locations/ISPs? How is that helpful or how does this show knowledge on your side? Then you insisted on the pure (non-DNS) routing part, and showed me how routes can be pushed and how you can test that with ping. Again, a very different problem!

I am not bothered by the fact that there are things you don't know, but by your presuming to know them while aggressively stating that you're helping, when you're not. Pointing to OpenVPN documentation and giving one generic link, while saying I've already been given links (several!) doesn't help. Again, that's what forums are for, to get some sort of guidance. That boils down to arrogance, as far as I'm concerned, and not much else. I obviously appreciate people helping and I even appreciate your help in the past, but this isn't the way to do it, I'm sorry to say that (unless, of course, you were trying to make me find the solution independently by using some kind of reverse psychology, which was kind of successful!)


I read again this paragraph:
Quote:
What exactly do you think would happen if you specified 8.8.8.8,8.8.4.4 on your primary connection, then your INTERNAL DNS server on your VPN connection???? And then think about what would happen if you enter an internal website...it would try the first two, THEN THE TERTIARY...which would FIND IT and open it. There is your 'split dns', right???
No, I'm sorry, this isn't split-DNS. This is crap. I'm talking about contacting the correct DNS server from the very beginning! systemd-resolve(!!!) achieves this.

A nice counter-example: how could that work properly if there's a public authoritative DNS server for mycompany.com, but I've got a solely internally available subdomain sub.mycompany.com advertised only by the internal DNS server? I'll tell you how: it wouldn't, because the authoritative public DNS server is going to say I am authoritative and there's no such subdomain for this domain. And that's a final answer. Who else are you going to trust if not the DNS server which has the zone?

Last edited by vincix; 11-13-2020 at 12:32 PM.
 