[Dnsmasq-discuss] VPN DNS prioritization

Tom Metro tmetro+dnsmasq at gmail.com
Sat Jul 11 03:04:33 BST 2009

David Schnur wrote:
> Prior to setting up Dnsmasq, I had DHCP enabled on my router, set up to 
> forward DNS to OpenDNS.  Now, I'm using Dnsmasq DHCP on an OS X 10.5 
> machine...
> I also have a Windows machine that occasionally VPNs into a company 
> network.  Before Dnsmasq, Windows gave priority to the VPN DNS; now it 
> does not.  So server.company.com used to 
> resolve to the correct internal address.  Now, it resolves to the 
> OpenDNS wildcard address.
> What is different about Dnsmasq that would cause Windows to 
> change where it checks first?

I'm guessing what used to happen is that when the VPN became active, 
your DNS settings got "hijacked" and all queries - both public and 
private - were directed to the VPN supplied DNS server.

I'm not sure why that wouldn't continue to happen after switching to 
Dnsmasq as your DHCP server. What does "ipconfig /all" report on the 
Windows machine before and after activating the VPN?

> 1.  Adding a server entry for company.com in 
> dnsmasq.conf
> The problem with #1 is that there are machines in the company.com 
> domain with public addresses.  For example, 
> www.company.com does not have an entry in 
> internal DNS. 

Are you sure the private server doesn't resolve the public addresses? If 
so, that would suggest things are somewhat broken for the people within 
company.com's LAN, if they're using the same private server.

DNS resolution doesn't normally operate using a chain of lookups, where 
you keep trying until you get the name resolved. If there are multiple 
servers available, the client is only supposed to try a second one if 
the first one was not reachable. If it returns a response - even a 
response saying that the domain is unknown - that is supposed to end 
the lookup process.

Your hack #2 worked because you made the public server unreachable, 
though I'm not entirely clear on how you did that, as you seemed to imply 
there was a DNS lookup for the DNS server itself, which is usually 
something that doesn't happen. (Post your relevant Dnsmasq config lines.)

> Also, vpn.company.com no longer 
> resolves, since I'm not actually VPNed in when it needs to be resolved.

If there are only a few specific hosts that need to be resolved, you 
could add Dnsmasq server entries for them that point to a public server. 
I suspect Dnsmasq will pick the most specific matching server entry (but 
I haven't tried it).

Technically, if the VPN is only accessible from one machine on your LAN, 
the Dnsmasq being used by all the machines on your LAN is not the best 
place to inject your fix. You'd be better off applying some fix to the 
Windows box directly.


Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
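As an added illustration of the per-domain forwarding Tom suggests (this is not a config from either poster), here is a dnsmasq.conf fragment for the split-horizon case in the thread: company.com goes to the VPN-side resolver, while the public hosts that have no internal record, or that must resolve before the tunnel is up, are pinned to a public resolver. All resolver addresses are assumed placeholders except the OpenDNS ones, which are OpenDNS's published public resolvers.

```ini
# Added example, not from the original mail. Addresses below are
# placeholders unless noted; replace them with your real resolvers.

# Ignore /etc/resolv.conf and use only the servers listed here.
no-resolv

# Default upstream for anything not matched by a domain-specific
# entry below (OpenDNS public resolvers, as the original poster used).
server=208.67.222.222
server=208.67.220.220

# company.com and every subdomain go to the VPN-side resolver.
# 10.8.0.53 is an assumed placeholder reachable only while the
# tunnel is up.
server=/company.com/10.8.0.53

# dnsmasq gives the most specific domain match precedence, so these
# two entries override the company.com line for exactly the names
# that live only in public DNS or are needed before the VPN is up.
server=/www.company.com/208.67.222.222
server=/vpn.company.com/208.67.222.222

# Do not forward dot-less names (e.g. "server") upstream, and answer
# reverse lookups for private ranges locally, so LAN-internal names
# and addresses are never sent to the public resolver.
domain-needed
bogus-priv
```

The precedence rule Tom suspected is documented dnsmasq behaviour: a longer domain suffix wins over a shorter one, so www.company.com and vpn.company.com are answered by the public resolver while everything else under company.com is forwarded to 10.8.0.53. The caveat follows from the point earlier in the thread that DNS is not a chain of lookups: when the VPN is down, queries for other company.com names are sent only to the unreachable VPN resolver and simply fail; dnsmasq will not fall through to the public servers for them. That is the intended outcome for internal names, but it means every public host under company.com that the LAN needs has to be listed explicitly. After a change, verify with dig from a LAN client (for example dig @<dnsmasq-address> www.company.com and dig @<dnsmasq-address> intranet.company.com) and compare the answers with and without the tunnel up.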
