[Dnsmasq-discuss] VPN DNS prioritization

David Schnur dnschnur at gmail.com
Sat Jul 11 04:59:17 BST 2009


Thanks for your help; responses inline:

On Fri, Jul 10, 2009 at 10:04 PM, Tom Metro <tmetro+dnsmasq at gmail.com> wrote:
>
> What does "ipconfig /all" report on the Windows machine before and after
> activating the VPN?
>

I ran it with/without VPN and with/without dnsmasq.  I can attach all output
if you'd like, but here's a condensed version of dnsmasq + vpn:

Windows IP Configuration

        Host Name . . . . . . . . . . . . : myhost
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Peer-Peer
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : mysuffix

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . : mysuffix
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.2.51
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1
        DHCP Server . . . . . . . . . . . : 192.168.2.31
        DNS Servers . . . . . . . . . . . : 192.168.2.31

PPP adapter mycompany

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.??
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.1.??
        DNS Servers . . . . . . . . . . . : 192.168.1.??

Without Dnsmasq:

1.  No 'DNS Suffix Search List' entry
2.  The 'Connection-specific DNS Suffix' is empty
3.  Ethernet adapter 'DHCP Server' is 192.168.2.1
4.  Ethernet adapter 'DNS Servers' lists the two OpenDNS servers

Aside from that they're identical.  When the VPN is disconnected (with or
without dnsmasq), the PPP adapter section disappears; the rest remains the
same.


> Are you sure the private server doesn't resolve the public addresses? If
> so, that would suggest things are somewhat broken for the people within
> company.com's LAN, if they're using the same private server.
>

Sorry, you're right; I was mistaken about that.  I must have made a mistake
or typo when trying that.


> Your hack #2 worked because you made the public server unreachable, though
> I'm not entirely clear on how you did that, as you seemed to imply there was a
> DNS lookup for the DNS server itself, which is usually something that
> doesn't happen. (Post your relevant Dnsmasq config lines.)


There's a setting (set by default) on VPN connections in Windows where,
according to its label text, if Windows tries to resolve an address using
local DNS, and that fails, it tries again with the VPN DNS.  That setting
didn't come into play before, since the VPN DNS was used first.

Once the VPN DNS was no longer first, it would try OpenDNS (via dnsmasq).
But OpenDNS rewrites NXDOMAIN to point to a revenue-generating website.  In
dnsmasq.conf, I added:

bogus-nxdomain=208.67.217.132

Then the failures were properly reported as such, causing Windows to retry
using the VPN DNS (or so I understand it, at least).


> Technically, if the VPN is only accessible from one machine on your LAN,
> the Dnsmasq being used by all the machines on your LAN is not the best place
> to inject your fix. You'd be better off applying some fix to the Windows box
> directly.


That is a much better idea, but I haven't yet found anything I can do
locally to mimic the old behavior.  It's mostly about one machine in
particular where it's much more convenient if the internal IP is used when
the VPN is connected, and the public IP is used when VPN is not connected.

Thanks again,

David
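An added example (not part of David's post or of dnsmasq itself) showing the two halves of the problem described above: a resolver that answers NOERROR with an A record for a name that is known not to exist has rewritten NXDOMAIN, and the IP it hands back is exactly what belongs on a dnsmasq `bogus-nxdomain=` line. The DNS messages below are constructed in code so the example runs offline; the only real value is the 208.67.217.132 address quoted in the post, and `does-not-exist.example` is a hypothetical probe name.

```python
"""Detect NXDOMAIN rewriting in a DNS response and derive the dnsmasq fix.

Added example, not code from the mailing list post or from dnsmasq.  The
queries and responses are built in-process (constructed sample data) so that
the wire-format parsing and the classification logic can be exercised offline.
"""
import struct

# Address the post reports OpenDNS returning instead of NXDOMAIN (from the page).
SAMPLE_REWRITE_IP = "208.67.217.132"


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query (QR=0, RD=1) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_response(query, rcode, a_records):
    """Construct a response to `query`: `rcode` plus A records pointing back
    at the question name via a compression pointer (0xC00C -> offset 12)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    flags = 0x8180 | rcode          # QR=1, RD=1, RA=1, low 4 bits = RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    rrs = b""
    for ip in a_records:
        rdata = bytes(int(o) for o in ip.split("."))
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, len(rdata)) + rdata
    return header + question + rrs


def parse_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:   # compression pointer: follow it once
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode())
        offset += 1 + length
    return ".".join(labels), end if jumped else offset


def parse_response(data):
    """Return (rcode, [IPv4 strings from A records in the answer section])."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0xF
    offset = 12
    for _ in range(qd):                      # skip the question section
        _name, offset = parse_name(data, offset)
        offset += 4                          # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _name, offset = parse_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:        # A record
            ips.append(".".join(str(b) for b in rdata))
    return rcode, ips


def classify(response, name_known_absent=True):
    """'nxdomain' for an honest negative answer, 'rewritten' when a resolver
    synthesises an A record for a name the caller knows does not exist,
    otherwise 'answered'."""
    rcode, ips = parse_response(response)
    if rcode == 3:
        return "nxdomain"
    if rcode == 0 and ips and name_known_absent:
        return "rewritten"
    return "answered"


def bogus_nxdomain_lines(response):
    """dnsmasq.conf lines that turn the rewritten answer back into NXDOMAIN."""
    _rcode, ips = parse_response(response)
    return ["bogus-nxdomain=" + ip for ip in sorted(set(ips))]


if __name__ == "__main__":
    q = build_query("does-not-exist.example")   # hypothetical probe name
    honest = build_response(q, 3, [])
    hijacked = build_response(q, 0, [SAMPLE_REWRITE_IP])
    print(classify(honest), classify(hijacked))
    print("\n".join(bogus_nxdomain_lines(hijacked)))
```

The probe only works because the caller knows the name cannot exist; in practice that is a random label under a domain you control, queried through the resolver under test. Once `bogus-nxdomain=` carries the rewriting resolver's address, dnsmasq converts those answers back into NXDOMAIN, which is what let Windows fall through to the VPN DNS in the post.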