[Dnsmasq-discuss] VPN DNS prioritization

Tom Metro tmetro+dnsmasq at gmail.com
Sat Jul 11 07:24:48 BST 2009


David Schnur wrote:
> There's a setting (set by default) on VPN connections in Windows where, 
> according to its label text, if Windows tries to resolve an address 
> using local DNS, and that fails, it tries again with the VPN DNS.  That 
> setting didn't come into play before, since the VPN DNS was used first.

Ah, OK, that makes sense. It sounds like a hack that would be better 
served by having an explicit rule saying when to use which DNS server, 
but I can see how they'd implement this in an attempt to do the expected 
thing in most cases.

So the question remains, then: why did switching to Dnsmasq impact the 
order in which DNS servers are tried by this hack?


> Windows IP Configuration
>         Host Name . . . . . . . . . . . . : myhost
>         Primary Dns Suffix  . . . . . . . :
>         DNS Suffix Search List. . . . . . : mysuffix
> 
> Ethernet adapter Wireless Network Connection:
>         Connection-specific DNS Suffix  . : mysuffix
>         DNS Servers . . . . . . . . . . . : 192.168.2.31

No lease information reported? (Is this Windows XP or Vista?)


> PPP adapter mycompany
>         Connection-specific DNS Suffix  . :
>         Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
>         Dhcp Enabled. . . . . . . . . . . : No
>         IP Address. . . . . . . . . . . . : 192.168.1.??
>         Subnet Mask . . . . . . . . . . . : 255.255.255.255
>         Default Gateway . . . . . . . . . : 192.168.1.??
>         DNS Servers . . . . . . . . . . . : 192.168.1.??

Is 192.168.1.?? an attempt to obscure an internal, non-routable address?

Why isn't DHCP enabled for that connection?


> Without Dnsmasq:
> 
> 3.  Ethernet adapter 'DHCP Server' is 192.168.2.1
> 4.  Ethernet adapter 'DNS Servers' lists the two OpenDNS servers

I presume that's the address of your router, and those are the DNS 
servers it is supplying to DHCP clients, so that's as expected.


> 1.  No 'DNS Suffix Search List' entry
> 2.  The 'Connection-specific DNS Suffix' is empty
> 
> Aside from that they're identical.  When the VPN is disconnected (with 
> or without dnsmasq), the PPP adapter section disappears; the rest 
> remains the same.

Normally the suffix has little impact on DNS and only applies when 
looking up unqualified names, but so far this is the best lead. Perhaps 
when it sees any suffix specified, it moves that DNS server up in priority.

You could try statically specifying a suffix for the VPN, to put both 
connections on a level playing field, or you could try tweaking the 
Dnsmasq settings so that it doesn't supply a suffix to the client. Try 
unsetting the domain= option.


>> You'd be better off applying some fix to the Windows box directly.
> 
> That is a much better idea, but I haven't yet found anything I can do 
> locally to mimic the old behavior.

Have you tried specifying the DNS servers statically? List the VPN 
server first, then your LAN server. If the VPN server is unreachable, it 
ought to proceed to your LAN server, though that might result in a delay.

There may be DNS proxies/caches that you can run on the machine locally 
that provide better control.

  -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
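As an added illustration (not part of Tom's message, and not configuration from the dnsmasq project), here are the dnsmasq settings the advice above refers to: the domain= line that makes dnsmasq hand a DNS suffix to its DHCP clients, and two ways to stop it so the LAN adapter looks like the VPN adapter. The suffix value mysuffix is taken from the quoted ipconfig output; the empty dhcp-option form for suppressing a default option is my assumption from reading the dnsmasq man page and should be checked against the version actually in use.

```ini
# --- Before: dnsmasq supplies a DNS suffix to every DHCP client ---
# domain= is sent to clients as DHCP option 15 (domain-name). On a
# Windows client this appears as "Connection-specific DNS Suffix : mysuffix"
# on the LAN adapter, which the VPN (PPP) adapter does not have.
domain=mysuffix
# expand-hosts qualifies bare names from /etc/hosts with the domain above;
# it only does something while domain= is set.
expand-hosts

# --- After, option A: unset domain= entirely (the suggestion in the thread) ---
# With no domain= line dnsmasq sends no option 15, so the LAN adapter gets
# no suffix and both adapters are on a level playing field.
#domain=mysuffix
#expand-hosts

# --- After, option B (assumption): keep domain= for local name expansion
# but stop advertising it over DHCP. dnsmasq treats a dhcp-option given
# without a value as "do not send this option at all"; verify this against
# the man page of the dnsmasq version you run before relying on it.
domain=mysuffix
expand-hosts
dhcp-option=option:domain-name
```

After changing the file and restarting dnsmasq, renew the client's lease (ipconfig /renew on Windows) and confirm with ipconfig /all that the "Connection-specific DNS Suffix" line on the LAN adapter is now empty; if the VPN DNS ordering then changes back, the suffix was the trigger.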
