On Tue 07 Mar 2023 at 17:17:24 (+0100), daven...@tuxfamily.org wrote:
> On 2023-03-07 05:01, David Wright wrote:
> > On Mon 06 Mar 2023 at 13:34:52 (+0100), daven...@tuxfamily.org wrote:
> > > On 2023-03-03 16:00, Max Nikulin wrote:
> > > > On 03/03/2023 13:29, Tim Woodall wrote:
> > > > > On Fri, 3 Mar 2023, Max Nikulin wrote:
> > > > > >
> > > > > > dhclient running for enp2s0f0 should detect that VPN is
> > > > > > active and to avoid overwriting DNS settings that direct
> > > > > > requests to tun0.
> > > > > >
> > > > > The hook can create and delete a file like this:
> > > > > tim@dirac:/etc/dhcp (none)$ cat dhclient-enter-hooks.d/nodnsupdate
> > > > > make_resolv_conf() {
> > > > >         :
> > > > > }
> > > >
> > > > I agree that VPN script may add and remove dhclient hook or may write
> > > > some file in /run that is read by dhclient hook. They should cooperate
> > > > in some way. In more versatile configuration domain resolution may be
> > > > per-interface. E.g. hosts from the corporate domain are resolved
> > > > through tun0, other sites through enp2s0f0.
> > >
> > > I agree about cooperation. BUT It would be much easier if everything
> > > is resolved through workplace's resolver whenever openconnect is
> > > active.
> >
> > I don't see how your workplace's resolver can resolve addresses on
> > your own LAN.
>
> Well, I meant resolving anything on the Internet + work's private
> network. Not on my LAN

Well, I used the LAN as an example because I know that your workplace
can't resolve it. I'm not party to what your workplace /can/ resolve.
So that's the example you got.

> Granted, I might want to exclude 192.168.0|1.0 from requests sent to
> workplace resolver. But I certainly
> don't want to think about each (sub)domain and whether it should/can be
> resolved by workplace or
> not

You shouldn't have to. When you connect to your workplace, it tells
openresolv what it can resolve, and openresolv retains what it knew
about resolving on /your/ network before you connected, rather than
letting it be destroyed by overwriting it. It can also reverse this
process upon disconnection. That's what this extra software is for.

Cheers,
David.
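
Added example, not part of the thread: one way to implement the cooperation suggested in the quoted text (the VPN script writes a file in /run that a dhclient hook reads), as a conditional form of the quoted nodnsupdate hook. The flag path /run/vpn-dns-owner, the hook file name, and the convention that the flag holds the tunnel interface name are assumptions.

```shell
# Hypothetical file: /etc/dhcp/dhclient-enter-hooks.d/vpn-nodnsupdate
# dhclient-script sources this file, so it stays POSIX sh and never calls exit.

# Assumed convention: the VPN connect script writes the tunnel interface
# name (e.g. "tun0") into this file; the disconnect script removes it.
VPN_FLAG="${VPN_FLAG:-/run/vpn-dns-owner}"
# Overridable only so the logic can be exercised outside a live system.
SYS_NET="${SYS_NET:-/sys/class/net}"

# Succeeds only when the flag names a network interface that exists now.
vpn_owns_dns() {
    # Require a regular file; a symlink could point the check elsewhere.
    [ -f "$VPN_FLAG" ] && [ ! -L "$VPN_FLAG" ] || return 1
    # read fails on a missing final newline but still fills the variable.
    IFS= read -r vpn_if < "$VPN_FLAG" || [ -n "$vpn_if" ] || return 1
    case "$vpn_if" in
        ''|.|..|*[!A-Za-z0-9_.-]*) return 1 ;;  # empty or path-like content
    esac
    # A stale flag (VPN client died, tunnel gone) must not freeze
    # resolv.conf on resolvers that are no longer reachable.
    [ -e "$SYS_NET/$vpn_if" ]
}

if vpn_owns_dns; then
    # Same override as the nodnsupdate hook quoted above: the DHCP lease
    # is still applied, but resolv.conf is left as the VPN set it.
    make_resolv_conf() { :; }
fi
```

Because the override is decided each time dhclient-script runs, a lease renewal after the VPN disconnects rewrites resolv.conf normally again.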