On Tue, 1 Dec 2015, Randy Barlow wrote:
> This sounds overall pretty neat to me! One detail came to my mind: how would this interact with VPN DNS servers? In my experience with VPNs, it's common for them to provide a DNS server that allows internal host resolution to work. Would this local resolver be notified by NM of a new VPN connection so that it knows to use the VPN-provided DNS server for hosts on that particular domain, rather than the usual external records for that same domain?
Yes, this already works in most VPN implementations shipped with Fedora (libreswan/IPsec, vpnc/IPsec, openvpn, and probably openconnect). For IPsec, that support will be extended for IKEv2 in the future too, see https://datatracker.ietf.org/doc/draft-pauly-ipsecme-split-dns/

The running unbound DNS server will be told to "forward" certain domains to certain IPs of nameservers received during the VPN negotiation. It will remove the forward when the VPN connection goes down. And for those domains, the cache is flushed on each event too, to prevent using stale data that is only used when the VPN is up (or down).

Paul

--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
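The forward-add / forward-remove / flush sequence Paul describes, written out as a NetworkManager dispatcher script. This is an added example for illustration, not the script Fedora or the VPN plugins actually ship. It assumes (these are not stated in the thread) that NetworkManager exports the VPN's search domains and nameservers to dispatcher scripts as the space-separated variables VPN_IP4_DOMAINS and VPN_IP4_NAMESERVERS on "vpn-up", that unbound-control is usable from the script, and that the control commands forward_add, forward_remove and flush_zone behave as in unbound-control(8). The UNBOUND_CONTROL and STATE_DIR variables exist only so the logic can be exercised without a running unbound; the hostnames and addresses in the comments are made up.

```shell
#!/bin/sh
# Example NetworkManager dispatcher script (would live in
# /etc/NetworkManager/dispatcher.d/). Added illustration, not Fedora's code.
#
# vpn-up:   forward the VPN's domains to the VPN's nameservers in unbound and
#           flush those zones so cached public answers are not reused.
# vpn-down: remove the forwards recorded at vpn-up and flush again so answers
#           obtained through the VPN are not served after it is gone.
#
# Assumed environment (not confirmed by the mailing-list post):
#   $1 = interface, $2 = action, VPN_IP4_DOMAINS / VPN_IP4_NAMESERVERS set
#   by NetworkManager on vpn-up.

UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"   # overridable for testing
STATE_DIR="${STATE_DIR:-/run/unbound-vpn}"              # remembers zones per iface

# Internal zones are usually unsigned. "+i" makes unbound treat the forwarded
# zone as insecure (no DNSSEC validation required); without it lookups would
# fail validation. Set FORWARD_INSECURE=0 if the VPN's zones are signed and
# you want them validated.
FORWARD_INSECURE="${FORWARD_INSECURE:-1}"

# Normalise a domain: strip leading/trailing dot, lowercase.
norm_zone() {
    printf '%s\n' "$1" | sed -e 's/^\.//' -e 's/\.$//' | tr 'A-Z' 'a-z'
}

# vpn_dns_up <iface> "<domains>" "<nameservers>"
vpn_dns_up() {
    iface=$1; domains=$2; servers=$3
    [ -n "$domains" ] && [ -n "$servers" ] || return 0
    mkdir -p "$STATE_DIR"
    : > "$STATE_DIR/$iface"
    for d in $domains; do
        z=$(norm_zone "$d")
        [ -n "$z" ] || continue
        # $servers is intentionally unquoted: one argument per nameserver.
        if [ "$FORWARD_INSECURE" = 1 ]; then
            "$UNBOUND_CONTROL" forward_add +i "$z" $servers
        else
            "$UNBOUND_CONTROL" forward_add "$z" $servers
        fi
        "$UNBOUND_CONTROL" flush_zone "$z"
        printf '%s\n' "$z" >> "$STATE_DIR/$iface"
    done
}

# vpn_dns_down <iface>: undo exactly what vpn_dns_up recorded for this iface,
# so we do not depend on NetworkManager re-supplying the VPN variables.
vpn_dns_down() {
    iface=$1
    [ -f "$STATE_DIR/$iface" ] || return 0
    while read -r z; do
        [ -n "$z" ] || continue
        "$UNBOUND_CONTROL" forward_remove "$z"
        "$UNBOUND_CONTROL" flush_zone "$z"
    done < "$STATE_DIR/$iface"
    rm -f "$STATE_DIR/$iface"
}

case "${2:-}" in
    vpn-up)   vpn_dns_up "$1" "${VPN_IP4_DOMAINS:-}" "${VPN_IP4_NAMESERVERS:-}" ;;
    vpn-down) vpn_dns_down "$1" ;;
esac
```

Recording the zones under STATE_DIR at vpn-up is what lets the vpn-down path stay correct even if the VPN variables are not present on the way down; flushing on both transitions is the part that prevents the stale-answer problem Paul mentions (a public answer cached before the VPN came up, or an internal one cached before it went down). The "+i" flag is the security trade-off to be aware of: it switches off DNSSEC validation for exactly the forwarded zones and nothing else.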