On Nov 12, 2020, at 07:59, Petr Menšík <[email protected]> wrote:

> Hello DNS experts,

Hi Paul,

> I am looking for correct way to autoconfigure split DNS. By that, I mean
> something that dnssec-trigger prepares, when I connect to our enterprise
> VPN. It keeps most of queries to original connection servers provided.

That is exactly what RFC 8598 does for IKEv2/IPsec. This is supported by libreswan and supports a local unbound. For the next version of libreswan we will add support for NM, systemd-resolved, knot, resolvconf (Debian). I submitted a build for openvpn with unbound support but those changes got lost over time.

> But for special internal domains, it redirects queries on local running
> unbound server to addresses provided by VPN connection. Similar way
> behaves systemd-resolved and dnsmasq configured by Network Manager.

I don't quite understand what you are saying here?

> I think they use DHCP option 119 [1], which was originally used for
> different thing. It is already used and can be used as a hint. But its
> purpose is to search relative names. I found only explicit configuration
> for IKEv2 [2], which provides required information.

DHCP options are only useful for non-VPN connections. There has been talk about putting the RFC 8598 options into a dhcp option, but people connecting to enterprise wired/wireless don't have a split dns normally. Either you (have to) trust the network or you fully distrust it (and want dot/doh to an external party).

> Am I missing standard way to pass internal domains on VPN connections
> for different types? Is there any best practice or recommendation how to
> configure it in general?

openvpn surely has something but, as I said, patches were lost. WireGuard will invent something homegrown once they have their userland daemon (WG-dynamic). We can't really standardize openvpn/WireGuard.

> Is it so uncommon to have split horizon setup with internal connection?
> I hope I don't know just correct terminology, could you help with that?
> Is there DHCP option 119 alternative, which means list of internal
> domains without additional search hints? Is there other way to configure it?

For IETF standard VPN protocol, we have the solution, and it is implemented. I can give you a certificate for VPN.nohats.ca to test.

Note it does do fallback to re-using the list of dns domains as search domains in resolv.conf if it doesn't find a locally running dns server.

Paul

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
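As an added example (not code from this thread, libreswan or dnssec-trigger), here is the split-DNS shape Paul describes rendered for a local unbound: the VPN-provided internal domain list and internal DNS server addresses (the RFC 8598 data; the values below are constructed) become either forward-zone stanzas for unbound.conf or the equivalent unbound-control forward_add/forward_remove calls a VPN up/down script would issue, while every other name keeps resolving through the original resolvers.

```python
"""Split-DNS configuration for a local unbound from VPN-provided data.

Added example; not from the thread, libreswan or dnssec-trigger.
"""
import ipaddress


def validate_split_dns(domains, servers):
    """Normalise the internal domain list and server addresses.

    Rejects the root (which would forward *all* queries, not a split)
    and anything that is not an IP address.
    """
    cleaned = []
    for d in domains:
        name = d.strip().rstrip(".").lower()
        if not name or not all(c.isalnum() or c in "-." for c in name):
            raise ValueError(f"bad internal domain: {d!r}")
        cleaned.append(name)
    addrs = [str(ipaddress.ip_address(s.strip())) for s in servers]
    if not addrs:
        raise ValueError("no internal DNS servers supplied")
    return sorted(set(cleaned)), addrs


def unbound_forward_zones(domains, servers, insecure=True):
    """Render unbound.conf stanzas; domain-insecure keeps DNSSEC
    validation from rejecting unsigned internal zones."""
    names, addrs = validate_split_dns(domains, servers)
    out = []
    if insecure:
        out.append("server:")
        out.extend(f'    domain-insecure: "{n}"' for n in names)
    for n in names:
        out.append("forward-zone:")
        out.append(f'    name: "{n}"')
        out.extend(f"    forward-addr: {a}" for a in addrs)
    return "\n".join(out) + "\n"


def unbound_control_commands(domains, servers, insecure=True):
    """Runtime equivalent: 'forward_add +i' marks the zone insecure,
    'forward_remove' undoes it when the VPN goes down."""
    names, addrs = validate_split_dns(domains, servers)
    flag = "+i " if insecure else ""
    up = [f"unbound-control forward_add {flag}{n} {' '.join(addrs)}" for n in names]
    down = [f"unbound-control forward_remove {n}" for n in names]
    return up, down


if __name__ == "__main__":
    # Constructed sample of what a VPN might hand over (RFC 8598 style).
    print(unbound_forward_zones(["corp.example"], ["10.0.0.53", "fd00::53"]))
```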
