So this is a workaround for Windows DNS "search domain" and NRPT interfering
in interesting ways - to make "search domain" work (aka "append these domains
to unqualified hostnames") the search domain + DNS server need to be
configured on the VPN interface. To make "resolve domain" work in
non-surprising ways (aka "query that nameserver for these domains *and only*
for these domains") the DNS server must not be added to the VPN interface...

In mobile environments with DNS64 and other surprises, querying "all DNS
over the normal WAN, and only corp-internal resolve-domains via VPN" is
the expected behaviour - so what we did so far (resolve-domains go to
the VPN only, everything else *goes to all DNS servers*) was surprising,
and breaks certain scenarios...
So this does:
 - if there is a search-domain
 - or if there is *no* resolve-domain
 - set the DNS on the adapter ("to be used by normal Windows DNS processing")

What is not affected by the patch is what we already have:
 - if there is a resolve-domain, set up an NRPT rule ("for this domain,
   query these nameservers [only]")
More details in https://github.com/OpenVPN/openvpn/issues/473 ...
Thanks, Selva, for testing this so quickly :-) - I have only stared at the
code, thought about the logic, and tried to make this explanatory e-mail
as clear as possible.
Your patch has been applied to the master branch.
commit f7afbc511b9d30b27d0b6bbb3ee02dfb1abea646
Author: Heiko Hund
Date: Wed Dec 10 08:29:44 2025 +0100
iservice: set adapter DNS only with search domains
Signed-off-by: Heiko Hund <[email protected]>
Acked-by: Selva Nair <[email protected]>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1429
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg34968.html
Signed-off-by: Gert Doering <[email protected]>
--
kind regards,
Gert Doering
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
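The two outcomes described in the message (adapter DNS only when a search-domain is pushed or no resolve-domain exists; an NRPT rule per resolve-domain otherwise) can be checked on the client after the tunnel is up. The script below is an added example, not code from the mailing-list post or from OpenVPN; the adapter alias and the domain lists are assumptions and must be replaced with the values your VPN configuration actually pushes.

```powershell
# Added example, not code from the mailing-list post or from OpenVPN. It inspects
# the Windows DNS client state after a VPN connection to confirm the behaviour the
# message describes. The adapter alias and the domain lists are assumptions:
# replace them with the values pushed by your VPN config.
param(
    [string]   $InterfaceAlias = 'OpenVPN TAP-Windows6',  # assumed adapter name
    [string[]] $ResolveDomains = @('corp.example'),       # assumed resolve-domains
    [string[]] $SearchDomains  = @()                      # assumed search-domains (none)
)

$problems = @()

# 1. DNS servers configured directly on the VPN adapter, i.e. the ones that
#    "normal Windows DNS processing" will query for every name.
$adapterDns = Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ErrorAction Stop |
    ForEach-Object { $_.ServerAddresses }
$suffix = (Get-DnsClient -InterfaceAlias $InterfaceAlias).ConnectionSpecificSuffix

# 2. NRPT rules: one per resolve-domain ("for this domain, query these nameservers [only]").
$nrpt = Get-DnsClientNrptRule

# The rule from the message: adapter DNS is set if there is a search-domain,
# or if there is no resolve-domain at all.
$expectAdapterDns = ($SearchDomains.Count -gt 0) -or ($ResolveDomains.Count -eq 0)

if ($expectAdapterDns -and $adapterDns.Count -eq 0) {
    $problems += "expected DNS servers on '$InterfaceAlias', found none"
}
if (-not $expectAdapterDns -and $adapterDns.Count -gt 0) {
    # With resolve-domains only, adapter DNS would make Windows send *every* query
    # to the VPN resolver as well: the surprising behaviour the patch removes.
    $problems += "'$InterfaceAlias' has DNS servers ($($adapterDns -join ', ')) but no search-domain was pushed"
}

foreach ($d in $ResolveDomains) {
    # NRPT namespaces are stored with a leading dot, e.g. ".corp.example".
    $rule = $nrpt | Where-Object { $_.Namespace -contains ".$d" }
    if (-not $rule) {
        $problems += "no NRPT rule for resolve-domain '$d'"
    } else {
        "NRPT: $($rule.Namespace -join ',') -> $($rule.NameServers -join ', ')"
    }
}

"Adapter '$InterfaceAlias': DNS servers = [$($adapterDns -join ', ')], suffix = '$suffix'"
if ($problems.Count -eq 0) {
    'DNS split configuration matches the expected post-patch behaviour.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it in an elevated PowerShell session while the tunnel is connected. A warning that the adapter carries DNS servers although only resolve-domains were pushed is the pre-patch behaviour the message calls surprising (every query, not just corp-internal ones, also reaching the VPN resolver); a missing NRPT rule means the resolve-domain will not be routed to the VPN nameserver at all.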