Hi there I just got whacked with a Win8 client running openvpn having a "where do I get my DNS answers from" issue, so I just wanted to ask what explicitly happens WRT DNS so that we all could understand the process better.
So this is what I think happens with Windows clients using openvpn tunnels from (say) a "home network" (although I'd suspect the same holds true for all VPN tech):

1. Windows computer has a single working network connection, with DNS pointers (we'll refer to them as "Internet DNS servers").
2. openvpn starts and uses the Internet DNS servers to get the IP address of the openvpn router and connects to it. The server then pushes down what the "Intranet DNS servers" for the remote site are (eg company network).
3. From now on, the Windows machine will do DNS lookups by sending *all* requests to the *Intranet* DNS servers. Only if the *Intranet* servers *don't* respond (note: "no such host" is a response) would it retry using the *Internet* DNS servers. ie when the tunnel is working, all DNS queries go over the VPN.
4. eg "intranet.company.dns" would resolve, whereas "local.home.network" would not, or would resolve to the Internet address if it exists (because the Intranet DNS servers were used), and "www.google.com" would resolve and give the same IP address regardless.
5. If the tunnel goes down, openvpn would retry connecting - possibly using the Intranet DNS servers - which would time out. So it would retry, and by then Windows would have finished tearing down the tunnel enough to mean the Internet DNS servers were now the only option - so that would work and therefore go back to "1".

Does that sum it up?

A lot of the time the problem is that what people want is for the local Internet DNS servers to be used for all DNS *except* the DNS domains pushed down via the openvpn server - but I don't think Windows supports that. Under Ubuntu (which always uses dnsmasq via 127.0.0.1 for all DNS), this is manually achievable: I have dnsmasq override files to tell dnsmasq to forward queries for "*.company.dns" to the appropriate intranet DNS servers irrespective of the state of the openvpn tunnel (ie they'll fail if it's not running, but that's OK because they'd fail anyway).

Have I got it correct?
Thanks

--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
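The dnsmasq "override file" the post describes, as an added example that is not part of the original message or of the openvpn/dnsmasq projects: a small shell helper that writes a dnsmasq drop-in forwarding only the company zone to the intranet resolvers pushed by the VPN, so every other query stays on the local Internet resolvers regardless of tunnel state. The zone name `company.dns`, the resolver addresses `10.8.0.1`/`10.8.0.2` and the drop-in path are assumed placeholders; on Ubuntu with NetworkManager-managed dnsmasq the drop-in directory is typically `/etc/NetworkManager/dnsmasq.d/`, on a stand-alone dnsmasq `/etc/dnsmasq.d/`.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a dnsmasq drop-in
# implementing "split DNS": only names under DOMAIN are forwarded to the
# intranet resolvers; dnsmasq keeps using its normal upstreams (from
# /etc/resolv.conf or address-less 'server=' lines) for everything else.
# If the VPN is down those forwards simply time out, exactly as the post
# notes, while Internet lookups are unaffected.

# write_split_dns_conf OUTFILE DOMAIN SERVER...
write_split_dns_conf() {
    outfile=$1
    domain=$2
    shift 2
    [ "$#" -ge 1 ] || { echo "need at least one intranet resolver" >&2; return 1; }
    {
        printf '# split DNS for %s: forward only this zone over the VPN\n' "$domain"
        # One 'server=/DOMAIN/ADDR' line per intranet resolver; dnsmasq tries
        # all servers listed for a domain, so a second address is a fallback.
        for srv in "$@"; do
            printf 'server=/%s/%s\n' "$domain" "$srv"
        done
    } > "$outfile"
}

# check_split_dns_conf OUTFILE
# Syntax-checks the generated file with dnsmasq's own parser when dnsmasq is
# installed ('dnsmasq --test' exits 0 on a clean config); otherwise skips.
check_split_dns_conf() {
    if command -v dnsmasq >/dev/null 2>&1; then
        dnsmasq --test --conf-file="$1"
    else
        echo "dnsmasq not installed; skipping syntax check of $1" >&2
        return 0
    fi
}

# Usage with the assumed placeholder values (drop-in path is an assumption):
#   write_split_dns_conf /etc/dnsmasq.d/company-vpn.conf company.dns 10.8.0.1 10.8.0.2
#   check_split_dns_conf /etc/dnsmasq.d/company-vpn.conf
#   then reload dnsmasq and confirm with:
#   dig @127.0.0.1 intranet.company.dns   # goes to 10.8.0.1/10.8.0.2 via the tunnel
#   dig @127.0.0.1 www.google.com         # stays on the local Internet resolvers
```

The two `dig` queries at the end are the practical check that the split is in effect: the intranet name should answer only while the tunnel is up, and the public name should answer identically whether the tunnel is up or down.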