On 15/11/14 23:10, Jan Just Keijser wrote:
> I'm not sure exactly how it works in Windows 8, but in older versions
> of Windows there's the DNS caching service which caches results. When
> an OpenVPN client connects the new DNS servers are not picked up
> immediately - sometimes a
>
> net stop dnscache
> net start dnscache
>
> is needed for Windows to pick up the new servers. I am not sure if
> this still applies to Windows 8, but IIRC the commercial OpenVPN
> client did exactly this (net stop + net start).
Actually it ended up being a red herring. Unknown to me, the openvpn server was set up to push routing 192.168/16 over the tunnel - and the Win8 host was on a 192.168 network with a 192.168 DNS server. That should never have been done - we want "split tunnel" and so we only route 10/8 over the tunnel (and yes, it would still break for people using 10.* at home - but we can live with that corner case).

Once the ccd/DEFAULT was changed to remove 192.168 and the machine reconnected, their local DNS started working again, and now what we see is as follows:

1. Windows computer has a single working network connection, with DNS pointers (we'll refer to them as "Internet DNS servers").
2. openvpn starts and uses the Internet DNS servers to get the IP addresses of the openvpn router and connects to it. The server then pushes down what the "Intranet DNS servers" for the remote site are (e.g. company network).
3. From now on, the Windows machine will do DNS lookups by sending *all* requests to *all* DNS servers. The first server to respond with an answer wins. Note that "nslookup" will only use the default DNS, whereas "ping" and applications will correctly go through both the Internet and Intranet DNS before giving up.

I used wireshark to prove this. It's really good, but it does leave the corner case that looking up the name of (say) a company website that exists on the Internet and on the intranet (with a NATed address) becomes a bit of a "flip the coin" event in regards to what value is returned. If your VPN DNS servers resolve it quicker than your Internet resolver, we'll get the 10.* address - otherwise the Internet address. That will cause confusion in some situations.

Still - it's better than I hoped for :-)

PS: yes, Win8 has a "DNS Client" service. So does Win10.

--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
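The root cause above (a pushed 192.168/16 route swallowing the client's own LAN DNS server) is easy to catch on the server side before a client ever connects. The following is an added example, not code from the thread or from OpenVPN: it parses the `push "route ..."` lines of a ccd file and reports which of the client's local hosts a pushed route would drag into the tunnel. The ccd contents and the DNS server addresses are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed ccd/DEFAULT contents. The first file carries the 192.168/16 push
# that broke local DNS in the thread; the second is the split-tunnel version
# that only routes 10/8 and pushes the intranet resolver.
CCD_DEFAULT_BAD = """\
push "route 192.168.0.0 255.255.0.0"
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DNS 10.1.1.53"
"""

CCD_DEFAULT_FIXED = """\
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DNS 10.1.1.53"
"""


def pushed_routes(ccd_text):
    """Return the IPv4 networks from every 'push "route NET MASK"' line."""
    nets = []
    for raw in ccd_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.startswith("push"):
            continue
        parts = shlex.split(line)                     # unquotes the option
        if len(parts) < 2:
            continue
        opt = parts[1].split()                        # e.g. ["route", NET, MASK]
        if len(opt) >= 3 and opt[0] == "route":
            nets.append(ipaddress.ip_network(f"{opt[1]}/{opt[2]}", strict=False))
    return nets


def hijacked_local_hosts(ccd_text, local_hosts):
    """Map each local host (e.g. the client's LAN DNS server) to the pushed
    route that would pull its traffic into the tunnel; empty dict means the
    split tunnel leaves the client's local network alone."""
    nets = pushed_routes(ccd_text)
    return {h: str(n) for h in local_hosts
            for n in nets if ipaddress.ip_address(h) in n}


if __name__ == "__main__":
    # A client whose home LAN resolver is 192.168.1.1, as in the thread.
    for name, ccd in (("bad", CCD_DEFAULT_BAD), ("fixed", CCD_DEFAULT_FIXED)):
        print(name, hijacked_local_hosts(ccd, ["192.168.1.1"]))
```

The check also shows the 10.* corner case the message accepts: a client with a 10.x home resolver is still caught by the fixed file's 10/8 push.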