# Policy Question: DNS resolution of VPN services

## ribx

Hi,

I have the following problem: I am connected all day to my VPN connection at work. We have several services that are not reachable through the internet directly (for security reasons).

My problem: how should I implement DNS? I can think of 3 possibilities:

1. Use the company's own DNS server over VPN.

2. Install a local solution like dnsmasq on your computer.

3a. Place all the DNS info of your private network at your DNS hoster.

3b. Redirect all DNS requests from your hoster to your public DNS server, which returns IPs of the private network of the VPN.

Currently we have solution 3b running.

Here are the problems:

1. Having a DNS server inside the VPN makes you not only dependent on VPN connectivity to browse and use the internet, but also lowers your browsing speed, as this server is not as fast as the ones provided by ISPs. That's not a solution for me.

2. That's too much work and does not work for non-Linux users (and I don't want to find a different solution for every employee).

3. Not working as expected: some DNS servers of ISPs ignore DNS answers with private IPs totally, some only sometimes (?!? I don't know why, but an nslookup fails 80% of the time with my ISP while Google always works).

Is there another solution? How do you/would you handle this?

Thank you for any hint.

-ribx

----------

## salahx

Unfortunately split tunnels do not work well with split DNS. If you have no control over the clients, there are really only 2 options: either full tunnel (and thus all Internet traffic gets routed over the VPN), which is option 1, or drop split DNS and allow all server names to be resolved over the Internet (but of course, although the names will be resolvable, they won't be reachable without the VPN), which is option 3a. Option 1 is unworkable in the presence of multiple VPNs, but option 3a means disclosing private network data on the Internet (however, DNSSEC already requires 3a anyway).

However, if servers have non-routable (RFC 1918) IPs, even 3a might not work: some DNS servers (and in particular dnsmasq, which is part of many consumer routers) refuse to resolve hosts with non-routable IPs to prevent DNS rebinding attacks.

----------

## szatox

What about using the company's DNS and a caching DNS on your own PC?

You could then route company-related traffic via VPN and send the rest directly to the internet. If the tunnel breaks, you still have your (fast) cache, and if you try to access some new address it should fail over to some other DNS server you have configured.
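As an added illustration (not code from the thread or any of its posters), the following Python models the policy a local caching forwarder such as dnsmasq applies on an employee's machine, tying together option 2 from the question, the rebind-protection point from salahx's reply and the cache-plus-failover idea above: names under the company zone go to the VPN-side resolver, everything else goes to the public resolver, positive answers are cached, and answers from the public side that carry RFC 1918 addresses are dropped. The zone name `corp.example`, the resolver addresses and the hostname data are all constructed for the example; the "upstream" queries are dictionary lookups standing in for real DNS traffic.

```python
"""Split-horizon forwarding with a cache and an RFC 1918 rebind filter.

Added example; all zones, addresses and hostnames below are constructed.
"""
import ipaddress

CORP_ZONE = "corp.example."      # constructed private zone, reachable only over the VPN
VPN_RESOLVER = "10.0.0.53"       # constructed VPN-side resolver
PUBLIC_RESOLVER = "9.9.9.9"      # stand-in for the ISP/public resolver

# The three RFC 1918 ranges. Python's ip_address.is_private is deliberately
# not used here: it also flags documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr is an IPv4 address inside one of the RFC 1918 ranges."""
    a = ipaddress.ip_address(addr)
    return a.version == 4 and any(a in net for net in RFC1918)


def canonical(name: str) -> str:
    """Lower-case, fully qualified form with a single trailing dot."""
    return name.lower().rstrip(".") + "."


def in_corp_zone(name: str) -> bool:
    """Label-boundary check: 'badcorp.example.' must not match 'corp.example.'."""
    return name == CORP_ZONE or name.endswith("." + CORP_ZONE)


# Constructed upstream data standing in for what each resolver would answer.
VPN_ZONE_DATA = {
    "wiki.corp.example.": ["10.1.2.3"],
    "git.corp.example.": ["10.1.2.4"],
}
PUBLIC_ZONE_DATA = {
    "www.example.": ["203.0.113.10"],
    "git.corp.example.": ["10.1.2.4"],   # option 3a: private address published in public DNS
}


class SplitResolver:
    def __init__(self, vpn_up: bool = True):
        self.vpn_up = vpn_up
        self.cache = {}        # name -> addresses, positive answers only
        self.rejected = []     # (name, address) pairs dropped by the rebind filter

    def _query_vpn(self, name):
        """Ask the VPN-side resolver; raises when the tunnel is down."""
        if not self.vpn_up:
            raise TimeoutError(f"{VPN_RESOLVER} unreachable")
        return list(VPN_ZONE_DATA.get(name, []))

    def _query_public(self, name):
        """Ask the public resolver and drop RFC 1918 addresses from the answer.

        This is the behaviour dnsmasq's --stop-dns-rebind option implements
        (dnsmasq can exempt chosen zones with --rebind-domain-ok).
        """
        kept = []
        for addr in PUBLIC_ZONE_DATA.get(name, []):
            if is_rfc1918(addr):
                self.rejected.append((name, addr))
            else:
                kept.append(addr)
        return kept

    def resolve(self, name: str):
        """Return (addresses, source) where source names the resolver or 'cache'."""
        name = canonical(name)
        if name in self.cache:
            return self.cache[name], "cache"
        if in_corp_zone(name):
            try:
                addrs, source = self._query_vpn(name), VPN_RESOLVER
            except TimeoutError:
                # Tunnel down: fail over to the public resolver. The rebind
                # filter still applies, so a 3a-style answer is discarded.
                addrs, source = self._query_public(name), PUBLIC_RESOLVER
        else:
            addrs, source = self._query_public(name), PUBLIC_RESOLVER
        if addrs:
            self.cache[name] = addrs
        return addrs, source


if __name__ == "__main__":
    up = SplitResolver(vpn_up=True)
    print(up.resolve("wiki.corp.example"))     # from the VPN resolver
    print(up.resolve("wiki.corp.example"))     # second lookup served from cache
    print(up.resolve("www.example"))           # public name, never touches the VPN
    down = SplitResolver(vpn_up=False)
    print(down.resolve("git.corp.example"))    # empty: the private address was filtered
    print(down.rejected)
```

Running the block with the VPN marked down shows the failure mode the question describes: the public resolver does return `10.1.2.4` for `git.corp.example`, but the rebind filter discards it and the client sees no answer, which is why publishing private addresses in public DNS (3a/3b) is unreliable regardless of which upstream the client uses.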

----------

## Hu

Use option 1 in conjunction with mount namespaces and possibly network namespaces, so that your VPN-using programs see a VPN-enabled resolv.conf and your non-VPN-using programs see a resolv.conf that uses your ISP. This requires a VPN-using program to always use the VPN-provided nameserver, but otherwise works well.
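As an added example of the mount-namespace approach (not code from the thread or its posters), the shell functions below start a single program in its own mount namespace where a VPN-specific file is bind-mounted over `/etc/resolv.conf`; every other process on the host keeps the ISP resolv.conf untouched. It uses `unshare -r -m` so that no real root privileges are needed (the user namespace grants the mount capability inside the namespace only). The VPN nameserver `10.0.0.53` and search domain `corp.example` are constructed placeholders.

```shell
#!/bin/sh
# Added example: run one program with a private /etc/resolv.conf.
# Assumptions (constructed): VPN-side resolver 10.0.0.53, zone corp.example.
# Nothing outside the namespace is modified; the bind mount disappears when
# the program exits.

# Produce the resolv.conf content a VPN-bound program should see.
make_vpn_resolv_conf() {
    # $1 = VPN nameserver, $2 = search domain
    printf 'nameserver %s\nsearch %s\noptions timeout:2 attempts:2\n' "$1" "$2"
}

# Run "$@" inside a new user + mount namespace with the VPN resolv.conf
# bind-mounted over /etc/resolv.conf. The inner shell receives the temp
# file as $1 and the command as the remaining arguments.
run_with_vpn_resolver() {
    ns="$1"; domain="$2"; shift 2
    tmp=$(mktemp) || return 1
    make_vpn_resolv_conf "$ns" "$domain" > "$tmp"
    if unshare -r -m sh -c 'mount --bind "$1" /etc/resolv.conf && shift && exec "$@"' sh "$tmp" "$@"; then
        status=0
    else
        status=$?
    fi
    rm -f "$tmp"
    return "$status"
}

# Show what a VPN-bound program sees (the host's file is unaffected).
resolv_seen_by_vpn_program() {
    run_with_vpn_resolver 10.0.0.53 corp.example cat /etc/resolv.conf
}

# Typical use: run_with_vpn_resolver 10.0.0.53 corp.example firefox
```

The same wrapper can be combined with a network namespace (`unshare -n`) holding the VPN interface so that the program's traffic, not just its name resolution, is confined to the tunnel; as Hu notes, a program started this way always uses the VPN nameserver, so public names are resolved through the company resolver for that program only.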

----------

