Split DNS / VPN Split tunnelling

Kevin Darcy kcd at daimlerchrysler.com
Wed Nov 14 04:52:08 UTC 2001


What kind of VPN software "shotguns" queries at a bunch of nameservers
simultaneously?

And why are the nameservers giving inconsistent answers?

Seems like there is some sort of architectural problem here. I haven't looked
at it too closely, but the (Nortel) VPN software we use doesn't seem to have
this problem, even though we use a split DNS architecture. I'll check it out
when I get home tonight, if I can remember...


- Kevin


laura.l.herndon at accenture.com wrote:

> We currently have a split DNS architecture where our public zone is
> different from our internal zone.  We are planning to implement VPN with
> split tunnelling, and foresee the following problem - DNS requests will be
> 'shotgunned' out both connections and both servers will respond with
> different information (especially in the case of internally accessible only
> devices in the 10.x.x.x range).
>
> As far as I can tell, DNS accepts the first response it gets back.  We're
> so far not able to view the IPSec traffic created by the VPN client, so I
> don't know if the two requests have the same request number in them.  I'd
> like to know how the resolver handles getting two different responses
> (nonexistent host from the external NS and the IP from the internal NS).
>
> Any insight would be helpful - reading the RFCs hasn't really provided any
> insight (and I suspect this is not a common situation) and we'd like to
> find a way to do this without going to a single domain model (which is
> guaranteed to cause us many, many headaches).
>
> Thanks,
> Laura
>
> Laura L. Herndon
> Accenture - CIO Technology Services - Network Services - Data Network
> Optimization
> Phone: 214-672-4048       Cellular: 214-893-5383       Numeric Pager:
> 888-352-0578
> Text Pager: 8883520578 at airmessage.net      email:
> laura.l.herndon at accenture.com
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise private information.  If you have
> received it in error, please notify the sender immediately and delete the
> original.  Any other use of the email by you is prohibited.
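The behaviour Laura asks about (the resolver keeping whichever reply arrives first, provided its transaction ID and question match the query it sent) can be shown with a small simulation. The following is an added example, not code from the thread or from any VPN or BIND product: it builds a minimal DNS query and two constructed replies for an assumed name `intranet.example.com` (one from an "internal" server returning a 10.x.x.x address, one from an "external" server returning NXDOMAIN), then feeds them to a stub-resolver-style `first_matching()` in each arrival order. The transaction ID, addresses and function names are all constructed for the example.

```python
import struct
import random

def build_query(qname, qtype=1, txid=None):
    """Build a minimal DNS query: 12-byte header plus one question (class IN)."""
    txid = random.randrange(0, 65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = qname.rstrip(".").split(".")
    qsection = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qsection + struct.pack("!HH", qtype, 1)

def build_response(query, rcode=0, answer_ip=None, txid=None):
    """Constructed reply that echoes the query's question; optional single A record.
    txid lets the example forge a reply with the wrong transaction ID."""
    qid = txid if txid is not None else struct.unpack("!H", query[:2])[0]
    question = query[12:]
    ancount = 1 if answer_ip else 0
    flags = 0x8180 | rcode                      # QR, RD, RA, plus the RCODE
    header = struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)
    rr = b""
    if answer_ip:
        # name = compression pointer to offset 12 (the question), type A, class IN,
        # TTL 300, RDLENGTH 4, then the address bytes
        rr = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
              + bytes(int(o) for o in answer_ip.split(".")))
    return header + question + rr

def parse_response(msg):
    """Extract transaction ID, RCODE and any A-record addresses from a reply."""
    txid, flags, _qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    off = 12
    while msg[off] != 0:                        # walk the QNAME labels
        off += msg[off] + 1
    off += 5                                    # root label + QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        off += 2                                # compression pointer (2 bytes)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1:
            ips.append(".".join(str(b) for b in msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "ips": ips}

def first_matching(query, responses):
    """Stub-resolver behaviour: accept the first reply whose transaction ID and
    question section match the outstanding query; everything else is dropped."""
    want_id = struct.unpack("!H", query[:2])[0]
    want_q = query[12:]
    for raw in responses:
        parsed = parse_response(raw)
        if parsed["id"] != want_id:
            continue                            # wrong ID: not ours, ignore
        if raw[12:12 + len(want_q)] != want_q:
            continue                            # question mismatch, ignore
        return parsed                           # first good match wins
    return None

# Constructed scenario: one query, two legitimate but different replies.
QUERY = build_query("intranet.example.com", txid=0x1234)
INTERNAL_REPLY = build_response(QUERY, answer_ip="10.1.2.3")   # internal view
EXTERNAL_REPLY = build_response(QUERY, rcode=3)               # NXDOMAIN from public view

def resolve_with_arrival_order(order):
    """Return what the resolver keeps when replies arrive in the given order."""
    table = {"internal": INTERNAL_REPLY, "external": EXTERNAL_REPLY}
    return first_matching(QUERY, [table[name] for name in order])

if __name__ == "__main__":
    for order in (["external", "internal"], ["internal", "external"]):
        print(order, "->", resolve_with_arrival_order(order))
```

Both replies carry the same ID and question, so nothing in the message lets the resolver prefer one over the other; whichever server answers first decides whether the client sees the 10.x.x.x address or NXDOMAIN. Only a reply with a different transaction ID is rejected. The fix therefore has to be made where the query is routed (sending internal-zone names only to the internal server), not in the resolver's response handling.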


