Split DNS/ VPN Split tunnelling
Kevin Darcy
kcd at daimlerchrysler.com
Wed Nov 14 04:52:08 UTC 2001
What kind of VPN software "shotguns" queries at a bunch of nameservers
simultaneously?
And why are the nameservers giving inconsistent answers?
Seems like there is some sort of architectural problem here. I haven't looked
at it too closely, but the (Nortel) VPN software we use doesn't seem to have
this problem, even though we use a split DNS architecture. I'll check it out
when I get home tonight, if I can remember...
- Kevin
laura.l.herndon at accenture.com wrote:
> We currently have a split DNS architecture where our public zone is
> different from our internal zone. We are planning to implement VPN with
> split tunnelling, and foresee the following problem - DNS requests will be
> 'shotgunned' out both connections and both servers will respond with
> different information (especially in the case of internally accessible only
> devices in the 10.x.x.x range).
>
> As far as I can tell, DNS accepts the first response it gets back. We're
> so far not able to view the IPSec traffic created by the VPN client, so I
> don't know if the two requests have the same request number in them. I'd
> like to know how the resolver handles getting two different responses
> (nonexistent host from the external NS and the IP from the internal NS).
>
> Any insight would be helpful - reading the RFCs hasn't really provided any
> insight (and I suspect this is not a common situation) and we'd like to
> find a way to do this without going to a single domain model (which is
> guaranteed to cause us many, many headaches).
>
> Thanks,
> Laura
>
> Laura L. Herndon
> Accenture - CIO Technology Services - Network Services - Data Network
> Optimization
> Phone: 214-672-4048  Cellular: 214-893-5383  Numeric Pager: 888-352-0578
> Text Pager: 8883520578 at airmessage.net  email: laura.l.herndon at accenture.com
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise private information. If you have
> received it in error, please notify the sender immediately and delete the
> original. Any other use of the email by you is prohibited.
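The behaviour Laura asks about (a stub resolver taking the first reply whose transaction ID matches its query, so whichever tunnel answers faster decides whether an internal 10.x.x.x host resolves or comes back as NXDOMAIN) is easy to reproduce offline. The script below is an added illustration, not code from this thread or from any VPN or BIND product. It hand-builds RFC 1035 wire-format packets, constructs two responses for the same query (an external server saying NXDOMAIN, an internal server returning a 10.x address), and shows both the first-match-wins rule and a simple consistency check a network team could run against its own resolvers. The order of the `responses` list stands in for which server happened to answer first; the names and addresses are made up.

```python
import struct

# --- constructed DNS packets (example values, not captured traffic) ---------

def build_query(txid, name, qtype=1):
    """Build a minimal DNS query for an A record (qtype=1), class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def build_response(query, rcode, answer_ip=None):
    """Answer `query` with the same transaction ID; rcode 0 = NOERROR, 3 = NXDOMAIN."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]                      # copy the question section verbatim
    ancount = 1 if answer_ip else 0
    flags = 0x8180 | rcode                     # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    answer = b""
    if answer_ip:
        # name pointer to offset 12 (the question name), type A, class IN, TTL, rdlength 4
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) \
                 + bytes(int(o) for o in answer_ip.split("."))
    return header + question + answer

# --- parsing ------------------------------------------------------------------

def _skip_name(pkt, off):
    """Return offset just past a DNS name, handling compression pointers."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:              # two-byte compression pointer
            return off + 2
        off += length + 1

def parse_response(pkt):
    """Extract transaction ID, rcode and any A-record addresses from a response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4          # qtype + qclass
    ips = []
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "rcode": flags & 0xF, "ips": ips}

# --- the resolver rule under discussion --------------------------------------

def first_matching_response(query, responses):
    """Stub-resolver behaviour: take the first reply whose ID matches the query.

    `responses` is a list of (source_label, packet) in arrival order.
    Replies with a different transaction ID are ignored, as a resolver would.
    """
    txid = struct.unpack("!H", query[:2])[0]
    for source, pkt in responses:
        parsed = parse_response(pkt)
        if parsed["txid"] == txid:
            return source, parsed
    return None

def responses_disagree(query, responses):
    """Consistency check: do the matching replies differ in rcode or address set?"""
    txid = struct.unpack("!H", query[:2])[0]
    seen = set()
    for _, pkt in responses:
        parsed = parse_response(pkt)
        if parsed["txid"] == txid:
            seen.add((parsed["rcode"], tuple(sorted(parsed["ips"]))))
    return len(seen) > 1

if __name__ == "__main__":
    q = build_query(0x1234, "intranet.example.com")      # constructed name
    external = build_response(q, 3)                       # NXDOMAIN from public DNS
    internal = build_response(q, 0, "10.1.2.3")           # A record from internal DNS
    for order in ([("external", external), ("internal", internal)],
                  [("internal", internal), ("external", external)]):
        src, ans = first_matching_response(q, order)
        print(f"{src} answered first -> rcode {ans['rcode']}, ips {ans['ips']}")
    print("servers disagree:", responses_disagree(q, [("external", external), ("internal", internal)]))
```

Run it and the same query resolves to 10.1.2.3 in one ordering and fails with NXDOMAIN in the other, which is exactly the non-deterministic result the split-tunnel design would produce; `responses_disagree` is the kind of check worth running from a VPN-connected host against both resolvers before rolling the design out.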