Split DNS / VPN split tunnelling
Tim Maestas
tmaestas at dnsconsultants.com
Wed Nov 14 05:58:21 UTC 2001
I haven't heard of this behaviour either. Cisco's
VPN solution, and definition of "split tunneling", is
that the VPN concentrator provides the client with
a list of secured routes, basically all the networks
that are considered "internal", or part of the corporate
network. If your packet's destination address falls
in one of the secured networks, it is sent across
the VPN; otherwise your regular default route applies.
The way this affects DNS depends. The VPN concentrator
provides a list of DNS servers for the client to use.
The way we set it up at my company was to set up BIND
servers that did type forward zones for all zones that
were considered "internal" to the company. These zones
were forwarded to the internal company DNS servers. Everything
else was recursively resolved by the VPN DNS servers
using internet root hints. Pretty much everything in the
company that can be accessed from the internet can also
be accessed internally, using the internal DNS servers,
with internally routable addresses.
-Tim
On Tue, 13 Nov 2001, Kevin Darcy wrote:
>
> What kind of VPN software "shotguns" queries at a bunch of nameservers
> simultaneously?
>
> And why are the nameservers giving inconsistent answers?
>
> Seems like there is some sort of architectural problem here. I haven't looked
> at it too closely, but the (Nortel) VPN software we use doesn't seem to have
> this problem, even though we use a split DNS architecture. I'll check it out
> when I get home tonight, if I can remember...
>
>
> - Kevin
>
>
> laura.l.herndon at accenture.com wrote:
>
> > We currently have a split DNS architecture where our public zone is
> > different from our internal zone. We are planning to implement VPN with
> > split tunnelling, and foresee the following problem - DNS requests will be
> > 'shotgunned' out both connections and both servers will respond with
> > different information (especially in the case of internally accessible only
> > devices in the 10.x.x.x range).
> >
> > As far as I can tell, DNS accepts the first response it gets back. We're
> > so far not able to view the IPSec traffic created by the VPN client, so I
> > don't know if the two requests have the same request number in them. I'd
> > like to know how the resolver handles getting two different responses
> > (nonexistent host from the external NS and the IP from the internal NS).
> >
> > Any insight would be helpful - reading the RFCs hasn't really provided any
> > insight (and I suspect this is not a common situation) and we'd like to
> > find a way to do this without going to a single domain model (which is
> > guaranteed to cause us many, many headaches).
> >
> > Thanks,
> > Laura
> >
> > Laura L. Herndon
> > Accenture - CIO Technology Services - Network Services - Data Network
> > Optimization
> > Phone: 214-672-4048 Cellular: 214-893-5383 Numeric Pager:
> > 888-352-0578
> > Text Pager: 8883520578 at airmessage.net email:
> > laura.l.herndon at accenture.com
> >
> > This message is for the designated recipient only and may contain
> > privileged, proprietary, or otherwise private information. If you have
> > received it in error, please notify the sender immediately and delete the
> > original. Any other use of the email by you is prohibited.
>
>
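The BIND setup Tim describes above (forward zones for the internal domains pointed at the internal company servers, everything else resolved recursively from root hints), written out as a named.conf. This is an added example and not the configuration from Tim's company or anything posted in the thread; the zone name corp.example, the forwarder addresses 10.0.0.53 and 10.0.1.53, and the VPN client pool 192.0.2.0/24 are made up for illustration.

```conf
// Added example: named.conf for the VPN-facing resolvers. Names and
// addresses are placeholders, not from the original thread.
options {
    directory "/var/named";
    recursion yes;
    // Only the VPN client address pool may query or recurse. Without
    // this the box is an open resolver on the internet.
    allow-query     { 192.0.2.0/24; 127.0.0.1; };
    allow-recursion { 192.0.2.0/24; 127.0.0.1; };
};

// Internet root hints: every name not matched by a forward zone below
// is resolved recursively from the roots, so public names get the
// public answer.
zone "." {
    type hint;
    file "named.root";
};

// Internal zone: queries for corp.example go only to the internal
// company servers, which this resolver (not the client) must be able
// to reach. "forward only" means that if both forwarders fail the
// query fails; it never falls back to resolving the public copy of
// the zone, so the client cannot get the external answer by accident.
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 10.0.0.53; 10.0.1.53; };
};

// Reverse lookups for the private address space are forwarded inside
// too, so PTR queries for 10.x.x.x do not leak to the internet.
zone "10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.0.0.53; 10.0.1.53; };
};
```

Because the concentrator hands the client this resolver as its only DNS server, there is nothing to "shotgun": one resolver is asked, and it decides per zone whether the answer comes from inside or from the public tree. The check after deploying is to compare `dig @<vpn-resolver> host.corp.example` with `dig @<public-resolver> host.corp.example` from a connected client; the first should return the 10.x address, the second the public view or NXDOMAIN. If `forward first` is used instead of `forward only`, a timeout to the internal servers silently produces the public answer, which is exactly the inconsistency the original question worries about.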