Split DNS/ VPN Split tunnelling

Tim Maestas tmaestas at dnsconsultants.com
Wed Nov 14 05:58:21 UTC 2001

	I haven't heard of this behaviour either.  Cisco's
	VPN solution, and definition of "split tunneling" is
	that the VPN concentrator provides the client with
	a list of secured routes, basically all the networks
	that are considered "internal", or part of the corporate
	network.  If your packets' destination address falls
	in one of the secured networks, it is sent across
	the VPN, otherwise your regular default route applies.

	The way this affects DNS depends.  The VPN concentrator
	provides a list of DNS servers for the client to use.
	The way we set it up at my company was to set up BIND
	servers that did type forward zones for all zones that
	were considered "internal" to the company.  These zones
	were forwarded in to the internal company DNS servers. Everything
	else was recursively resolved by the VPN DNS servers
	with internet root hints.  Pretty much everything in the
	company that can be accessed from the internet can also
	be accessed internally, using the internal DNS servers,
	with internally routable addresses.

-Tim

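The VPN-facing BIND resolver described above, as an added configuration sketch that is not from the original post. The zone names, internal server addresses and VPN client pool are assumed values.

```conf
// Added example, not part of the original message: named.conf for the
// resolver that the VPN concentrator hands to split-tunnel clients.
// corp.example, 10.in-addr.arpa, 10.1.1.53/10.1.2.53 and 10.200.0.0/16
// are assumed values.

acl vpn-clients { 10.200.0.0/16; };   // client pool assigned by the concentrator (assumed)

options {
    directory "/var/named";
    recursion yes;
    // only VPN clients may use this resolver
    allow-query     { vpn-clients; localhost; };
    allow-recursion { vpn-clients; localhost; };
    // no global forwarders: anything that is not an internal zone is
    // resolved from the root hints below, like any caching resolver
};

// Internet root hints for everything that is not "internal"
zone "." {
    type hint;
    file "named.root";
};

// Internal zone: queries are forwarded to the company's internal DNS servers.
// "forward only" matters: with "forward first" BIND would retry via the roots
// when the internal servers are unreachable, and the client would then get
// the public zone's answer (or NXDOMAIN) for an internal name.
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 10.1.1.53; 10.1.2.53; };
};

// Reverse lookups for internal 10.x.x.x addresses follow the same path
zone "10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.1.1.53; 10.1.2.53; };
};
```

For this to work with split tunnelling, the resolver's own address must be in the list of secured routes the concentrator pushes, otherwise the client's queries to it leave via the default route.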

On Tue, 13 Nov 2001, Kevin Darcy wrote:

> 
> What kind of VPN software "shotguns" queries at a bunch of nameservers
> simultaneously?
> 
> And why are the nameservers giving inconsistent answers?
> 
> Seems like there is some sort of architectural problem here. I haven't looked
> at it too closely, but the (Nortel) VPN software we use doesn't seem to have
> this problem, even though we use a split DNS architecture. I'll check it out
> when I get home tonight, if I can remember...
> 
> 
> - Kevin
> 
> 
> laura.l.herndon at accenture.com wrote:
> 
> > We currently have a split DNS architecture where our public zone is
> > different from our internal zone.  We are planning to implement VPN with
> > split tunnelling, and foresee the following problem - DNS requests will be
> > 'shotgunned' out both connections and both servers will respond with
> > different information (especially in the case of internally accessible only
> > devices in the 10.x.x.x range).
> >
> > As far as I can tell, DNS accepts the first response it gets back.  We're
> > so far not able to view the IPSec traffic created by the VPN client, so I
> > don't know if the two requests have the same request number in them.  I'd
> > like to know how the resolver handles getting two different responses
> > (nonexistent host from the external NS and the IP from the internal NS).
> >
> > Any insight would be helpful - reading the RFCs hasn't really provided any
> > insight (and I suspect this is not a common situation) and we'd like to
> > find a way to do this without going to a single domain model (which is
> > guaranteed to cause us many, many headaches).
> >
> > Thanks,
> > Laura
> >
> > Laura L. Herndon
> > Accenture - CIO Technology Services - Network Services - Data Network
> > Optimization
> > Phone: 214-672-4048       Cellular: 214-893-5383       Numeric Pager: 888-352-0578
> > Text Pager: 8883520578 at airmessage.net      email: laura.l.herndon at accenture.com
> >
> 
> 