0

It is suggested in this question that it's not a good idea to expose a private IP address via a public DNS entry. My question is then what's an elegant and easily maintainable way to allow multiple users on diverse platforms (Mac/Windows) connecting to a VPN to use a standard centralized address naming schema without asking them all to hack their hosts files (which really isn't an option in my case)?

Clarification: I've set up several services on the private network like Cacti and I want to let internal users access these services via http://cacti.our-domain.com so they don't have to type/remember/bookmark the private VPN-only IP addresses.

Teflon Ted
  • 500
  • 2
  • 7
  • 18
  • It's also said in that question that it's not a bad idea. I still say just stick the names in the public DNS and be done with it. – womble Oct 07 '09 at 03:19

3 Answers

2

Use DNS.

If you're concerned about public access to names that resolve to private addresses, you can either run an internal DNS server that's publicly inaccessible that forwards to a more general-purpose DNS server, or use a DNS server that will restrict access to parts you don't want people to see.

wfaulk
  • 6,828
  • 7
  • 45
  • 75
  • "...you can either run an internal DNS server that's publicly inaccessible..." - please forgive my ignorance of how VPNs and DNS work but when I connect to a PPTP VPN can/does it use a DNS server specific to that connection for requests that go down that pipe? or would I have to set up DNS entries on each client machine (which is a deal breaker)? Thanks. – Teflon Ted Oct 15 '09 at 13:20
  • It depends on the VPN client, unfortunately. Some have that feature; others don't. – wfaulk Oct 15 '09 at 14:17
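The second option wfaulk describes (one DNS server that shows different answers depending on who is asking) is usually called split-horizon DNS. The BIND 9 configuration below is an added example, not something posted in this thread; it assumes VPN clients receive addresses from 10.8.0.0/24, that the upstream resolver is 192.0.2.53, and that the zone files live under /etc/bind (all placeholders). The zone name our-domain.com comes from the question.

```conf
// /etc/bind/named.conf.local  (added example; addresses and paths are placeholders)

// Clients that are allowed to see private records and to use this server
// as a recursive resolver: the VPN client range plus the server itself.
acl "vpn-clients" { 10.8.0.0/24; 127.0.0.1; };

// Internal view: matched first, so VPN clients land here.
// It answers for the internal copy of the zone (which carries
// "cacti IN A 10.8.1.20" or similar private records) and forwards
// every other query to a general-purpose resolver.
view "internal" {
    match-clients { "vpn-clients"; };
    recursion yes;
    forwarders { 192.0.2.53; };          // placeholder upstream resolver
    zone "our-domain.com" {
        type master;
        file "/etc/bind/db.our-domain.com.internal";
    };
};

// External view: everyone else. Authoritative only, no recursion, and it
// serves a second copy of the zone that simply omits the private records,
// so the internal names and addresses never leave the VPN.
view "external" {
    match-clients { any; };
    recursion no;
    zone "our-domain.com" {
        type master;
        file "/etc/bind/db.our-domain.com.external";
    };
};
```

Two things to keep in mind with this layout: once you use views, BIND requires every zone to be declared inside a view (a zone outside any view is a configuration error), and `recursion no` in the external view is what stops the box from becoming an open resolver on its public address. Run `named-checkconf` after editing, then compare `dig @<server> cacti.our-domain.com A` from a VPN-connected client and from an outside host: the first should return the private address, the second NXDOMAIN.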
0

I'm not exactly sure what you're asking.

We have VPN and it exists on a public IP address with no specific DNS entries for it...the users have to put in the IP address in the address bar.

The internal DNS server gives them access to local resources by name w/out exposing the names to the outside world.

GregD
  • 8,713
  • 1
  • 23
  • 35
0

I just had a look at the question you posted to, and whilst it's not really abiding by any particular convention, as they said, security through obscurity is not really security.

As stated in your previous question, without setting up an internal DNS on your network (if you have an AD you already have an internal DNS, mind you), there's pretty much no way of doing it.

Just put it in your public DNS and be done with it ;)

Mark Henderson
  • 68,316
  • 31
  • 175
  • 255