Query specific nameserver for a particular domain upon VPN connect

3

2

Some background: I have a work laptop with Ubuntu 9.10 on it. I have a small network at home where I've been running some basic services (for myself/my family) for some 10 years. In my home network there is a nameserver (Fedora) running Bind 9 with two "views". One view is the "outside" view and it provides name resolution (to the Internet at large) for email, a wiki, and a couple of blogs. The "inside" view provides name resolution (to the internal RFC1918 addresses of these servers) as well as all the inside hosts, network equipment, etc.

I connect with an openvpn client to my home network from outside (such as work). What I'd like to be able to do is resolve names on my internal network across this VPN (so I get the RFC1918 "inside" responses) without fully changing my resolver to the DNS server at my house.

For example, if I connect to the VPN from work, I can change my resolver (by editing resolv.conf) to the DNS server at my house (across the VPN) and then successfully resolve all of the inside DNS names on my home network. The issue I have with this is that now I'm no longer able to resolve "inside" names provided by my work's DNS servers (because I'm using my home DNS server).

Alternatively, I can connect to the VPN and access my home servers via IP addresses directly, but this is inconvenient and causes issues with Apache name-based hosting (among other things).

In the end, the effect I'm trying to achieve is as follows:

  1. When I connect to the VPN I automatically start sending DNS requests for *.myhomedomain.com to my home nameserver, but any other requests continue to go to the nameserver I was using before (the one I received on my company LAN via DHCP).

  2. When I disconnect the VPN, requests for *.myhomedomain.com go back to the local LAN DNS server (e.g. all requests are going there now).

I'm looking for suggestions as to how this can be accomplished.

MT.

Posted 2010-04-27T21:58:44.297

Reputation: 505

Answers

1

dnsmasq running locally will let you do all sorts of stupid resolver tricks. Note that someone doing stupid DNS tricks (like returning a web page on resolver failure) will interfere.

Ignacio Vazquez-Abrams

Posted 2010-04-27T21:58:44.297

Reputation: 100 516

+1 "will let you do all sorts of stupid resolver tricks" then "Note that someone doing stupid DNS tricks ... will interfere" Nice :P – Harley Watson – 2010-04-27T22:24:43.890

1 Yeah, I've used dnsmasq in the past - it can be pretty useful. In this case though it doesn't appear to help achieve my goal without adding significant complexity. I realize I could install DNS software on my laptop (such as dnsmasq or bind) and manually script out something that edits the .conf file, adds an appropriate forwarder and then kill -HUPs the process upon connecting and then does it all in reverse upon disconnecting. However this is quite elaborate for what I'm trying to do here and will also likely conflict with local name resolution while at work. Hoping for something simpler. – MT. – 2010-04-27T22:48:33.503
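As an added example (not part of the answer above or the asker's own setup), this is how the dnsmasq approach can be tied to OpenVPN's up/down hooks so that the home-domain override exists only while the tunnel is up. The domain, the home nameserver address and the file path are constructed placeholders; the script assumes dnsmasq is the laptop's local resolver, that its config contains a `servers-file=` line pointing at the file written here, and that dnsmasq's default upstreams come from its resolv-file (the DHCP-supplied work resolvers). dnsmasq re-reads a `servers-file` on SIGHUP; on a dnsmasq too old to have that option, restart the service instead.

```shell
#!/bin/sh
# Added example, not code from the question or answer: an OpenVPN --up/--down
# script that toggles a single dnsmasq "server=/domain/ip" rule.
# Constructed values; edit for the real network.
HOME_DOMAIN="myhomedomain.com"
HOME_DNS="192.168.1.53"                               # home BIND, inside view, VPN-only
SERVERS_FILE="/etc/dnsmasq.d/vpn-home.servers"        # named by servers-file= in dnsmasq.conf

# Produce the dnsmasq rule: "server=/domain/ip" sends queries for the domain
# and everything under it to ip; all other names follow dnsmasq's defaults.
render_rule() {
    printf 'server=/%s/%s\n' "$1" "$2"
}

# VPN up: write the override. VPN down: empty the file, so *.myhomedomain.com
# falls back to the default upstreams (the work LAN resolvers), which is the
# behaviour the question asks for on disconnect.
write_servers_file() {
    file="$1"; state="$2"
    if [ "$state" = up ]; then
        render_rule "$HOME_DOMAIN" "$HOME_DNS" > "$file"
    else
        : > "$file"
    fi
}

# SIGHUP makes dnsmasq re-read the servers-file and clear its cache, so
# RFC1918 inside-view answers do not outlive the VPN in the local cache.
reload_dnsmasq() {
    pkill -HUP -x dnsmasq 2>/dev/null || true
}

# OpenVPN exports script_type=up|down to --up/--down scripts; running them
# requires "script-security 2" in the client config.
case "${script_type:-}" in
    up|down)
        write_servers_file "$SERVERS_FILE" "$script_type"
        reload_dnsmasq
        ;;
esac
```

Wire it in with `up /path/to/this.sh` and `down /path/to/this.sh` in the OpenVPN client config. Because only the one `server=/domain/` line changes, the work resolvers obtained via DHCP are never touched, which is the part the asker found hard to script with a full forwarder rewrite.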

1

I realize this would probably require running a name server on your local workstation at work, and probably a lot of testing and fiddling so I don't know if it would be worth your while.

You might be able to use forwarding to accomplish what you want. You can have a name server forward all queries to one or more other name servers and you can have a name server forward queries for one or more particular zones to another name server using zones of type "forward".

So you might be able to install a name server on your workstation at work that forwards to your regular work DNS servers via a forwarders statement in the options{} section, but forwards queries for your home domain to your home DNS by having a forward zone that is specifically for your home domain. This leaves the problem of how to have *.myhomedomain.com queries go back to your local LAN DNS server after you disconnect the VPN. You might get around that by listing more than one forwarder in your forwarding zone, leaving the 1st forwarder pointing to your home DNS and the 2nd forwarder pointing to your local LAN DNS server.

Marnix A. van Ammers

Posted 2010-04-27T21:58:44.297

Reputation: 1 978

This does make sense, and is currently the only option I'm aware of. The scripting to get it working would get very involved I think. (adding/removing forwarders based on the servers assigned via dhcp as well as the vpn connection state and then restarting the nameserver to reread the config, etc). I'm really hoping there is a more straightforward way. – MT. – 2010-04-27T22:53:22.433
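As an added example (not from the answer above), here is the named.conf shape the forwarding answer describes, for a BIND instance on the work laptop: a global forwarders list for everything, and a `type forward` zone for the home domain whose forwarder list names the home server first and the work LAN resolver second. All addresses and the domain are constructed placeholders.

```conf
// Added example, not from the answer: named.conf fragment for a local BIND
// on the work laptop. Addresses are constructed placeholders.
options {
    listen-on { 127.0.0.1; };
    allow-query { 127.0.0.1; };
    recursion yes;
    // Default: anything not matched by a forward zone goes to the work LAN
    // resolvers (in practice the addresses DHCP handed out).
    forwarders { 10.10.0.10; 10.10.0.11; };
    forward only;
};

// Home domain: first forwarder is the home BIND (inside view, reachable only
// over the VPN); second is the work LAN resolver, which will return the
// outside view for these names when the VPN is down.
zone "myhomedomain.com" {
    type forward;
    forward only;
    forwarders { 192.168.1.53; 10.10.0.10; };
};
```

Two caveats a practitioner would want before relying on this: BIND does not promise to try forwarders in list order (it ranks them by measured response time), so with the VPN down the unreachable home address stays in the list and can add timeout latency to each lookup; and answers already cached from the inside view persist until their TTL expires after disconnect, so an `rndc flush` in the VPN down hook keeps RFC1918 addresses from lingering.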