Configure separate DNS server for VPN users?


I've set up a VPN on my Windows 7 machine.

Currently the W7 box is set up to use the router as the DNS server, which is fine; however, what I would like to do is to say:

Any user who connects via VPN, use these DNS servers.

Is this possible, or would it have to be configured on each client?

K20GH

Posted 2012-09-06T22:56:10.747

Reputation: 167

Answers


I don't use Windows 7, but it's unlikely Windows 7 Home editions support that level of control. Windows Server editions can.

Here are some possible solutions if Windows can't do it:

  1. Make your router the VPN server instead, and use it to provide DNS. Most routers use Dnsmasq as the DHCP + DNS server, and it supports what you want to do. It can hand out different DNS servers during the DHCP phase, or it can forward DNS requests to different DNS servers based on LAN IP range or requested domains. If your router doesn't allow you to configure Dnsmasq's DHCP/DNS settings at such a level, you can install custom firmware (e.g. DD-WRT, Tomato) on many routers that will allow you to add raw Dnsmasq options. This is the preferred option from a networking standpoint, as the VPN server really should sit on the edge, and dnsmasq rocks.

  2. Use Dnsmasq on the router to forward DNS requests based on source IP, but leave the Windows 7 desktop as the VPN server. It's the same as #1 in terms of DNS resolution: your VPN client and your desktop will use the same DNS server (the router), but the router will forward DNS requests to different servers based on source IPs. But this will work only if VPN->LAN is either routed or bridged, not NATed by Win7; otherwise the router will see VPN clients with the same source IP as the Windows 7 desktop and can't forward DNS separately.

  3. If your router doesn't allow you to edit the dnsmasq config or support custom firmware: install DNS server software with support for multiple forwarding on your Windows 7 machine, and edit the Windows 7 machine's TCP/IP settings to point to this DNS server ONLY (i.e. localhost 127.0.0.1, or the VM's IP if running dnsmasq in a VM). Then have this DNS server software forward DNS requests to different DNS servers based on source IP.

See https://stackoverflow.com/questions/7709744/is-there-something-like-dnsmasq-for-windows for some suggestions on Windows DNS server software, or you can run a tiny Linux VM and run dnsmasq in it.

Personally I run Tomato on my router, and forward DNS requests to different DNS servers based on requested domain name. Some useful links:

list of Tomato mods: http://www.linksysinfo.org/index.php?threads/tomato-modifications.26037/

supported hardware: http://tomatousb.org/doc:build-types

Open WRT: http://openwrt.org

Gargoyle firmware: http://www.gargoyle-router.com/


EDIT:

In response to your comment that you want to "use your Win7 box without having it pushing all the DNS traffic", I think there are a few questions that need to be cleared up:

  • I could be wrong, but I think you can't assign a different DNS server to VPN clients with the Windows 7 built-in VPN server, unless there's a registry setting to do this. I tried googling it but couldn't find anything. Maybe someone else can be of more help to you.

  • If you want VPN clients to receive an off-site DNS server, they won't be able to resolve local hostnames on your network and they can only address LAN resources by IPs. How do you intend them to address LAN resources? What is your actual use case?

  • DNS traffic from VPN clients should be minimal, and it should not be the first traffic volume issue you're likely to run into. Are you sure it's only DNS traffic that's your concern, not general traffic? Are your VPN clients using the VPN connection as the default gateway so that all traffic is routed through the VPN, thus causing your problem? (I believe you want "Use remote network as default gateway" to be off in your VPN clients.)

  • It seems like you don't just want to control what DNS server the VPN clients receive, as your original question suggests, but to control how the VPN clients route their traffic (whether through the VPN or their internet connection). The VPN clients will always have the option to use your local network as a default route for all internet traffic, use your DNS for default resolution, broadcast traffic will always come in, etc. You can block any of them using a firewall, but the packets will have already come through the pipe at that point. So I'm afraid you'll have to manually configure the VPN clients properly as well, no matter what you do on the LAN side.

  • You might also want to make sure the connection order on the VPN clients is properly set to use internet connection first. See https://serverfault.com/questions/163401/change-the-order-of-dns-lookup-when-connected-in-the-vpn

Hope you'll find the solution that works for you.

goofrider

Posted 2012-09-06T22:56:10.747

Reputation: 146
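As an added example (not code from the answer or from any of the projects it links), here is a minimal source-IP policy DNS forwarder in Python along the lines of option 3: it listens on localhost, picks the upstream resolver from the client's source address, and relays the raw query unchanged so the client's transaction ID is preserved. The VPN client pool, the off-site resolver and the router address are all assumptions.

```python
import ipaddress
import socket

# Constructed policy for this example: queries arriving from the VPN client pool
# go to an off-site resolver, everything else (the LAN) keeps using the router.
# All three values are assumptions, not addresses from the original page.
VPN_POOL = ipaddress.ip_network("192.168.200.0/24")  # hypothetical VPN client range
VPN_RESOLVER = ("1.1.1.1", 53)                       # off-site DNS for VPN users
LAN_RESOLVER = ("192.168.1.1", 53)                   # the router, as the W7 box uses today


def select_upstream(src_ip: str) -> tuple:
    """Return the (host, port) upstream that a query from src_ip should be sent to."""
    if ipaddress.ip_address(src_ip) in VPN_POOL:
        return VPN_RESOLVER
    return LAN_RESOLVER


def relay_query(query: bytes, src_ip: str, timeout: float = 2.0) -> bytes:
    """Forward one raw DNS packet to the policy-chosen upstream and return its reply.

    The packet is relayed byte-for-byte, so the 16-bit transaction ID in the first
    two bytes is unchanged and the client can match the answer to its question.
    """
    upstream = select_upstream(src_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
        up.settimeout(timeout)
        up.sendto(query, upstream)
        while True:
            reply, peer = up.recvfrom(4096)
            # Accept only a reply from the chosen upstream whose transaction ID
            # matches; anything else is a stray packet and is discarded.
            if peer[0] == upstream[0] and reply[:2] == query[:2]:
                return reply


def serve(listen_ip: str = "127.0.0.1", port: int = 53) -> None:
    """Serve queries sequentially on listen_ip; keep this off any public interface."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind((listen_ip, port))
        while True:
            query, client = srv.recvfrom(4096)
            try:
                srv.sendto(relay_query(query, client[0]), client)
            except socket.timeout:
                pass  # upstream did not answer in time; the client will retry


if __name__ == "__main__":
    serve()
```

Point the Windows 7 TCP/IP settings at the listen address only, as the answer describes; VPN clients that route DNS through the box are then split by source address without the LAN's own lookups changing.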

Thanks. I actually use Windows 7 Ultimate edition, so it has the VPN functionality. The reason I only wanted VPN traffic to use a specific DNS and not the global W7 DNS was so that I can use my W7 box without the need of pushing all traffic through this DNS. Unfortunately I've only got a BT HomeHub so I can't flash it, and the only VPN functionality is so it can pass it through the router – K20GH – 2012-09-07T08:02:24.657

What I mean is that only Windows Server has a fully configurable DHCP/DNS/VPN server. There might be a hidden registry setting to do this, but I doubt it. I tried googling that but nothing turned up. Some of your requirements also seem to be in conflict; I'll extend the main answer to ask you a few more things in detail. – goofrider – 2012-09-11T20:17:02.540