How to use two different private DNS servers (one behind a VPN)

4

Consider the following scenario:

I am connected to a local area network with its own private DNS server (call it lan-dns). This DNS server is used to resolve the names of some private hosts on the LAN. Any other DNS requests are forwarded to a DNS server on the Internet.

I want to connect to another remote LAN via a VPN. The remote LAN also has a private DNS server (named vpn-dns for arguments sake) which is needed to resolve the names of the private hosts on the remote network.

When not connected to the VPN I will be able to access the hosts on my LAN by their names. However when I am connected to the VPN then, since the DNS of the remote network overrides that on my local network, I will not be able to access the hosts on my local network.

Whilst connected to the VPN if I force my DNS server back to lan-dns then I won't be able to resolve the names of hosts on the remote network.

What is the simplest way to resolve this problem? Is it even possible?

This scenario must be becoming more and more common, yet there doesn't seem to be an elegant solution that I can find.

FixMaker

Posted 2013-05-01T15:00:29.797

Reputation: 161

It depends on what the server admin allows you to do... a VPN would not be as secure if it allowed clients to talk to people not in the VPN club with them – Canadian Luke – 2013-05-01T15:03:35.067

What OS are you running? Does the machine you're using as a VPN client travel with you, or is it always on the LAN where lan-dns acts as a resolver? – Aaron Miller – 2013-05-01T15:09:42.017

@AaronMiller - the OS could be Windows or Linux. For the moment, it's safe to assume that the VPN client machine will always be attached to the local network; would it make a difference if it wasn't? – FixMaker – 2013-05-01T15:14:50.867

How you would go about doing this depends on how the VPN connection is made. What type of connection is the VPN using? Why don't you just use a hosts file for this? – Ramhound – 2013-05-01T15:18:18.737

@Ramhound - The connection is made via OpenVPN. I can't use a static hosts file as there will actually be multiple VPN clients and I don't want to have to maintain a file on each individual client. – FixMaker – 2013-05-01T15:21:16.077

@Lorax - It should be possible to simply configure the network connection to always use the VPN DNS server. The fact that the nameserver would be invalid wouldn't matter provided the domains selected are not valid domain extensions; for example, "dog.puppy" cannot be a valid domain unless a DNS server says it is. – Ramhound – 2013-05-01T15:30:00.843

What are the domains involved? It may be possible to solve this with zone delegation or zone transfers. – Nevin Williams – 2013-05-01T18:01:09.637

Answers

4

On the IP level, what you are looking for is called Split Tunneling, and it is configured from the client (at least in non-managed scenarios). It allows requests to local LAN addresses to use your local (logical) network, and requests to remote LAN addresses pass through the VPN tunnel. If split tunneling is not enabled, the host connected to the VPN will not be able to communicate with other machines in the local LAN's IP range at all, so it's more than just a DNS resolution issue. With split tunneling enabled, if you will be accessing the Intranet, your default route must point to a gateway on the local LAN, or there will be ambiguity as to which network to use.

The issue here, however, is DNS. Windows (and Linux as well) tie the DNS server configuration to the local interface, not to the individual routable connections, meaning that you will only ever be able to use one DNS server at a time and cannot select one conditionally based on destination address. Try looking at running dnsmasq on the VPN'ing PC as described here: http://blog.nixpanic.net/2013/03/use-dnsmasq-for-separating-dns-queries.html

Frank Thomas

Posted 2013-05-01T15:00:29.797

Reputation: 29 039

Sorry, this is like 2 years late, but you can't. Like I said, DNS is per interface, and is not dynamic in that it doesn't make any choice at all based on what name you are resolving. – Frank Thomas – 2015-01-14T13:17:06.297

Can you explain to me how Windows (or Linux) can determine which DNS server to use based on the name you are trying to resolve? I guess first you need to look up a host name to retrieve its IP address. Based on the IP address and routing tables the computer can decide which connection should be used. – gogognome – 2013-10-14T06:53:26.060
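Added example, not part of the answer above or the dnsmasq blog post it links to. It models the two behaviours this thread contrasts: a plain OS stub resolver, which asks the first reachable nameserver and treats NXDOMAIN as a final answer (the point Brian Cline makes in a comment on the other answer), versus per-domain forwarding of the kind dnsmasq does with `server=/domain/address` lines, chosen by longest suffix match. The zone contents, the `lan.example` / `corp.example` suffixes and all addresses are constructed for the illustration; lan-dns and vpn-dns are the names from the question.

```python
# Added illustration of split DNS, not code from the thread or from dnsmasq.
# All zone data, domain suffixes and addresses below are constructed.

# Constructed zone data: each private server knows only its own names.
LAN_DNS = {"fileserver.lan.example": "192.168.1.10"}   # served by lan-dns
VPN_DNS = {"gitlab.corp.example": "10.8.0.20"}         # served by vpn-dns
PUBLIC_DNS = {"www.example.net": "203.0.113.5"}        # assumed public upstream

# Which address reaches which server (assumed addresses).
SERVERS = {
    "192.168.1.53": LAN_DNS,     # lan-dns, reachable on the local LAN
    "10.8.0.53": VPN_DNS,        # vpn-dns, reachable only through the tunnel
    "198.51.100.53": PUBLIC_DNS, # public resolver for everything else
}


def query(server, qname):
    """Ask one server. A name it does not know yields NXDOMAIN, which is a
    definitive answer, not a failure."""
    return SERVERS[server].get(qname.rstrip(".").lower(), "NXDOMAIN")


def stub_lookup(qname, nameservers):
    """What a plain OS stub resolver does: use the first nameserver that
    responds at all; move to the next one only if a server is unreachable."""
    for server in nameservers:
        if server not in SERVERS:   # no response (e.g. tunnel down): try next
            continue
        return query(server, qname)
    return "SERVFAIL"


# Per-domain forwarding table, the equivalent of dnsmasq's server=/domain/ip.
SPLIT = {"lan.example": "192.168.1.53", "corp.example": "10.8.0.53"}
DEFAULT = "198.51.100.53"


def choose_resolver(qname, table=SPLIT, default=DEFAULT):
    """Pick the forwarder by longest matching domain suffix; fall back to
    the default upstream for names under no listed private domain."""
    name = qname.rstrip(".").lower()
    best = None
    for domain, server in table.items():
        d = domain.lower()
        if name == d or name.endswith("." + d):
            if best is None or len(d) > len(best[0]):
                best = (d, server)
    return best[1] if best else default


def split_lookup(qname):
    """Resolve by forwarding to the server chosen for the name's domain."""
    return query(choose_resolver(qname), qname)


def dnsmasq_config(table=SPLIT, default=DEFAULT):
    """Render the equivalent dnsmasq fragment: ignore /etc/resolv.conf,
    listen locally, send everything to the default upstream except the
    listed domains. The OS resolver is then pointed at 127.0.0.1."""
    lines = ["no-resolv", "listen-address=127.0.0.1", f"server={default}"]
    lines += [f"server=/{domain}/{server}" for domain, server in table.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # With the VPN's server first in the list, local names stop resolving.
    print(stub_lookup("fileserver.lan.example", ["10.8.0.53", "192.168.1.53"]))
    # The split forwarder sends each name to the server that knows it.
    for name in ("fileserver.lan.example", "gitlab.corp.example", "www.example.net"):
        print(name, "->", split_lookup(name))
    print(dnsmasq_config(), end="")
```

The stub lookup shows why simply listing both private servers does not work: whichever server comes first answers NXDOMAIN for the other network's names and the resolver stops there. The forwarding table is what makes resolution conditional on the name, which is the behaviour neither Windows nor Linux stub resolvers provide on their own.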

1

See my answer to this superuser question for the simplest solution, with screenshots and a basic explanation of the underlying issue.

Jerry W Jackson

Posted 2013-05-01T15:00:29.797

Reputation: 120

No, DNS != routing in any case. The resolver maintains its own list of nameservers and is quite different than a routing table. Just because you turn off the setting causing the VPN to overwrite your default route and other routes does not mean the resolver will automagically know on its own when to send DNS queries for certain domains to one nameserver versus the other. The correction to the routes only makes them both reachable. The resolver will try the first nameserver it knows about, but will only attempt the next one if it times out with no response (so NXDOMAIN responses do not count). – Brian Cline – 2016-06-17T15:54:54.113

I'm sorry, but I can't see how that would fix the DNS issue. When I'm connected to both networks, routing isn't an issue (I'd be able to access hosts on either network directly, using their IP address, but not by using their host name). As Frank Thomas mentioned in his answer, it seems that most OSes can only use one DNS server at a time, regardless of how the routing is set up. – FixMaker – 2013-05-02T06:48:39.883

Routing is DNS in this case. All my solution does is make sure DNS works for both networks when both are connected so that you don't have to use IPs for the local network when connected to the VPN. It seems that you are unnecessarily trying to complicate a rather simple issue. – Jerry W Jackson – 2013-05-02T17:57:14.220