[VPN] Re: Cisco VPN and split DNS
On 4/10/06, Lee Sweet <email@example.com> wrote:
> [I looked in the archives a bit and can't find anything like this.
> If this has been discussed, let me know. I can't see a way to
> search, though...]
> Situation: Branch office of ours needs to connect to home office for
> email and other resources. They use Cisco VPN client version
> 4.6.03.0021 connecting to Cisco 3000 concentrators. They also need
> to have simultaneous access to local resources.
> Problem: The DNS issue is that their primary DNS (when not using
> VPN) is usually the local internal (inside the firewall) one. It has
> a number of entries that are not in the one the VPN client points
> to, the home office internal nameserver.
> So, when they are connected to the home office, name resolution
> requests for local resources fail. (Host name or FQDN, doesn't
> matter, of course, since it's using the home DNS.)
> Cisco seems to think the sort of split DNS resolution we want is
> doable, so "it's a problem with the DNS config at that site".
> Is the client actually made to route the DNS requests for one domain
> to one DNS server and all others to another (the hardwired
> interface?) or what? If so, how? We have the domain name set
> correctly in the VPN server config, so we would think only requests
> for this domain (home office) would be routed to the DNS server
> hooked to the VPN interface, and all others (local, external) would
> go to the local DNS server. But, not so.
I can't speak for Windows but on OS X you are able to route DNS
requests on the client by domain. It can be done by creating a file
called example.com in the /etc/resolver directory and putting the IP
of the nameserver to use in that file. All DNS requests for
example.com will be sent to that DNS server. I am not sure if this is
specific to Apple's implementation of the resolver library or if it
works on other Unix-like systems.
> Am I totally confused on some point here, or is this broken?
> Obviously, we can get this to work by duplicating all local entries
> in the home office DNS, but if split DNS is actually supposed to
> work, it would be nice not to have to duplicate/maintain those
> Thanks for any comments or pointers to answers!
> Lee Sweet
> Datatel, Inc.
> Senior Telephony and Communications Specialist
> How higher education does business.
> Voice: 703-968-4661
> Cell: 703-850-2385
> Fax: 703-968-4625
VPN mailing list
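The per-domain resolver file described in the reply above, as an added example that is not part of the thread. On OS X the directory is /etc/resolver and the file body is a `nameserver <ip>` line; the directory is passed as a parameter here (an assumption made so the functions can be exercised against a scratch directory without root), and the nameserver is assumed to be an IPv4 address. The function refuses domain names that could escape the directory and refuses to overwrite an existing entry, since a resolver file silently redirects every lookup for that domain; the audit helper counts entries that anyone on the machine could edit.

```shell
#!/bin/sh
# Added example, not code from the thread. Writes the kind of per-domain
# resolver entry the reply describes (/etc/resolver/<domain> on OS X).
# Assumptions: the resolver directory is a parameter; nameserver is IPv4.
#
# Usage: write_resolver_entry <resolver_dir> <domain> <nameserver_ip>

write_resolver_entry() {
    dir=$1; domain=$2; ns=$3
    # A bare domain name only: a slash or leading/double dot would let the
    # "domain" name a path outside the resolver directory.
    case "$domain" in
        ''|*/*|.*|*..*) echo "bad domain: $domain" >&2; return 1 ;;
    esac
    # Dotted-quad IPv4 only (assumption: the VPN hands out an IPv4 resolver).
    echo "$ns" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        || { echo "bad nameserver: $ns" >&2; return 1; }
    mkdir -p "$dir" || return 1
    target="$dir/$domain"
    # Never clobber an existing entry: a second profile or a stray script
    # replacing it would quietly redirect the whole domain's lookups.
    if [ -e "$target" ]; then
        echo "refusing to overwrite existing entry: $target" >&2
        return 2
    fi
    printf 'nameserver %s\n' "$ns" > "$target" || return 1
    # Readable by the resolver, writable only by the owner (root in practice).
    chmod 644 "$target"
    return 0
}

# Report which nameserver a domain's queries would be sent to, or "default"
# when no per-domain file exists (the system resolver is used).
resolver_for() {
    f="$1/$2"
    if [ -f "$f" ]; then
        awk '$1 == "nameserver" { print $2; exit }' "$f"
    else
        echo default
    fi
}

# Count resolver files that are world-writable. Anything above zero is worth
# a look: such a file lets any local user choose a domain's DNS server.
audit_resolver_dir() {
    find "$1" -type f -perm -o+w | wc -l | tr -d ' '
}
```

On OS X itself, `scutil --dns` lists the resolver configuration the system is actually using, including any per-domain entries picked up from /etc/resolver, which is the quickest way to confirm the file was read.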