Dealing With ISPs That Use NXDomain Redirection?
Vrtigo1 writes "I work for a small company that has about 50 staff on the road relying on VPN back to our office at any given time. Many ISPs have implemented NXDomain redirection services that hijack DNS traffic to show you sponsored links and other related ads when you mistype a domain name. These services are incompatible with most VPN software, since they prevent the computer from resolving internal hostnames. Large ISPs typically provide an opt-out on their sponsored links page that immediately opts you out of the DNS redirection, but I've noticed that some smaller ISPs and CLECs have opt-out links that don't actually appear to do anything. I don't have a good solution for employees using these ISPs, and our employees are getting frustrated because the problem is becoming more prevalent and we can't fix it for them. I've tried calling a few of these smaller ISPs for help, but it's been like talking to a wall. Manually changing DNS servers works temporarily, but the user can't resolve internal hostnames when they connect to the office LAN again. Have you had to deal with ISPs using non-standard DNS servers? What is your solution?"
If the small local ISP is screwing up, and refuses to respond in any useful way despite your best repeated efforts, it sounds like it's time to take your business elsewhere, maybe to one of those large ISPs you mentioned. And make sure you tell them WHY. Who knows, maybe the threat alone will be enough to get them to make a sudden change in policy for you, with a month or two of free service to boot.
Last time I set up a VPN, it was with a Cisco PIX firewall (it's been a while), but there was a spot to specify which DNS servers to use when connected to the VPN. I had specified that when connected, they would use our DNS, since they otherwise couldn't resolve \\file-server\share or whatever.
Have you tried OpenDNS? I have used it for years with great results. If you are actually signed in and not just using their DNS server entries in TCP/IP, it miiiiiiiight get you around your problem.
That is all.
to force use of internal DNS servers while connected.
Done.
If you're splitting your connection between a VPN tunnel and a non-VPN protected internet connection, you're a security risk to your infrastructure.
Have your administrator configure full tunnel support where ALL of your traffic goes through the encrypted tunnel. That solves a security problem AND it fixes your DNS problem because you don't use your local internet provider's DNS servers.
Enough Said
Go to hell story tag. Fucking burn. I hate you.
Sincerely, AC
http://en.wikipedia.org/wiki/Split-horizon_DNS
www.opendns.com
Cablevision was going to use NX DNS redirection but stopped because sometimes it interfered with businesses intranet. When he had it for its brief life- we had options to have it enabled or disabled.
We had this exact problem for our Windows users. The solution was to force Windows to use our internal DNS server first when connected to the VPN. We accomplished this with a custom program that changed some registry and system values. Unfortunately I do not have the list of changes -- that was a lifetime ago.
Failing that...
Why does manually changing DNS servers work only temporarily? Can't you just host a DNS server and give your employees the IP for that? It'd mean having to service DNS requests for all your employees private internet usage plus it might break some CDNs but it seems like the simplest solution.
You could also loan employees suitable ADSL / cable routers that you configure, something with a decent small DNS server in it that you can configure to serve your intranet hostnames but defer to the users ISP for internet hosts. Obviously that's expensive though.
Nick
Other people have better solutions but a quick-and-dirty solution is to hardcode internal addresses in a host file. I won't guarantee this works in every environment though, and it's not a maintainable solution.
How are VPN users using an external DNS server to resolve internal host names in the first place?
There is a lot of information missing in this question and it seems to be a simple case of setting DNS to an internal DNS server via the VPN end-point.
Our Company webserver and mailservers serve as DNS servers as well.
There are four in total. We are an ISP, but we are dependent on a larger backbone, so we registered our own DNS servers.
Also, DHCP on the lan with your own DNS server on LAN side should be fine, and you can also edit the hosts file if all else fails. We have a few (Vista) laptops where we needed to hardconfig LAN side server addresses in the hosts file - but I suspect this has less to do with nxdomain problems than with a larger config issue between Win2003serv and Vista.
What's the benefit of blocking your internal DNS? You're firewalled off, or they wouldn't need the VPN. What's going on here is that you're doing something broken - you must have some kind of NXDOMAIN redirector running on the remote machine, and the ISP is doing something wrong, because its NXDOMAIN redirector is fooling your NXDOMAIN redirector. If you just follow the standards, the fact that they have a broken NXDOMAIN redirector wouldn't affect you.
Another option is to set up a DNS resolver that's reachable from outside your network, and also inside your network, but only answers for your internal names if the query comes from inside. Then configure all your VPN machines to always use that nameserver, and not use your ISP's nameserver.
Even if your ISP filters DNS and answers in place of your nameserver, you're okay, because as soon as the VPN is set up, all the queries will go across the VPN (since this server is on your local network). At that point you'll start getting answers for local domains because now the query is coming from a local (VPN) IP address.
This second solution is a bit more work, and of course being a DNS geek I'm biased toward just doing the right thing in the first place, so I recommend just opening up your DNS, but either way ought to work.
There are still small ISPs left where you live?
Would hard-coded IP addresses to a hosts file work?
You can run your own DNS servers... (this opens a lot of other possibilities for its use as well, such as blocking certain sites at the DNS level, or setting up local domain entries for your internal network (without the expense of registering a domain name or three): just make sure you don't set such up using a real, existing domain name that you may at some time want to visit.
A Linux box with BIND or similar can be a cheap, old box and perform fantastically in this respect. An OS/2 box (if you've got some OS/2 disks or buy a copy of Warp 4 from eBay) can also be a cheap, and ancient box and perform amazingly (you don't need more than a P90 with 64MB RAM - I know... I did this for years for some decently high traffic domains (30,000 unique visits a day)). BIND is available for both OS/2 and Linux, as well as a number of other options for both.
You can use OpenDNS or a similar service...
(The formerly run by) UUNet name servers still work and accept connections from anywhere.
On this note, btw, it's not just small ISPs who are doing this... OptOnline is doing this in my area, and we are a business customer with a business connection.
You should ask you IT manager, ;)
oh, you're the IT manager ? hmmm
sudo chattr +i /etc/resolv.conf
Mod parents up, please.
And then we can all go home. This is an easy problem to solve once you see it from the right angle, and that angle is described above.
It's been awhile since I looked at OpenDNS, so maybe I'm mis-remembering, but I could swear that OpenDNS's business model is based around generating ad revenue from doing NXDomain redirection, isn't it? If that's the case, swapping one NXDomain redirect for another doesn't seem very productive.
You know, that's a good feature request for Deadwood, code I'm working on now that will eventually become the next-generation recursive DNS resolver for MaraDNS. Have a feature so that, if we get a given IP over DNS, make the reply a "notthere" reply (It's a bad idea to make it a NXDOMAIN).
MaraDNS is an open-source (BSD licensed) DNS server I've been working on for over eight years; right now I'm re-writing the recursive code. Currently, the rewrite of the recursive code is a tiny (32k) DNS forwarding (non-recursive) cache for both Linux and as a native Windows binary.
My goal is to have full recursion supported by the end of 2009.
No VPN software or hardware I ever used does this. It always checks the VPN DNS server first before going to the main one.
Reconfigure your VPN software, something is wrong.
YES, NXDOMAIN redirection sucks, but it does not by default interfere the way you think it does.
If it's servers on your network you need, you could just stick a hosts file entry on their computers to resolve "webserver" to 10.1.200.34 etc.
I use FIOS which does this (annoying as hell) but they do provide DNS servers which don't exhibit this behavior.
For your end users, put a firewall between the user and the internet.
Any old linksys should do, they already have DHCP on them.
Just configure the fw/router with the "opt-out" DNS servers. That way the users won't need any special config on their laptops/desktops.
Option B:
If these are windows clients, can't you just assign different name servers to different network connections?
The VPN adapter can use DHCP to pull the corporate DNS servers.
The "internet" NIC they plug into their cable modem can use the static "opt-out" DNS settings.
Note that this wouldn't work well for Laptop users because they'd have to change their network config when traveling.
When everybody dies in 2012 at least I'll be happy assholes like you will be dying too.
and you won't have to worry about it. Your DNS needs to be coming across your VPN tunnel, not from your ISP. Done.
I seriously don't understand this. Presumably when users are connected to the VPN then there must be some way of resolving internal names, and this can only be done via your own internal DNS. You can't have the DNS of users' ISPs resolving internal names because that would be silly and would obviously fail. Therefore.......use your own DNS while users are connected to the VPN. A lot of VPN software will do this automatically, but I've done this with OpenVPN by pushing down DNS through DHCP and changing the bind order of the interfaces with the VPN at the top. At least on Windows that is.
I have no clue whatsoever why you're trying to talk to ISPs. This is not their problem at all.
Use another ISP.
This guy sounds like a manager or IT worker who is having problems with his employees connecting to the work VPN.
it sounds more like he has not stated the problem correctly.
how is it possible that a VPN connection is doing DNS to an external name server? Should not every internet request flow over the vpn from the client to the server. once it reaches the internal vpn server the server should know how to route the internal addresses and for external addresses it could use an external domain name server. the problem described seems like it should not exist. what am I missing?
... and it should be stopped. Forced to stop if no other approach works.
Redirecting my web request to somewhere else, as far as I am concerned, is equivalent to re-routing my snail mail to their own office if someone has moved. That is not acceptable. I want a "not at this address" notice, nothing else.
Why are you not using your own DNS servers! Or even use OpenDNS if you're not able to set up and administer your own. DNS should be configured within your VPN software. Nothing says you have to use your ISP's resolvers.
Have your remote users connect to an IP address instead of a name and all of your problems are solved.
A logon script here loads a hosts file that null-routes a lot of known bad (spyware, etc) sites.
Could you do the same for your internal hosts so that when on the VPN it doesn't even need to do a DNS lookup?
Why, what happens in 2012?
Some ISPs already won't let you connect to port 25 on any server that isn't theirs (forcing you to relay outgoing mail through them), ostensibly to prevent zombies from sending spam. The ones that monetize NXDOMAIN could easily do the same for DNS. All they'd need is some flimsy pretext, and maybe not even that.
Couldn't the Split Tunnel still be used, but all lookups are resolved via the company's DNS? You may resolve 'Pron' names, etc. but you would not be carrying the traffic for them.
If I understand correctly, the problem arises because the road staff's TCP/IP connection is receiving the DNS server info automatically from whatever connection they are using. If you set up the clients to use a preferred DNS server as something like OpenDNS, available from anywhere, and your secondary DNS server as the internal IP address of your local LAN's DNS server, you should get the effect you want. When your users are on the road, they will use OpenDNS. When they are back in the office, the requests for local names will go to OpenDNS and fail, and then be directed to the local DNS server.
The first thing your secure VPN tunnel should be doing is altering the client's DNS profile to only use the DNS servers on the other side of the tunnel. Anything else is totally insecure.
Most network interface configurations allow you to specify a DNS server for that specific connection. I use both OpenVPN2 and Cisco IPSec clients on Windows and Linux. In both cases, the virtual adapters/interfaces used by these clients can have their own DNS server configured. It is only used when the adapter/interface is connected.
Place your own DNS server on the internet outside of your DMZ. Then just point your VPN people to those DNS servers manually.
As to what happens when they return to work, if we are talking about laptops and you have docking stations then you can use a docked and undocked profile that could switch them back and forth. Otherwise just give them an icon to click on when they are having issues that manually sets the DNS back and forth. It's extra training but an easy workaround.
I have to tell you that I am not sure why this is a problem for you honestly. VPN should set up a tunnel for your users connecting, so once they resolve the name of the VPN servers to connect to they no longer use external DNS at all. If your problem is that they keep you from resolving the name of your VPN servers correctly then just hardcode the IP into the client.
Hope this helps....
When I had Time Warner, their opt-out link only worked in IE. Maybe that's why the opt-out link isn't working?
My ISP recently started pulling this crap.
In response, I installed bind9 and resolvconf to get data directly from the authoritative name servers.
It's the old adage "If you want something done right, do it yourself"
This is in fact why NXDomain breaks things in the way the poster describes, however, unless you're the kind of employer who wants to see EVERYTHING your subordinates are doing it's not actually the best practice to filter everything through the VPN.
Filtering everything through their VPN increases overall costs in bandwidth and hardware as Intron indicated. These are very real, very costly expenses that many employers overlook when implementing broad policies... and it's a fantastic point you raised that all too many companies forget.
Why should my connection to slashdot.org, for example, be secure on the company VPN? My ssh and nfs connections have very real reasons to be secure however!! On the other hand you could fix this by filtering DNS traffic through the VPN, but not web traffic. The cost of DNS traffic is marginal comparatively to other services, but the benefit for companies facing these specific issues is obvious.
What you are describing is one part of a general problem. When users are moving around using different networks, various tweaks to the network settings on the computer are often needed. A user-oriented tool to switch networks is needed. Some notebooks (e.g. Thinkpads) already come with such a tool. Otherwise, NetSwitcher is about US$20 a copy. Someone technical sets appropriate settings for each location the user visits. Subsequently, the user just calls up the configuration for 'Home', 'Office', 'Cust-X', 'Airport' or wherever.
What I've done in a situation like this is configure two Netsh batch scripts. The first configures the NIC for office use. The second configures the NIC to use DHCP and Level 3's public DNS Servers, 4.2.2.1 and 4.2.2.2. More info about setting up netsh scripts can be located at: http://www.petri.co.il/configure_tcp_ip_from_cmd.htm
then find out what IP addresses the portal has, like so:
dig +short www.this-isp-sucks-by-nxdomain-hijacking-oh-leve-me-alone.com
and put that address into dnsmasq.conf like so:
bogus-nxdomain=66.150.2.179
bogus-nxdomain=67.63.55.1
dnsmasq will return NXDOMAIN if a response contains these addresses
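The dnsmasq `bogus-nxdomain=` lines above, and the `dig +short` probe used to find the portal's addresses, both depend on one observation: a hijacking resolver answers the same handful of IPs for any name that does not exist. The following added example (not code from this thread) automates that check offline. It feeds a set of constructed answers for random, certainly-nonexistent labels into a small analyser, flags any address that comes back for several distinct probes, and emits the matching `bogus-nxdomain=` lines. The `resolve_with_dig` helper is the only networked part and is not called by the sample run; the 198.51.100.x addresses are documentation-range placeholders, not any real ISP's portal.

```python
"""Spot NXDOMAIN redirection from a resolver's answers to random names.

Added example, not from the original thread. Sample answers below are
constructed; live answers would come from resolve_with_dig() against the
ISP resolver under test.
"""
import ipaddress
import secrets
import subprocess
from collections import Counter


def random_probe_names(count=5, suffix="example.com"):
    """Labels that almost certainly do not exist under `suffix`."""
    return [f"probe-{secrets.token_hex(6)}.{suffix}" for _ in range(count)]


def resolve_with_dig(name, server):
    """Ask one resolver for A records of `name` via dig (network call).

    Returns a list of address strings; an honest NXDOMAIN yields [].
    """
    out = subprocess.run(
        ["dig", "+short", "+time=3", "+tries=1", f"@{server}", name, "A"],
        capture_output=True, text=True, check=False,
    ).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


def hijacked_addresses(answers, min_hits=2):
    """Return addresses that answered for at least `min_hits` distinct
    nonexistent names.

    `answers` maps probe name -> list of A-record strings ([] for an honest
    NXDOMAIN). A compliant resolver yields an empty result; a redirecting one
    yields its portal address(es). The threshold keeps a single wildcard or
    stray answer from being mistaken for hijacking.
    """
    seen = Counter()
    for addrs in answers.values():
        for addr in set(addrs):
            ipaddress.ip_address(addr)  # ValueError on anything non-IP
            seen[addr] += 1
    hits = [addr for addr, count in seen.items() if count >= min_hits]
    return sorted(hits, key=ipaddress.ip_address)


def dnsmasq_bogus_lines(addresses):
    """Render dnsmasq.conf lines that turn those answers back into NXDOMAIN."""
    return [f"bogus-nxdomain={addr}" for addr in addresses]


# Constructed sample data (placeholder addresses from TEST-NET-2).
SAMPLE_HIJACKED = {
    "probe-3f9a1c2b7d0e.example.com": ["198.51.100.10", "198.51.100.11"],
    "probe-0b1c2d3e4f5a.example.com": ["198.51.100.11", "198.51.100.10"],
    "probe-9e8d7c6b5a40.example.com": ["198.51.100.10"],
}
SAMPLE_HONEST = {name: [] for name in SAMPLE_HIJACKED}


if __name__ == "__main__":
    for label, sample in (("hijacked", SAMPLE_HIJACKED), ("honest", SAMPLE_HONEST)):
        found = hijacked_addresses(sample)
        print(label, "->", found or "resolver returns NXDOMAIN correctly")
        for line in dnsmasq_bogus_lines(found):
            print("   ", line)
```

Run it against a live resolver by replacing the sample dict with `{n: resolve_with_dig(n, "<isp resolver ip>") for n in random_probe_names()}`; the probe names are random so a cached or wildcard answer for one of them does not cross the threshold on its own.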
I do not think your ssh connection needs to be tunneled through a VPN at all. Ssh is a secure way to transmit and receive information without a VPN. I suppose you could use a VPN with ssh, but it seems redundant. NFS is another matter, though.
Every vpn setup I've had...locks down all network connections, and all ..through the vpn connection only while it is connected. Indeed all traffic goes through it.
This is just the security measures they have had...they do not want to risk having machines connected into their networks, that are simultaneously connected to other networks or the internet...I kinda figured most any setup would want that level of security if they were going to the trouble of setting up a vpn connection.
I had this problem as well with my VPN connection. It turns out the Cisco soft VPN was just another "interface". The DNS requests would go out to the regular ISP interface first and they used to error, so it would use the DNS on the VPN second, which worked. When they no longer returned an error, but rather a fake page, I lost the DNS on my VPN. The trick is to make the ORDER of interface access such that the VPN connection is first: click on Network Connections, click on Advanced, click on Advanced Settings, and move your VPN connection to the top of the list. TADAAAAAA
Not all systems that a technician might SSH into are visible from the outside world. Sometimes, VPN gets you more than just encryption. It gets you visibility to far more systems than those on the Internet get to see.
Sue them for false advertising. They're offering internet access, but since they don't follow the RFCs, what they're providing isn't really the internet.
i recommend running a dns cache at almost every apex of the network, especially where faster stuff (lan) meets slower stuff (cable/dsl), on each individual host if need be.
most dns caches are default configured to query the root name servers. this will seem to fix your problem immediately but is a bad thing. if every home user was querying the root servers we would quickly see the internet slow to a crawl or the cost of operating it rise to the point that some all-powerful govt would have to swoop in to "save the day" by taking over control. make sure you do configure your dns cache to query the isp's dns servers (integrating said software with your dhcp autoconfiguration is beyond the scope of this comment)
this hijacking of NXDomain is such a prevalent problem that most dns caching software has either a configuration option or a highly revered patch to remap the response of a certain A record into a nxdomain response. here is the recommended patch for djbdns (aka tinydns suite) http://tinydns.org/djbdns-1.05-ignoreip2.patch
in a very small isp this might make it impossible to get to their own home page or support page while this is enabled, if they are virtual hosts on the same webserver that's providing the nxdomain redirection "service". at most isps this won't be an issue
HOWEVER, if this annoying "service" from your isp is _anything_at_all_ more than just a nuisance, (ie. it causes hosts on your vpn to be unreachable) then you have worse problems and you are actually lucky it brought them to the surface.
SSH tunnels get around that without difficulty. If you know the address, it's as simple as assigning local port 2222 to 10.1.0.100:22 and you can now SSH to that machine by connecting to localhost:2222. Get a SOCKS capable SSH client, and you don't need to set up the tunnel for each connection.
That's not limited to small ISPs. Verizon FiOS, for example:
"Oh, sure, we will let you opt out - just click on the link that shows your router"
BROKEN LINK
Hmmm, guess I will click on a similar router...
THEY ARE ALL BAD LINKS
Gee, I guess I will click on the "change OS settings" link then...
BAD LINK
Somebody's going to point out that you can Google and find where helpful geeks have posted the instructions to opt-out without Verizon's assistance. But that's not the point, really, is it? Verizon had working opt-out links exactly long enough to get a favorable review in Consumer Reports, and then it all mysteriously broke. I cannot explain this coincidence, personally, you will have to come to your own conclusions.
Umm, just have people in your company specify your own DNS servers, or the ones from openDNS or anything else. Why couldn't you solve this easy easy problem w/o asking slashdot?
There is a bit of a cruddy issue with Windows and the way it deals with DNS servers provided by VPNs
If your LAN connection DNS servers are on the same subnet as the LAN connection itself, as is the case with most home networks, then for some inexplicable reason, Windows queries the LAN-provided DNS before the VPN-provided DNS servers despite whether the VPN is configured for split tunnels or not.
It's been documented, reported to MS and nothing has happened about fixing it.
Some systems (e.g. PCI DSS controlled systems) are forbidden to be directly exposed in that sort of manner - in which case a VPN with two factor authentication would be required.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Set it up for authentication such that only your VPN users can access it externally, then manually tell them to use it for all their internet traffic. It isn't hard to specify what DNS servers to use. I'm sure some privacy concerns would be raised but they can always use their ISP's DNS server for non-work related activities. Or instead of using a hostname to connect to the VPN server, use an IP.
2 cents
I noticed this same thing from Suddenlink, I was being redirected when I input an invalid address in the url bar. I knew what it was after some searching. I ran Wireshark to verify what was going on. I also verified I was not using their DNS servers. I have my own DNS servers locally and with one of my leased servers. I also ran the same test with the server at 4.2.2.5 and they redirected me. When I emailed them I received this response [quote] Thank you for your inquiry. Suddenlink is committed to providing the best customer service possible. The Suddenlink search page can only automatically redirect you if you're using Suddenlink's DNS servers at the time of the incident. You state you're not using our DNS servers. Please note that it's impossible to get redirected to the search page on DNS servers other than Suddenlink's, due to the nature of the redirect and the fact that it's done by the DNS server. I notice you're using a Cisco/Linksys router. Please check your manually configured DNS settings on both your router and your computer to be sure you are using the DNS servers that you want to be using. We hope that we have been able to provide you with the information you requested. If we have not, or if we can be of any additional service to you, please do not hesitate to contact us again. Did you know that you can speak with a live agent without picking up the phone? It's Easy! Simply Click on the link below and let us assist you with your general or account specific questions. We are available 24 hours a day, 7 days a week for your convenience. http://www.suddenlink.com/chat.do Thank you for choosing Suddenlink Communications "Easy as counting to one." [/quote] So according to them it is impossible. Even though it is happening. I just blocked their address space and moved on. I know better than to deal with their customer support after they told me I couldn't pull down an address because they no longer used gateways. 
I asked if they were on pfm modules, which they replied yes. pfm = pure freaking magic.
Why would they want to use full tunnels?
It provides a false sense of security and encourages abuse for the end user to legitimately reach their local network services (printers, etc.).
The VPN is for talking to remote resources on a particular network (or set of networks).
Requests for resources on the local network on other networks should go through the users normal gateway.
The ISP is out of spec. They must either correct their problem or lose business.
The London Olympic opening ceremony is going to be so embarrassingly, cringe-inducingly awful that the kinetic energy involved in hundreds of millions of folks turning away from the TV screen to gag, all at the same time, is going to shift the Earth off its axis and send the planet plummeting into the Sun.
The Mayans predicted it apparently.
OMG!!! Ponies!!!
This is true, the huge power spike from the simultaneous turning off of all these TVs could be somewhat catastrophic as well.
You should configure your VPN client-software to update the /etc/resolv.conf (or Windows equivalent) to use your internal DNS server routed through the VPN. No need to route all external network traffic through your VPN though.
http://thekelleys.org.uk/dnsmasq/doc.html
You can fix the nxdomain stuff in dnsmasq config.
And you can configure it to use certain dns servers for specified domains, so for instance everything with .mycompany.com will go directly to your internal dns server. ;-)
Since it is also doing DNS caching as a bonus your subsequent dns queries will be faster.
Also you can give it hosts files with advert server domain names so you can block ads at dns level too.
Also, it can act as DHCP server and use DHCP lease information for DNS resolving in local network.
win-win-win-win
In the case of the router vulnerability, this is something that you can control on the corporate side of things by simply not accepting packets down the VPN tunnel that don't come from the IP address that's the far endpoint of that tunnel. I'm not a VPN expert, but I would be surprised if this isn't how your VPN is configured by default.
You can also filter packets on the receiving end of the VPN. That's how I configured our firewall at work. The VPN tunnel simply looks like another network interface to our firewall, so I apply a slightly less restrictive set of rules to that connection than I do to the default external interface. Giving someone keys to your network just because they are an authenticated VPN user is not a very good idea.
My main complaint with DNS tampering is the outright DNS hijacking that Sprint does with their AirCard (EVDO) service. You can't even query a different DNS server-- your packets are intercepted and redirected to Sprint's own DNS. Unfortunately, their records are often out-of-date as it appears that they also manipulate TTLs to keep the churn down on their servers. It's a real problem when you're relying on something like an AirCard for doing things like network penetration testing.
1) You have something misconfigured if it's causing an issue.
2) It's a small ISP in a cutthroat market, they need the additional revenue stream.
dnsmasq, available in most distributions, is a lightweight dns server that you can tell the ips of bogus NXDomain sends and will turn them back to what they should be. You can also point your computers to level3's free dns service at 4.2.2.3 4.2.2.4 4.2.2.5 4.2.2.6
if you really want to use split tunnel, just push the internal corporate dns to all vpn clients. it's not harder than that. I know for a fact that openvpn/cisco-ipsec/pptp can do this.
Lots of misunderstandings in the replies. First - the most common offender is the hotel's local internet service. Second - this is about DNS, not routing. Windows tries all the DNS servers at once and believes the first positive answer. The DNS servers in the story are the ones the hotel gave you on the real interface, and the ones VPN gave you on the VPN interface. You can often make this go away by using the advanced settings in the network folder to order the VPN adapter first as a service provider. Failing that, I know of no solution that doesn't require messing with the DNS server entries in the real adapter.
Provided that your internal dns zone is a subdomain of your external dns zone, just make it world reachable. IMVHO the days where 'hiding' your internal DNS zone adds any security are long gone - any external attacker who is in a position to make use of this information can already get it anyway.
nsswitch.conf:
hosts: files dns
Put your stuff in /etc/hosts. Done.
Seems simple enough to me.
Then all you get from 'random ISP used by roaming user' is the raw connectivity, and you ignore their DNS entirely.
In fact, when the vpn is up, it could use your main office's internal DNS server as a fallback.
ssh is already secure, and it is redundant to ssh via a vpn. In fact it would make more sense to run the vpn via an ssh tunnel.
As far as nfs, good lord man you aren't seriously trying to run nfs mounts over remote Internet connections?
A previous employer I worked for had the VPN set to access the IP address of the VPN server. Never had a problem until they switched IP addresses and I didn't see the message.
If your VPN clients are searching external DNS servers first, then it sounds like there's a configuration issue on the client side.
Every VPN software I've used (Windows PPTP, Cisco AnyConnect, Cisco VPN Client, vpnc, pptp linux) sets the machine to query the DNS servers on the private network *before* whatever I have configured. DNS isn't difficult.
NXDomain redirection is something which will only occur more and more, with companies like Nominum pushing products to do this. It's not a bad thing either, from a customer experience point of view... I'd much rather see something saying "Oops, you typed 'googgle.com' and I don't recognise that... did you mean google.com?", even if it had some advertisements too.
If the internal hosts are all static (at least the important ones, like servers) then just create a standard listing of hostname->IP and store it in the hosts file of the remote machines. Those machines have to install/config the VPN client at some point anyway, why not tack on appending a list of hosts to that procedure?
As far as nfs, good lord man you aren't seriously trying to run nfs mounts over remote Internet connections?
Depends on whether it is NFSv4 (or later). Earlier versions are resource-hungry and insecure, and you'd better off with CIFS or AFS than NFSv3 or earlier. (I don't know v4 well enough to discuss its suitability for non-VPN WAN use.)
I was dealing with a similar problem (being an employee, connecting to my company's VPN).
But I did not want to route all my DNS traffic through the VPN to the company DNS servers, because I am part of a community network that has a fake TLD set up on our own DNS servers -- using my company's DNS servers would prevent me from using this TLD. My solution -- run a copy of bind locally, with the following config:
/etc/resolv.conf:
nameserver 127.0.0.1
/etc/bind/named.conf:
options {
    forwarders {
        my_regular_DNS_servers_IP_address;
    };
    forward only;
};
zone "mycompany.tld" {
    type forward;
    forwarders { my_companys_DNS_server_internal_IP_address; };
};
This way, only requests to mycompany.tld go to my company's DNS servers, the rest goes to my regular DNS server, allowing me to access both my company's split-horizon DNS and my network's fake TLD.
Even before my now-previous ISP started to hijack NXDOMAIN responses I ran my own recursor feeding off of the root servers because the ISP's were flaky and unreliable. I'm not paying them to look at their ads, I'm paying them to provide me bandwidth.
This still shouldn't be done lightly and not for just the single user because the root servers are a shared resource, but it does save you from invasive silly games ISPs like to play to further monetize you, the customer. I find it telling, but not surprising, that very few ISP customers actually speak up against the practice.
How about a good old fashioned hosts file for internal names. If your machine names are changing frequently you can update it with a login script. Besides that, set up your own DNS server and have them hit that. Fighting with the ISP is a fruitless exercise. I don't think they are going to change the whole thing just for you, but I think it's good that you posted this because if more and more admins just refuse to use the ISP's DNS maybe they will stop. Taken to the extreme, if more and more home users get too many unwanted ads, then this will be good for third party dns servers that charge a small fee.
I don't know that I would leave that hole open in my VPN configuration, but have you tried using OpenDNS (http://www.opendns.com/)? I don't know if it'll work in your situation or not, but I hardcode it vs. picking up the automatically assigned ISP's DNS and it works great. It doesn't have the problems with the redirection for advertisement when an incorrect URL is entered. In fact, that's one of my primary reasons for using it. Give it a try. Their site will give you the two IP addresses you need to use them, and best of all... it's free.
And how do you get your ssh connection to 10.1.0.100, without connecting through the VPN in the first place? That's an rfc1918 internal IP address. It's not routable on the internet.
And even if it was, your connection would still stop at the corporate firewall.
We wrote a little app that runs on startup on our laptops. It basically does an IPConfig /all to a txt file, then parses that looking for our internal domain(s). If it doesn't find it, it sets up things one way. If it does find it, it sets them up another way. In our case, we used it to set the proxy and the speed/duplex on the network cards. But I'm sure you could use it to set different DNS servers.
Hope this helps,
TD
I worked for an ISP that provided service to hotels. VPN configs were the major source of problems. We implemented a captive portal to try to smooth over issues like
SMTP rejection (SMTP-AUTH was not common, the portal provided silent redirect to local mail server)
Accountability/Abuse -- The rooms were hard-wired, and captive portal gave us some retroactive sense of what room was generating abusive traffic.
Splash-screen/terms-of-service
DNS redirection is one of the core techniques for establishing captive portals. I rather doubt that many smaller ISPs are doing the "sponsored link" DNS redirect. Maybe things have changed since I left, but I suspect there is no significant benefit and some real cost involved for sponsored redirects for all but the largest ISPs.
Most of the support calls were over VPN software. Since all traffic was redirected until the splash screen was agreed to, a small but significant segment of VPN client configs broke. I very much suspect that is the real source of the initial poster's issues.
The problem with that "level of security" is that it is not. If you are afraid of routing between the interfaces, turn off routing, use non-routable (rfc1918) addresses, or block traffic at the firewall from IP addresses that aren't VPN addresses.
On the other hand, if you are worried about the PC being hijacked, best case is that preventing the PC from being on both networks at the same time adds a small delay. The infection will happen with the internet connection active, and it will spread when the vpn is active. However, as you should know if you do anything with security, once the PC is compromised, you can't trust *anything*. Including the VPN client. The attacker can change it to send the traffic wherever he wants. That's why it's called "owned". He's the "owner" of the machine now, not you.
It is possible (as other commentators have noted) to split your traffic between the VPN to work and your regular connection to the internet.
However, this means that instead of trusting you to keep your machine secure, your employer is trusting everyone you can connect to. Many moons ago, a supplier to two competing banks found out he'd exposed one bank to the other, and earned a life-threatening lawsuit in the process (;-))
If your employer has no sensitive information on the network you can VPN into, a split tunnel is a good idea. If they have confidential information on the network, it's a poor one, and if they have information shared with customers or connections to customers, it's a company-ending one.
In principle, you could use Mandatory Access Control rules in SE Linux to protect against this: I've done exactly that using Trusted Solaris, at the expense of a huge chunk of effort but it's out of the question in a Windows shop.
--dave
davecb@spamcop.net
He could switch to OpenDNS...er...never mind....
$ cat /etc/resolv.conf
nameserver 208.67.222.222
nameserver 208.67.220.220
$ host opendnssucksabigone.com
opendnssucksabigone.com has address 208.69.32.132
Host opendnssucksabigone.com not found: 3(NXDOMAIN)
$ host 208.69.32.132
132.32.69.208.in-addr.arpa domain name pointer hit-nxdomain.opendns.com.
Whoops!
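The shell session above shows what a hijacked lookup looks like from the outside. The following is an added example (not from the thread) that performs the same check programmatically: it builds a raw A query for a label that cannot exist and classifies the reply as an honest NXDOMAIN (RCODE 3) or a redirect (RCODE 0 with an A record). The 208.69.32.132 address is the one seen above; `fake_reply` constructs sample responses so the parser can be exercised offline, and `probe()` sends a live UDP query to a resolver of your choice.

```python
import random, socket, string, struct
# Added example (not from the thread): tell an honest NXDOMAIN from a redirected one.

def build_query(name, qid=0x1234):
    # Header: id, flags (RD=1), QDCOUNT=1; then one question of type A, class IN.
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def fake_reply(query, rcode, ip=None):
    # Constructed reply for offline tests: echo the question; if `ip` is given, add
    # one A record whose owner name is a compression pointer (0xC00C) to the question.
    ans = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip) if ip else b""
    qid = struct.unpack(">H", query[:2])[0]
    return struct.pack(">HHHHHH", qid, 0x8180 | rcode, 1, 1 if ip else 0, 0, 0) + query[12:] + ans

def _skip_name(msg, off):
    # Advance past a label sequence; a 0xC0 compression pointer ends it in 2 bytes.
    while msg[off] != 0:
        if msg[off] >= 0xC0:
            return off + 2
        off += msg[off] + 1
    return off + 1

def parse_reply(resp):
    # Return (rcode, [A-record IPs]) from a raw DNS response.
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4            # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return flags & 0xF, ips

def classify(resp):
    rcode, ips = parse_reply(resp)                 # honest resolvers: RCODE 3, no answers
    return "honest" if rcode == 3 and not ips else "hijacked" if rcode == 0 and ips else "unknown"

def probe(resolver_ip, timeout=3.0):
    # Live check: a random 20-letter .com label will not exist, so any A record is a redirect.
    name = "".join(random.choices(string.ascii_lowercase, k=20)) + ".com"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return classify(s.recvfrom(512)[0])
```

Running `probe("208.67.222.222")` against the resolver in the session above reproduces the "hit-nxdomain" behaviour it shows; an honest recursor returns "honest".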
OpenDNS and the ISPs that use them always f*ck up my shell sessions when I mistype a hostname, since it goes straight to their server instead of receiving a SERVFAIL or NXDOMAIN.
Alternative? Run your own DNS cache/resolver
Any decent VPN software will have the ability to auto-configure the DNS server settings once the VPN link is up. Just have clients use your internal DNS server over the VPN.
Note that contrary to what other posters are saying, it's not necessary to tunnel all your traffic over the VPN. Just make sure DNS requests go over it.
Put a hosts file on your workers' systems. Done.
And stop advertising or using outside DNS for your internal network. That's like putting a map in your yard to where you keep all of your valuables in your house.
"Smile, listen, agree, and then do whatever the fuck you wanted to do anyway." ~Robert Downey Jr.
Get a SOCKS capable SSH client, and you don't need to set up the tunnel for each connection.
No but now you need to
a) hope your applications support SOCKS (for instance Opera doesn't do this)
b) configure your applications accordingly
Just sayin'.
Use IP addresses instead of domains, or go for OpenDNS.
the vpn-connected pc will then use the dns-server provided inside your intranet...
the only bad thing is that you can't access your local network at home (or wherever you are) so network drives and printers are temporarily unavailable...