Re: vpnc and determining correct routes



On Mon, 2006-10-23 at 12:14 -0400, Derek Atkins wrote:
> Dan Williams <dcbw redhat com> writes:
> 
> > The next problem is split DNS; do people care about that?  Ideally we
> > only query the VPN nameservers for names in a certain domain (passed
> > vpnc as CISCO_DEF_DOMAIN).  Sometimes though, admins don't push the
> > default domain and you have to manually fill it in for a split network
> > setup.  But that requires using named as a local caching nameserver,
> > which people, for some inconceivable reason, are very vocally against.
> > So right now all DNS queries go over the VPN.
> 
> That's not true.  SplitDNS works just fine in 0.6; the problem
> is that vpnc doesn't pass the "additional DNS options" out, and
> NM can't override it, so there's no way to add "additional"
> SplitDNS domains to the configuration.

Ok; maybe it does work, but I was under the strong impression that we
would have to do more to support this in a non-hackish manner.  AFAIK
the code blows away the current named configuration (if you're using a
caching nameserver) and writes the VPN configuration in wholesale, so
you lose your local network DNS config.

What's supposed to happen is:

1) NM gets the local DNS information (server, searches) from DHCP
2) NM gets the VPN DNS information (server, searches) from the VPN
server/concentrator
3) NM sends the "default" zone to named with the local DNS information
4) NM sends an "overlay" zone to named which specifies that the VPN dns
server is supposed to be used for each zone from the VPN searches list

The overlay stuff was never implemented in NM, and split DNS certainly
doesn't work with the glibc resolver unless I'm gravely mistaken,
because the glibc resolver doesn't have a rich enough /etc/resolv.conf
format nor the code to support different DNS servers for specific
searches.

In the end, what we _should_ be allowed to do, is to route *.redhat.com
over the Red Hat VPN server-provided nameserver, and everything else to
my local DHCP-provided nameserver.

Dan

> > So basically, we have to modify the user interface to:
> >
> > - Add a "Never route these over VPN" entry
> > - Add an "Override default domain name" entry
> > - Modify the vpnc service daemon to push split networks to NM
> > - Make NM do split DNS if requested
> 
> This latter already seems to happen...
> 
> > This stuff won't get into 0.6.4, but I'd certainly accept patches for
> > 0.7/HEAD.  If I could find time to work on it in between dbus-ifying
> > wpa_supplicant, the new config framework, and multiple active devices,
> > I'd take a look at it :)
> >
> > Dan
> 
> -derek
> 
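The four-step flow above, with the "default" zone going to the local nameserver and an "overlay" zone per VPN search domain, as an added example (not NetworkManager or vpnc code): it selects the nameserver for a query name with label-aligned matching, and renders the same policy as BIND forward zones for a local caching named. The addresses and search domains are constructed placeholders.

```python
"""Split-DNS dispatch and named.conf overlay generation (added example)."""

# Step 1 (DHCP) and step 2 (VPN concentrator) inputs: constructed sample values.
LOCAL_DNS = {"servers": ["192.0.2.53"], "searches": ["lan.example"]}
VPN_DNS = {"servers": ["198.51.100.53"], "searches": ["redhat.com"]}


def _in_zone(name, zone):
    """Label-aligned suffix match: 'www.redhat.com' is in 'redhat.com',
    but 'notredhat.com' is not (a plain endswith() would get that wrong)."""
    name = name.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def pick_servers(name, local=LOCAL_DNS, vpn=VPN_DNS):
    """Return the nameservers a query for `name` should be sent to.
    Overlay zones (the VPN searches list) win; everything else goes to the
    DHCP-provided local nameserver, i.e. the default zone."""
    if any(_in_zone(name, z) for z in vpn["searches"]):
        return list(vpn["servers"])
    return list(local["servers"])


def named_conf(local=LOCAL_DNS, vpn=VPN_DNS):
    """Render step 3 (default zone in options) and step 4 (one forward zone
    per VPN search domain) as configuration for a local caching BIND."""
    def fwd(servers):
        return "forwarders { %s };" % " ".join(s + ";" for s in servers)

    out = ["options {", "    forward only;", "    " + fwd(local["servers"]), "};"]
    for zone in vpn["searches"]:
        out += ['zone "%s" {' % zone, "    type forward;", "    forward only;",
                "    " + fwd(vpn["servers"]), "};"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(named_conf())
    for n in ("www.redhat.com", "notredhat.com", "host.lan.example"):
        print(n, "->", pick_servers(n))
```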