[dns-operations] Split view autoconfiguration

Paul Wouters pwouters at redhat.com
Thu Nov 12 14:01:45 UTC 2020 

On Nov 12, 2020, at 07:59, Petr Menšík <pemensik at redhat.com> wrote:
> 
> Hello DNS experts, Hi Paul,
> 
> I am looking for correct way to autoconfigure split DNS. By that, I mean
> something that dnssec-trigger prepares, when I connect to our enterprise
> VPN. It keeps most of queries to original connection servers provided.

That is exactly what RFC 8598 does for IKEv2/IPsec. This is supported by libreswan and supports a local unbound. For the next version of libreswan we will add support for NM. systemd-resolved, knot, resolvconf (Debian)

I submitted build for openvpn with unbound support but those changes got lost over time.

> But for special internal domains, it redirects queries on local running
> unbound server to addresses provided by VPN connection. Similar way
> behaves systemd-resolved and dnsmasq configured by Network Manager.

I don’t quite understand what you are saying here?

> I think they use DHCP option 119 [1], which was originally used for
> different thing. It is already used and can be used as a hint. But its
> purpose is to search relative names. I found only explicit configuration
> for IKEv2 [2], which provides required information.

DHCP options are only useful for non-VPN connections. There has been talk about putting the RFC 8598 options into a dhcp option but people connecting to enterprise  wired/wireless don’t have a split dns normally. Either you (have to) trust the network or you fully distrust it (and want dot/doh to an external party)


> Am I missing standard way to pass internal domains on VPN connections
> for different types? Is there any best practice or recommendation how to
> configure it in general?

openvpn surely has something but as I said, patches were lost. WireGuard will invent something homegrown once they have their userland daemon (WG-dynamic). 

We can’t really standardize openvpn/WireGuard. 

> Is it so uncommon to have split horizon setup with internal connection?
> I hope I don't know just correct terminology, could you help with that?
> Is there DHCP option 119 alternative, which means list of internal
> domains without additional search hints? Is there other way to configure it?

For IETF standard VPN protocol, we have the solution, and it is implemented. I can give you a certificate for VPN.nohats.ca to test.

Note it does do fallback to re-using the list of dns domains as search domains in resolv.conf if it doesn’t find a locally running dns server. 

Paul

More information about the dns-operations mailing list