[clug-talk] VPN name resolution question
wcn00 at shaw.ca
Wed Apr 8 07:12:40 PDT 2009
I have this exact problem. I use several machines in my home network to
do my job (primarily down the vpn) but my family also have computers and
do "their" thing. It would be silly to use name servers thousands of
miles away for them, and those dns servers wouldn't even resolve
important names like our local ISP's POP server. So here's what I do:
-set up a Linux box to be my firewall.
-run the VPN client on the firewall such that all machines in my home
network can route through it.
-set up a forwarding DNS server on the firewall such that requests for
my work domain are satisfied by servers down the VPN tunnel; queries for
the WWW use my ISP's servers, and my local addresses are served by the
DNS server on the firewall.
-set up a DHCP server on the Linux firewall such that local machines are
dynamically registered in DNS.
This works great and if people are really interested I can share my
Things I haven't done (because I'm lazy):
-set up two pools of DHCP addresses such that only my "work" machines
get addresses from a designated subnet.
-set up routing tables so that only machines from my "work" subnet are
routable down the tunnel.
That would protect my employer's network from all the trojans and
viruses that my kids bring home on their windoze boxes.
There are several great firewall dists for Linux, but I just use fc9 with
shorewall for now. My logs show that for 18 hrs of most days someone is
trying to get in, and no one ever has...
> Royce's question regarding name resolution triggered a neuron for me...
> When I establish a VPN connection to a remote network, I need name
> resolution to work for servers there. At the moment the only way to
> do this seems to be to change my /etc/resolv.conf file to use their
> nameserver. But that means that all name requests are now going
> through their network - even for things that have nothing to do with
> their network.
> I have set up a script to establish the VPN connection, backup my
> resolv.conf file and replace it with one that has the remote name
> server. But there's probably a better way.
> Any tips?
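The setup described above, written out as a concrete configuration. This is an added example, not the poster's actual config: it assumes dnsmasq as the forwarding DNS and DHCP server on the firewall (the post does not name the software), and it assumes the work machines sit on their own interface (eth2) rather than being picked out by MAC address, which is a stronger separation than the MAC-based pools the poster describes since a MAC address is trivially spoofed. The domain names, addresses and interface names are placeholders. The generated dnsmasq config sends queries for the work domain down the tunnel, everything else to the ISP, and answers the local zone from DHCP leases; `no-resolv` keeps the VPN client's rewriting of /etc/resolv.conf from leaking into the forwarder's upstream list. The iptables rules are printed, not applied, and only the work subnet is allowed to forward into tun0.

```shell
#!/bin/sh
# Added example (not from the original post). Split-horizon forwarding DNS,
# two DHCP pools and tunnel-only routing for the work pool, as a dnsmasq
# configuration plus iptables FORWARD rules. Every name, address and
# interface below is an assumption chosen for illustration.

WORK_DOMAIN="corp.example"      # assumed employer domain, resolved via the VPN
WORK_DNS="10.8.0.53"            # assumed DNS server reachable only through tun0
ISP_DNS="203.0.113.53"          # assumed ISP resolver for everything else
LOCAL_DOMAIN="home.lan"         # assumed local zone, served from DHCP leases
HOME_IF="eth1"; HOME_POOL="192.168.1.100,192.168.1.199"
WORK_IF="eth2"; WORK_POOL="192.168.2.100,192.168.2.199"
WORK_NET="192.168.2.0/24"
VPN_IF="tun0"

# dnsmasq config implementing the three-way split:
#   *.corp.example  -> WORK_DNS (longest matching server=/domain/ wins)
#   *.home.lan      -> answered locally, never forwarded (local=/domain/)
#   everything else -> ISP_DNS
# DHCP ranges are chosen by the interface the request arrives on, and
# lease hostnames are registered under home.lan via domain= + expand-hosts.
gen_dnsmasq_conf() {
    cat <<EOF
interface=$HOME_IF
interface=$WORK_IF
bind-interfaces
no-resolv
domain-needed
bogus-priv
server=/$WORK_DOMAIN/$WORK_DNS
server=$ISP_DNS
local=/$LOCAL_DOMAIN/
domain=$LOCAL_DOMAIN
expand-hosts
stop-dns-rebind
rebind-domain-ok=/$WORK_DOMAIN/
dhcp-range=$HOME_POOL,12h
dhcp-range=$WORK_POOL,12h
EOF
}

# FORWARD rules so only the work subnet can reach the tunnel. The firewall's
# own forwarder queries WORK_DNS through OUTPUT, so it is unaffected.
gen_forward_rules() {
    cat <<EOF
iptables -A FORWARD -i $WORK_IF -s $WORK_NET -o $VPN_IF -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $WORK_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $VPN_IF -j DROP
iptables -A FORWARD -i $VPN_IF -j DROP
EOF
}

# Policy check: which upstream the config above sends a query to.
# Prints "local", the work DNS address, or the ISP resolver. Mirrors the
# dnsmasq rule that the most specific server=/domain/ entry is used.
upstream_for() {
    case "$1" in
        *."$LOCAL_DOMAIN"|"$LOCAL_DOMAIN") echo local ;;
        *."$WORK_DOMAIN"|"$WORK_DOMAIN")   echo "$WORK_DNS" ;;
        *)                                 echo "$ISP_DNS" ;;
    esac
}

# Syntax-check the generated config with dnsmasq --test when it is
# installed; returns 0 when dnsmasq is absent so the script runs anywhere.
check_conf() {
    command -v dnsmasq >/dev/null 2>&1 || return 0
    tmp=$(mktemp) && gen_dnsmasq_conf >"$tmp" && dnsmasq --test -C "$tmp"
    rc=$?; rm -f "$tmp"; return $rc
}

echo "# --- dnsmasq.conf ---"; gen_dnsmasq_conf
echo "# --- forwarding rules ---"; gen_forward_rules
for n in mail.corp.example www.example.org printer.home.lan; do
    echo "$n -> $(upstream_for "$n")"
done
check_conf
```

Write the config to /etc/dnsmasq.conf and run the printed iptables lines (or translate them into shorewall's rules file) only after checking them; with `stop-dns-rebind`, the `rebind-domain-ok` line is what lets the private addresses of internal work servers through.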