VPN and DNS

Published on 2014-12-12

The problem

Note (TLDR)

With split-view DNS over a VPN, web browsing and everything else gets slower because every DNS lookup is slower. This is a “solution” mainly for Linux and OSX.

When connecting to a VPN, it will usually push its own DNS name servers. It does this because many, or dare I say most networks behind the VPN actually have hostnames that are “internal” and will only resolve on the internal name server. This situation is also called “split-view DNS”.

The internal name server also resolves public hostnames, but because every query has to make the VPN round-trip this is slower. In some cases, it can be much slower (for example if your company’s VPN is in the USA and you live in Europe... hint).

dnsmasq to the rescue

dnsmasq is a well-known DNS caching server, DHCP, TFTP, PXE (and recently even RA) server. You can configure it so that requests for certain domains are resolved with a specific name-server.

For example, you would want to forward all internal domains to the DNS name server that is provided by the VPN:

File: /etc/resolv.conf

nameserver 127.0.0.1

File: /etc/resolv2.conf

#Your local/ISP nameserver(s)
nameserver 192.168.0.1
nameserver 8.8.8.8

File: /etc/dnsmasq.conf

server=/private.scl3.mozilla.com/10.0.0.1
server=/private.phx1.mozilla.com/10.0.0.1

resolv-file=/etc/resolv2.conf

Note

In this example, *.scl3.mozilla.com will resolve through the name server at 10.0.0.1. A server=/domain/ip line matches that domain and every name beneath it; anything else goes to the servers listed in resolv-file.
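As an added example (not the post's own code), the Python below turns the resolver settings a VPN client pushes (a nameserver plus search domains; the sample resolv.conf is constructed) into the server=/domain/ip lines used above, and shows which upstream dnsmasq would pick for a given name: a rule matches the domain itself and everything beneath it, and the most specific rule wins.

```python
"""Build dnsmasq split-DNS rules from a VPN-pushed resolv.conf and
show which upstream a name would be forwarded to."""
import re

# Constructed sample of what a VPN client typically writes to /etc/resolv.conf.
VPN_RESOLV_CONF = """\
# Generated by VPN client (constructed sample)
nameserver 10.0.0.1
search private.scl3.mozilla.com private.phx1.mozilla.com
"""


def parse_resolv_conf(text):
    """Return (nameservers, domains); 'search'/'domain' lines carry the
    internal suffixes that must be resolved through the VPN's server."""
    nameservers, domains = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "nameserver" and len(parts) == 2:
            nameservers.append(parts[1])
        elif parts[0] in ("search", "domain"):
            domains.extend(d.lower().rstrip(".") for d in parts[1:])
    return nameservers, domains


def dnsmasq_rules(nameservers, domains):
    """One server=/domain/ip line per (internal domain, VPN nameserver)."""
    return ["server=/%s/%s" % (d, ns) for d in domains for ns in nameservers]


def upstream_for(name, rules):
    """Upstream dnsmasq would use for `name`: the longest server=/domain/
    whose domain equals the name or is a suffix of it. None means the
    query falls through to the servers in resolv-file (local/ISP)."""
    name = name.lower().rstrip(".")
    best = None  # (domain, nameserver) of the most specific match so far
    for rule in rules:
        m = re.match(r"server=/([^/]+)/(\S+)$", rule)
        if not m:
            continue
        domain, ns = m.group(1).lower().rstrip("."), m.group(2)
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, ns)
    return best[1] if best else None
```

Feed the output of dnsmasq_rules into /etc/dnsmasq.conf and keep your local/ISP servers in the resolv-file; upstream_for is just a way to sanity-check the rules before restarting dnsmasq.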

If you use openresolv (if you don’t know, you probably do...) you’ll have to instruct it to always use your local DNS cache (dnsmasq) as well so that it doesn’t override your settings.

File: /etc/resolvconf.conf

#Optional, if you use openresolv
name_servers=127.0.0.1

And off you go! Don’t forget to restart dnsmasq ;)

systemctl restart dnsmasq
# or..
/etc/init.d/dnsmasq restart