Tag Archives: openvpn

DNS Conditional Forwarding – dnsmasq

Why would I want to use Conditional Forwarding?

In my case, my local dns server has entries for local hostnames such as m2n.ion.lan, mongo.ion.lan, and tux.ion.lan. If I am using the vpn dns, then these address lookups would fail. By using Conditional Forwarding I can do all lookups locally, except for ones that match the remote top level domain (example.local). Anything that matches example.local would be forwarded to the remote dns server.

Problem:

  1. Connect to remote vpn server and use local DNS server
  2. Ping server.remote.local (remote FQDN) – fail
  3. Ping server.ion.lan (local FQDN) – success

Of course the remote ping fails because the local DNS server knows nothing about the remote domain. If I was to configure my machine to use the remote DNS server the opposite would happen. I would be able to ping server.remote.local, but a ping to server.ion.lan would fail.

Solution: Use dnsmasq with conditional forwarding to forward *.work.local requests to the remote dns server.

1. Install dnsmasq using your local package manager

2. Edit /etc/dnsmasq.conf

# Tells dnsmasq to forward anything with the domain of remote.local to dns server 10.25.11.2
server=/remote.local/10.25.11.2

# Listen to requests only coming from the local machine
listen-address=127.0.0.1

# Do not cache anything
# A decent dns server will already cache for your local network
cache-size=0

3. Edit /etc/resolv.conf

# Local LAN Domain
domain ion.lan

# local dnsmasq server
nameserver 127.0.0.1

# Your main dns server (dnsmasq will forward all requests to this server)
nameserver 10.20.1.1

4. Start dnsmasq

5. Test – ping a local server and remote server using the FQDN

All dns requests will be forwarded to 10.20.1.1 except any matching *.remote.local. server.remote.local will be forwarded to 10.25.11.2

OpenVPN Client – DNS Script

The OpenVPN server can pass DNS servers and a domain name to the client. This gives the benefit of using the remote dns servers for local hostname lookups.

Finding a good script that worked to do this provide difficult…

In server.conf add:

push "dhcp-option DOMAIN ion.lan"
push "dhcp-option DNS 10.25.11.2"

Then save this script on the client in same location as the client config

#!/bin/bash

case "$1" in
    up)
	    mv /etc/resolv.conf /etc/resolv.conf.bak

		echo "# Generated by OpenVPN Client UP Script" > /etc/resolv.conf
		for opt in ${!foreign_option_*};
		do
	        echo ${!opt} | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /etc/resolv.conf
        done
        ;;
    down)
        mv /etc/resolv.conf.bak /etc/resolv.conf
        ;;
    *)
        echo "Pass either UP or DOWN"
        ;;
esac

In the client.conf add

script-security 2

up "./vpn_dns_update.sh up"
down "./vpn_dns_update.sh down"

Now connect and check /etc/resolv.conf to see if the VPN nameserver and domain is listed.