On Thu, 1 Oct 2020 07:37:11 +0100 Mark Rogers mark@more-solutions.co.uk allegedly wrote:

> On Wed, 30 Sep 2020 at 19:33, mick mbm@rlogin.net wrote:
>
> > Why do you not want your DNS queries to go over the VPN? Surely that is /exactly/ what you /should/ want? Certainly I always do. Anything else is a leak and a potential privacy nightmare.
>
> Why would I not want all of the DNS queries which have nothing to do with my office network to go via the VPN for the sake of one or maybe two that need to go that way?
>
> Latency. And, frankly, privacy.
>
> The VPN is over a relatively slow ADSL link. If I had reason to want to keep my DNS queries private then there are far better options (including use of a VPN service that doesn't operate over a slow link to my office). There are lots of uses for a VPN, and one of them is to keep your network activities private, but another largely independent one is gaining secure access to another network, and it's the latter usage I'm employing here.
>
> But the idea that I should necessarily trust the VPN provider with my privacy is flawed anyway: if I'm accessing a customer's VPN then sending all my DNS requests via their DNS potentially exposes a lot of commercially sensitive information; for example, you could probably glean quite a lot about who my other clients are by looking at the sites I access. As far as I am concerned *nothing* unrelated to that customer should cross the VPN to their network, quite apart from the performance issues that result from it. If you consider that DNS content has any privacy implications then you surely cannot also consider that this content should be made available to any and all VPN providers you may have reason to access. (A few customers have VPNs configured such that all network traffic *must* go through the VPN once established; for those we inevitably set up a virtual machine to protect our own security and that of our other clients.)
>
> And a third issue: how does your solution work if I have reason to access two VPNs simultaneously? (Something I do quite often: accessing a customer VPN to support their systems whilst accessing my office VPN for the resources to do so, although to date I have not needed to access resources on the customer VPN by hostname so DNS hasn't been an issue.)
>
> > If you are inside your network, then the internal DNS will correctly resolve the addresses and you can reach the servers. If you are /outside/ the network, then by definition you cannot reach the internal servers unless you use the VPN, and if you are using the VPN, what is the problem with using the internal DNS?
>
> Happy to use the internal DNS, via the VPN, for queries relating *only* to domains hosted there. Is that possible with DNS? In this case I'd even accept deferring any unresolved queries to the VPN's DNS, although I'd be reluctant to do so on a general basis, and again I'm not aware of this being possible.
>
> > I'm sorry, perhaps I'm not understanding something here, but I really don't get this at all. If your colleagues are inside the office, then they use the same DNS you do; if they are outside, then they could not possibly reach the internal servers anyway (unless they too use a VPN), so what is the point of them having DNS entries on their routers (or entries on the external DNS server) pointing to the internal servers? And if they /do/ use VPNs, then again the internal DNS would resolve things correctly for them.
>
> They could be inside or outside the office, but when outside, yes, via VPN. And I have no reason to require all my colleagues' DNS queries going via the office DNS - if they want to visit bigandbusty-dot-com from their home computer while connected to the office VPN, is it really any of my employer's business?
>
> The *only* traffic that should be traversing this VPN is traffic that *needs* to traverse this VPN. That might not be the case with every VPN - plenty of VPNs exist precisely so that all traffic should go through them - but that isn't the only scenario in which VPNs are used (and it's not the scenario in which I am using one here).
I have deliberately left the entire earlier discussion above so that later readers can follow it.
As I said, "I'm sorry, perhaps I'm not understanding something here, but I really don't get this at all." Clearly I was missing something or misunderstanding your case.
It appears that I was wrong to assume that your use case as stated:
"The use case is that inside my office they resolve via local DNS, but outside the office I may connect to them via VPN. Since I don't want to redirect all my DNS queries across the VPN, the external DNS solves this problem."
was the /only/ use case. You now say that both you, and colleagues use VPNs to connect not only to the office network (which presumably you control, or otherwise trust) but customer premises, sometimes at the same time. I had also assumed that you would be using /your own/ VPN and not one provided by a third party (or worse, the customer). Again that appears not to be the case because you don't trust the VPN.
That muddies things. Worse, it can muddy routing if your customer happens to use the same internal RFC1918 addresses as you do in your office.
Sure, you should not trust a third party not to snoop your DNS queries (I care so much about that that I now actually encrypt all my DNS queries using DNS over TLS) but my assumption (given your stated use case) was that all your DNS queries could happily go over your office VPN. Not so it seems.
And whilst it is your choice I admit, personally I would be /very/ bothered if anyone connecting to my protected network were using a desktop which was also used to browse "bigandbusty-dot-com" (or any other such sites). The potential for them to be malware ridden is obvious. Don't your customers care?
Whatever, you seem to have solved your original problem with openwrt, so the discussion is now somewhat moot.
Mick
---------------------------------------------------------------------
Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
https://baldric.net/about-trivia
---------------------------------------------------------------------
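Added example, not part of the thread above: the per-domain forwarding Mark asks about ("use the internal DNS, via the VPN, for queries relating only to domains hosted there") is what dnsmasq (the resolver OpenWrt ships) calls conditional forwarding. The zone names, the 10.8.0.0/16 office range, the resolver addresses and the customer zone below are all assumed for illustration.

```conf
# dnsmasq split-DNS configuration (constructed example; assumed names/addresses):
#   office.example        - office-internal zone, only reachable over the office VPN
#   10.8.0.53             - office DNS server as seen through the office tunnel
#   10.8.0.0/16           - office LAN range (for the matching reverse zone)
#   corp.customer.example - a customer zone reached over a second, simultaneous VPN
#   192.168.50.1          - that customer's DNS server, seen through its own tunnel

# Do not pick up upstreams from /etc/resolv.conf; every upstream is named here,
# so a VPN client pushing its own resolver cannot silently capture all queries.
no-resolv

# Queries for the office zone (and its reverse zone) go to the office resolver
# across the office VPN; nothing else is sent that way.
server=/office.example/10.8.0.53
server=/8.10.in-addr.arpa/10.8.0.53

# Second VPN at the same time: only the customer's zone goes to their resolver.
# Note this only separates DNS; if the customer reuses the same RFC1918 range as
# the office, the routing clash the thread mentions still has to be solved in
# the route table, not here.
server=/corp.customer.example/192.168.50.1

# Everything unrelated goes to the usual public upstreams, never across a tunnel.
server=9.9.9.9
server=1.1.1.1

# The VPN zones legitimately return RFC1918 answers; whitelist exactly those zones
# so DNS-rebinding protection stays active for every other domain.
stop-dns-rebind
rebind-domain-ok=/office.example/corp.customer.example/

# Never forward dotless names, and answer private reverse lookups locally
# instead of leaking them upstream.
domain-needed
bogus-priv
```

Check the split with `dig @127.0.0.1 host.office.example` versus `dig @127.0.0.1 example.com` while watching the tunnel interface; only the first query should appear on it.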