On Wed, 30 Sep 2020 at 19:33, mick mbm@rlogin.net wrote:
Why do you not want your DNS queries to go over the VPN? Surely that is /exactly/ what you /should/ want? Certainly I always do. Anything else is a leak and a potential privacy nightmare.
Why would I not want all of the DNS queries which have nothing to do with my office network to go via the VPN for the sake of one or maybe two that need to go that way?
Latency. And, frankly, privacy.
The VPN is over a relatively slow ADSL link. If I had reason to want to keep my DNS queries private then there are far better options (including use of a VPN service that doesn't operate over a slow link to my office). There are lots of uses for a VPN, and one of them is to keep your network activities private but another largely independent one is gaining secure access to another network, and it's the latter usage I'm employing here.
But the idea that I should necessarily trust the VPN provider with my privacy is flawed anyway: if I'm accessing a customer's VPN then sending all my DNS requests via their DNS potentially exposes a lot of commercially sensitive information; for example, you could probably glean quite a lot about who my other clients are by looking at the sites I access. As far as I am concerned *nothing* unrelated to that customer should cross the VPN to their network, quite apart from the performance issues that result from it. If you consider that DNS content has any privacy implications then you surely cannot also consider that this content should be made available to any and all VPN providers you may have reason to access. (A few customers have VPNs configured such that all network traffic *must* go through the VPN once established; for those we inevitably set up a virtual machine to protect our own security and that of our other clients.)
And a third issue: how does your solution work if I have reason to access two VPNs simultaneously? (Something I do quite often: accessing a customer VPN to support their systems whilst accessing my office VPN for the resources to do so, although to date I have not needed to access resources on the customer VPN by hostname so DNS hasn't been an issue.)
If you are inside your network, then the internal DNS will correctly resolve the addresses and you can reach the servers. If you are /outside/ the network, then by definition you cannot reach the internal servers unless you use the VPN, and if you are using the VPN, what is the problem with using the internal DNS?
Happy to use the internal DNS, via the VPN, for queries relating *only* to domains hosted there. Is that possible with DNS? In this case I'd even accept deferring any unresolved queries to the VPN's DNS, although I'd be reluctant to do so on a general basis and again I'm not aware of this being possible.
I'm sorry, perhaps I'm not understanding something here, but I really don't get this at all. If your colleagues are inside the office, then they use the same DNS you do; if they are outside, then they could not possibly reach the internal servers anyway (unless they too use a VPN), so what is the point of them having DNS entries on their routers (or entries on the external DNS server) pointing to the internal servers? And if they /do/ use VPNs, then again the internal DNS would resolve things correctly for them.
They could be inside or outside the office, but when outside, yes, via VPN. And I have no reason to require all my colleagues' DNS queries going via the office DNS - if they want to visit bigandbusty-dot-com from their home computer while connected to the office VPN, is it really any of my employer's business?
The *only* traffic that should be traversing this VPN is traffic that *needs* to traverse this VPN. That might not be the case with every VPN - plenty of VPNs exist precisely so that all traffic should go through them - but that isn't the only scenario in which VPNs are used (and it's not the scenario in which I am using one here).
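The per-domain routing asked about above (send only queries for the domains hosted behind a VPN to that VPN's resolver, everything else to the normal resolver, and cope with two VPNs at once) is what "split DNS" or "DNS routing domains" does in stub resolvers such as systemd-resolved and dnsmasq. The following is an added example, not code from anyone in this thread: it implements the longest-suffix routing decision those resolvers make, and emits the equivalent dnsmasq `server=/domain/ip` lines and `resolvectl dns` / `resolvectl domain` commands. The domain names, tunnel interface names and resolver addresses are hypothetical, as is the `example_routes()` table.

```python
"""Split DNS routing: only queries under a VPN's own domains go to that
VPN's resolver; everything else stays on the default resolver.

Added example for the thread above, not from the original post.
All names, interfaces and addresses below are made up.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class DnsRoute:
    domain: str    # routing domain, e.g. "office.example"
    resolver: str  # nameserver reachable only across that VPN
    iface: str     # tunnel interface the VPN client created


def _norm(name: str) -> str:
    """Lower-case and strip the trailing dot so 'A.Example.' == 'a.example'."""
    return name.rstrip(".").lower()


def example_routes() -> List[DnsRoute]:
    """Hypothetical table: an office VPN and a customer VPN up at the same time."""
    return [
        DnsRoute("office.example", "10.8.0.1", "tun0"),
        DnsRoute("customer.example", "172.16.0.2", "tun1"),
    ]


def select_resolver(qname: str, routes: List[DnsRoute],
                    default_resolver: str) -> Tuple[str, str]:
    """Pick the resolver for one query name.

    Longest-suffix match on label boundaries: 'host.office.example' matches
    'office.example', but 'notoffice.example' does not. The most specific
    routing domain wins when several VPNs are active. Names that match no
    routing domain go to the default resolver and never touch a tunnel.
    Returns (resolver_address, interface_name).
    """
    q = _norm(qname)
    best = None
    for route in routes:
        d = _norm(route.domain)
        if q == d or q.endswith("." + d):
            if best is None or len(d) > len(_norm(best.domain)):
                best = route
    if best is not None:
        return best.resolver, best.iface
    return default_resolver, "default"


def dnsmasq_config(routes: List[DnsRoute], default_resolver: str) -> str:
    """dnsmasq equivalent: a plain server= line for the default upstream plus
    one server=/domain/ip line per VPN domain (dnsmasq does the same
    longest-suffix routing internally)."""
    lines = [f"server={default_resolver}"]
    for route in routes:
        lines.append(f"server=/{_norm(route.domain)}/{route.resolver}")
    return "\n".join(lines)


def resolvectl_commands(routes: List[DnsRoute]) -> List[str]:
    """systemd-resolved equivalent: bind the VPN resolver to the tunnel
    interface and give that interface a routing-only domain ('~domain'),
    so only queries under it are sent there. The interface carrying the
    default route keeps everything else."""
    cmds = []
    for route in routes:
        cmds.append(f"resolvectl dns {route.iface} {route.resolver}")
        cmds.append(f"resolvectl domain {route.iface} ~{_norm(route.domain)}")
    return cmds


if __name__ == "__main__":
    routes = example_routes()
    for name in ("files.office.example", "db.customer.example",
                 "www.example.net", "notoffice.example"):
        print(name, "->", select_resolver(name, routes, "192.0.2.53"))
    print(dnsmasq_config(routes, "192.0.2.53"))
    print("\n".join(resolvectl_commands(routes)))
```

With routing-only domains (`~office.example` rather than `office.example`) systemd-resolved uses the entry purely for deciding where a query goes, not as a search suffix, so a single-label lookup still is not expanded against the customer's domain. Note that a VPN client that installs `~.` on its tunnel, the "all traffic must go through the VPN" case mentioned above, claims every query for itself, which is precisely the behaviour this arrangement avoids.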