[PATCH] write CISCO_SPLIT_INC in order

Corey Hickey bugfood-ml at fatooh.org
Tue Aug 1 09:27:56 PDT 2017


On 2017-07-24 11:22, Corey Hickey wrote:
> On 2017-07-21 19:57, Kevin Cernekee wrote:
>>> https://github.com/bugfood/vpnc-scripts/commit/19b0357349f3cede6d93245d8373be4ef7239866
>>
>> This patch seems to treat "split DNS domains" as a synonym for
>> "default DNS search domains."  I am not sure if this is the right
>> thing to do.  Split tunneling is intended to let you send traffic and
>> DNS lookups intended for (say) internal corporate hosts over the VPN,
>> while sending all other traffic and DNS lookups to the public
>> internet.
>>
>> In particular, you probably would not want to use split DNS in
>> conjunction with full tunnel routing.
> 
> If CISCO_SPLIT_DNS is not the right environment variable for this, then
> is there a better one? Or should I provide a new one?
> 
> My perspective in this is only from the client side. I don't have
> experience administrating VPN hardware, so my knowledge of their
> capabilities comes from documentation I can find and questions I can
> ask. I found a nice diagram of split DNS:
> 
> http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/htspldns.html#wp1555066
> 
> Ironically, I just learned that is the term for what I've been doing on
> my home network for years, so I understand the nuances a bit better now.
> 
> I can see the utility in being able to have separate lists:
> * one list of default search domains
> * one list of domains to be sent to the VPN's DNS servers
> 
> For example, the various .in-addr.arpa domains of a private network
> would make sense to be included in split DNS but would have no reason to
> be in the search list.
> 
> Right now, I'm trying to improve support for GlobalProtect (Daniel's
> fork). I don't know if the GlobalProtect gateway can provide a list of
> split-DNS domains; currently, it gives me a list like:
> 
> <dns-suffix>
>       <member>example.com</member>
>       <member>example.org</member>
>       <member>example.net</member>
> </dns-suffix>
> 
> 
> I've asked our VPN administrator to see if GlobalProtect has any concept
> of split DNS. Meanwhile, though, I want to make DNS search work for
> GlobalProtect without breaking anything else. Under previous VPN setups,
> I've seen vpnc-script get multiple domains as a space-separated list,
> but I got the impression this worked by accident rather than by design.
> 
> $ grep CISCO_DEF_DOMAIN vpnc-script | head -n 1
> #* CISCO_DEF_DOMAIN             -- default domain name
> 
> Please let me know if you have guidance on how best to proceed.

Sorry to pester, but have any of you had a chance to look at this?

Thanks,
Corey
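The two lists Corey distinguishes (a default search list versus the domains routed to the VPN's resolver, including the reverse zones of the split-include networks), as an added example that is not from this thread or from vpnc-scripts. It assumes GlobalProtect's `<dns-suffix>` block as quoted above and the split-include prefixes in the (address, mask length) shape vpnc-script receives as CISCO_SPLIT_INC_n_ADDR / CISCO_SPLIT_INC_n_MASKLEN; the sample XML and prefixes are constructed.

```python
# Added example (not vpnc-scripts code): split a GlobalProtect <dns-suffix>
# block into a search list and a split-DNS list. Sample input is constructed.
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_DNS_SUFFIX = """<dns-suffix>
      <member>example.com</member>
      <member>example.org</member>
      <member>example.net</member>
</dns-suffix>"""

# Constructed split-include routes, in the (ADDR, MASKLEN) form vpnc-script
# exposes them as CISCO_SPLIT_INC_n_ADDR / CISCO_SPLIT_INC_n_MASKLEN.
SAMPLE_SPLIT_INC = [("10.0.0.0", 8), ("192.168.4.0", 22)]


def search_domains(dns_suffix_xml):
    """Default search list: the <member> values, to be joined with spaces
    the way vpnc-script has accepted CISCO_DEF_DOMAIN."""
    root = ET.fromstring(dns_suffix_xml)
    return [m.text.strip() for m in root.findall("member") if m.text]


def reverse_zones(addr, masklen):
    """in-addr.arpa zones covering an IPv4 prefix. Prefixes that are not
    octet-aligned are expanded to the /8, /16 or /24 zones they contain;
    prefixes longer than /24 collapse to their enclosing /24 zone."""
    zone_len = min(24, ((masklen + 7) // 8) * 8)  # round up to an octet
    net = ipaddress.ip_network(f"{addr}/{min(masklen, zone_len)}", strict=False)
    zones = []
    for sub in net.subnets(new_prefix=zone_len):
        octets = str(sub.network_address).split(".")[: zone_len // 8]
        zones.append(".".join([*reversed(octets), "in-addr.arpa"]))
    return zones


def split_dns_domains(dns_suffix_xml, split_inc):
    """Domains whose lookups go to the VPN resolver: the suffixes plus the
    reverse zones of the split-include networks (which belong here but have
    no place in the search list)."""
    domains = list(search_domains(dns_suffix_xml))
    for addr, masklen in split_inc:
        domains.extend(reverse_zones(addr, masklen))
    return domains


if __name__ == "__main__":
    print("CISCO_DEF_DOMAIN=" + " ".join(search_domains(SAMPLE_DNS_SUFFIX)))
    print("split DNS: " + " ".join(split_dns_domains(SAMPLE_DNS_SUFFIX, SAMPLE_SPLIT_INC)))
```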


