[PATCH] write CISCO_SPLIT_INC in order
bugfood-ml at fatooh.org
Tue Aug 1 09:27:56 PDT 2017
On 2017-07-24 11:22, Corey Hickey wrote:
> On 2017-07-21 19:57, Kevin Cernekee wrote:
>> This patch seems to treat "split DNS domains" as a synonym for
>> "default DNS search domains." I am not sure if this is the right
>> thing to do. Split tunneling is intended to let you send traffic and
>> DNS lookups intended for (say) internal corporate hosts over the VPN,
>> while sending all other traffic and DNS lookups to the public
>> In particular, you probably would not want to use split DNS in
>> conjunction with full tunnel routing.
> If CISCO_SPLIT_DNS is not the right environment variable for this, then
> is there a better one? Or should I provide a new one?
> My perspective in this is only from the client side. I don't have
> experience administrating VPN hardware, so my knowledge of their
> capabilities comes from documentation I can find and questions I can
> ask. I found a nice diagram of split DNS:
> Ironically, I just learned that is the term for what I've been doing on
> my home network for years, so I understand the nuances a bit better now.
> I can see the utility in being able to have separate lists:
> * one list of default search domains
> * one list of domains to be sent to the VPN's DNS servers
> For example, the various .in-addr.arpa domains of a private network
> would make sense to be included in split DNS but would have no reason to
> be in the search list.
> Right now, I'm trying to improve support for GlobalProtect (Daniel's
> fork). I don't know if the GlobalProtect gateway can provide a list of
> split-DNS domains; currently, it gives me a list like:
> I've asked our VPN administrator to see if GlobalProtect has any concept
> of split DNS. Meanwhile, though, I want to make DNS search work for
> GlobalProtect without breaking anything else. Under previous VPN setups,
> I've seen vpnc-script get multiple domains as a space-separated list,
> but I got the impression this worked by accident rather than by design.
> $ grep CISCO_DEF_DOMAIN vpnc-script | head -n 1
> #* CISCO_DEF_DOMAIN -- default domain name
> Please let me know if you have guidance on how best to proceed.
Sorry to pester, but have any of you had a chance to look at this?