[PATCH] write CISCO_SPLIT_INC in order
Corey Hickey
bugfood-ml at fatooh.org
Mon Jul 24 11:22:40 PDT 2017
On 2017-07-21 19:57, Kevin Cernekee wrote:
>> https://github.com/bugfood/vpnc-scripts/commit/19b0357349f3cede6d93245d8373be4ef7239866
>
> This patch seems to treat "split DNS domains" as a synonym for
> "default DNS search domains." I am not sure if this is the right
> thing to do. Split tunneling is intended to let you send traffic and
> DNS lookups intended for (say) internal corporate hosts over the VPN,
> while sending all other traffic and DNS lookups to the public
> internet.
>
> In particular, you probably would not want to use split DNS in
> conjunction with full tunnel routing.
If CISCO_SPLIT_DNS is not the right environment variable for this, then
is there a better one? Or should I provide a new one?
My perspective on this is only from the client side. I don't have
experience administering VPN hardware, so my knowledge of their
capabilities comes from documentation I can find and questions I can
ask. I found a nice diagram of split DNS:
http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/htspldns.html#wp1555066
Ironically, I just learned that is the term for what I've been doing on
my home network for years, so I understand the nuances a bit better now.
I can see the utility in being able to have separate lists:
* one list of default search domains
* one list of domains to be sent to the VPN's DNS servers
For example, the various .in-addr.arpa domains of a private network
would make sense to be included in split DNS but would have no reason to
be in the search list.
Right now, I'm trying to improve support for GlobalProtect (Daniel's
fork). I don't know if the GlobalProtect gateway can provide a list of
split-DNS domains; currently, it gives me a list like:
<dns-suffix>
<member>example.com</member>
<member>example.org</member>
<member>example.net</member>
</dns-suffix>
I've asked our VPN administrator to see if GlobalProtect has any concept
of split DNS. Meanwhile, though, I want to make DNS search work for
GlobalProtect without breaking anything else. Under previous VPN setups,
I've seen vpnc-script get multiple domains as a space-separated list,
but I got the impression this worked by accident rather than by design.
$ grep CISCO_DEF_DOMAIN vpnc-script | head -n 1
#* CISCO_DEF_DOMAIN -- default domain name
Please let me know if you have guidance on how best to proceed.
Thanks,
Corey
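As an added illustration (not code from this thread, from vpnc-script or from OpenConnect), the following Python script parses a constructed GlobalProtect-style <dns-suffix> reply and maps it onto the two separate lists discussed above: search domains go into CISCO_DEF_DOMAIN (space separated, as the mail reports vpnc-script accepting), while CISCO_SPLIT_DNS is only populated from an explicitly supplied split-DNS list; the comma separator for CISCO_SPLIT_DNS and the name-validation rule are assumptions made here.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the GlobalProtect <dns-suffix> reply quoted in
# the thread, with a reverse zone added to show the split/search distinction.
SAMPLE_XML = """<dns-suffix>
<member>example.com</member>
<member>example.org</member>
<member>example.net</member>
<member>10.in-addr.arpa</member>
</dns-suffix>"""

# Each member must look like a DNS name: the values end up in environment
# variables read by a shell script, so anything else from the gateway is rejected.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")

def parse_dns_suffix(xml_text):
    """Return the <member> names of a <dns-suffix> element, validated and deduplicated."""
    root = ET.fromstring(xml_text)
    if root.tag != "dns-suffix":
        raise ValueError("expected <dns-suffix>, got <%s>" % root.tag)
    names = []
    for member in root.findall("member"):
        name = (member.text or "").strip().lower()
        if not name or len(name) > 253 or not _DOMAIN_RE.match(name):
            raise ValueError("invalid domain from gateway: %r" % name)
        name = name.rstrip(".")
        if name not in names:
            names.append(name)
    return names

def is_reverse_zone(domain):
    """Reverse zones belong in split DNS but are useless as search domains."""
    return (domain == "in-addr.arpa" or domain.endswith(".in-addr.arpa")
            or domain == "ip6.arpa" or domain.endswith(".ip6.arpa"))

def build_env(suffixes, split_dns=None):
    """Map the two lists onto vpnc-script variables without conflating them.

    CISCO_DEF_DOMAIN carries the search list (space separated); CISCO_SPLIT_DNS
    is set only when a split-DNS list was actually supplied (assumed to be
    comma separated here).
    """
    env = {}
    search = [d for d in suffixes if not is_reverse_zone(d)]
    if search:
        env["CISCO_DEF_DOMAIN"] = " ".join(search)
    if split_dns:
        env["CISCO_SPLIT_DNS"] = ",".join(dict.fromkeys(split_dns))
    return env
```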