At 12:04 PM -0400 9/28/07, Joe Abley wrote:
> On 28-Sep-2007, at 1136, Paul Hoffman wrote:
>
> > It is not "obvious", at least to some of the people I have spoken
> > with. It is also not obvious to VPN vendors; otherwise, they would
> > have easy-to-use settings to make it happen.
>
> I'm surprised by that comment.
>
> I think it's a common use case that organisations who deploy VPNs
> have split DNS; that is, namespaces available through internal
> network resolvers that do not appear in the global namespace. In my
> experience, it is normal for:
>
> - VPN client software to use IP addresses rather than names to
>   establish a secure tunnel with the home network
>
> - Local resolver settings on the VPN client's machine to be
>   re-written to use internal home network nameservers while the VPN
>   session is active

That's completely true for remote users who are already using a VPN.
In that case, there is no reason for the organization to have a
recursive resolver facing outwards.

What was being discussed was setting up a VPN just for getting DNS
resolution, not for access to other internal resources. IPsec can be
used to create a tunnel to just a single resource if the organization
wants the external user to access that resource only.

--Paul Hoffman, Director
--VPN Consortium