On 28-Sep-2007, at 1136, Paul Hoffman wrote:
> It is not "obvious", at least to some of the people I have spoken > with. It is also not obvious to VPN vendors; otherwise, they would > have easy-to-use settings to make it happen.
I'm surprised by that comment.
I'm not. As it happens I've used three different VPN services in the past few years and I will soon be forced to switch to a fourth. In each case the IT folks managed to jury-rig things so that DNS queries got redirected, but I've been told in some cases it required quite a bit of effort. And it is also my understanding that requiring this significantly limited our our options in choosing VPN solutions.
I think it's a common use case that organisations who deploy VPNs have split DNS; that is, namespaces available through internal network resolvers that do not appear in the global namespace.
Yes, we have this in spades at Sun. Can't say it works all that well, but this is really a separate issue.
In my experience, it is normal for:
- VPN client software to use IP addresses rather than names to establish a secure tunnel with the home network
I'm sure this is done, but I think it is more common to use DNS entries. You have to validate the server's certificate or whatever anyway, so all direct use of IP address does is limit certain denial of service attacks but at the cost of a significant loss in flexibility.
- Local resolver settings on the VPN client's machine to be re- written to use internal home network nameservers while the VPN session is active
Yeah, that's what the client ends up doing. I don't know the specifics of how this has been implemented in the various clients I've had to use, but it has tended to be quite fragile - on numerous occasions things have failed in such a way that my DNS settings were completely trashed and I had to go in and reset them manually. I eventually wrote a little script I can run to force things back to where they're supposed to be with a single command. Perhaps if this the need for this were called out more specifically more attention would be paid to making this work well.
This is certainly how the cisco VPN client supplied to me by my employer (and the subsequent versions I've downloaded directly from cisco) work, for example. I was under the impression that cisco had fairly significant market share in this area.
Since I don't really know who or what's responsible for the many problems I've seen with this I'm not going to provide specifics regarding the clients I've used. However, I will say that I think you've had a fair bit of luck here.
This is not to say that the topic doesn't deserve mention in the draft at hand. However, your logic in the last sentence above seems suspect to me.
FWIW, I am in full support of Paul and John's position here. Ned _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf