On 2017-07-24 11:22, Corey Hickey wrote:
> On 2017-07-21 19:57, Kevin Cernekee wrote:
>>> https://github.com/bugfood/vpnc-scripts/commit/19b0357349f3cede6d93245d8373be4ef7239866
>>
>> This patch seems to treat "split DNS domains" as a synonym for
>> "default DNS search domains." I am not sure if this is the right
>> thing to do. Split tunneling is intended to let you send traffic and
>> DNS lookups intended for (say) internal corporate hosts over the VPN,
>> while sending all other traffic and DNS lookups to the public
>> internet.
>>
>> In particular, you probably would not want to use split DNS in
>> conjunction with full tunnel routing.
>
> If CISCO_SPLIT_DNS is not the right environment variable for this, then
> is there a better one? Or should I provide a new one?
>
> My perspective in this is only from the client side. I don't have
> experience administrating VPN hardware, so my knowledge of their
> capabilities comes from documentation I can find and questions I can
> ask. I found a nice diagram of split DNS:
>
> http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/htspldns.html#wp1555066
>
> Ironically, I just learned that is the term for what I've been doing on
> my home network for years, so I understand the nuances a bit better now.
>
> I can see the utility in being able to have separate lists:
> * one list of default search domains
> * one list of domains to be sent to the VPN's DNS servers
>
> For example, the various .in-addr.arpa domains of a private network
> would make sense to be included in split DNS but would have no reason to
> be in the search list.
>
> Right now, I'm trying to improve support for GlobalProtect (Daniel's
> fork). I don't know if the GlobalProtect gateway can provide a list of
> split-DNS domains; currently, it gives me a list like:
>
> <dns-suffix>
> <member>example.com</member>
> <member>example.org</member>
> <member>example.net</member>
> </dns-suffix>
>
> I've asked our VPN administrator to see if GlobalProtect has any concept
> of split DNS. Meanwhile, though, I want to make DNS search work for
> GlobalProtect without breaking anything else. Under previous VPN setups,
> I've seen vpnc-script get multiple domains as a space-separated list,
> but I got the impression this worked by accident rather than by design.
>
> $ grep CISCO_DEF_DOMAIN vpnc-script | head -n 1
> #* CISCO_DEF_DOMAIN -- default domain name
>
> Please let me know if you have guidance on how best to proceed.

Sorry to pester, but have any of you had a chance to look at this?

Thanks,
Corey
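The distinction drawn in the thread, a default search list versus a split-DNS list, with reverse zones belonging only to the latter, can be made concrete in a small vpnc-script-style hook. The following POSIX sh is an added example, not code from vpnc-scripts, the GlobalProtect fork or anyone in the thread. It assumes the `<dns-suffix>` block is available on stdin in the shape quoted above (the sample is constructed from that quote), that multiple CISCO_DEF_DOMAIN values are passed space-separated as Corey observed, and it picks a comma-separated format for the split-DNS list as an assumption about the consumer's convention; the reverse zone and nameserver address are constructed placeholders.

```shell
#!/bin/sh
# Added example (not vpnc-scripts code): keep the default search list and the
# split-DNS list separate when building resolver configuration from VPN data.

# Constructed sample of the <dns-suffix> block a GlobalProtect gateway
# returns, modelled on the one quoted in the thread.
SAMPLE_DNS_SUFFIX='<dns-suffix>
<member>example.com</member>
<member>example.org</member>
<member>example.net</member>
</dns-suffix>'

# Extract <member> values from a <dns-suffix> block on stdin, one per line.
dns_suffix_members() {
    sed -n 's/.*<member>\([^<]*\)<\/member>.*/\1/p'
}

# Join stdin lines into one space-separated word list (the form in which
# vpnc-script has been observed to receive multiple CISCO_DEF_DOMAIN values).
join_words() {
    tr '\n' ' ' | sed 's/ *$//'
}

# Search list: only forward domains belong here. Reverse zones
# (*.in-addr.arpa, *.ip6.arpa) are never useful as search suffixes,
# so they are dropped even if the caller passes them in.
search_domains() {
    out=""
    for d in $1; do
        case "$d" in
            *.in-addr.arpa|*.ip6.arpa) ;;
            *) out="${out:+$out }$d" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Split-DNS list: every domain whose lookups must go to the VPN resolver,
# forward and reverse, deduplicated. Comma-separated output is an assumed
# convention for the consumer, not something vpnc-script mandates.
split_domains() {
    out=""
    for d in $1 $2; do
        case ",$out," in
            *",$d,"*) ;;
            *) out="${out:+$out,}$d" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Emit resolv.conf-style lines: the search list plus the VPN nameservers.
resolv_conf_lines() {
    printf 'search %s\n' "$1"
    for ns in $2; do
        printf 'nameserver %s\n' "$ns"
    done
}

# Demonstration: forward suffixes parsed from the gateway block, plus a
# constructed reverse zone for a private 10.0.0.0/8 network and a
# constructed VPN resolver address.
CISCO_DEF_DOMAIN=$(printf '%s\n' "$SAMPLE_DNS_SUFFIX" | dns_suffix_members | join_words)
REVERSE_ZONES="10.in-addr.arpa"
VPN_NAMESERVERS="10.0.0.53"
echo "search list:    $(search_domains "$CISCO_DEF_DOMAIN $REVERSE_ZONES")"
echo "split-DNS list: $(split_domains "$CISCO_DEF_DOMAIN" "$REVERSE_ZONES")"
resolv_conf_lines "$(search_domains "$CISCO_DEF_DOMAIN")" "$VPN_NAMESERVERS"
```

Running it prints a search list containing only the three forward suffixes, a split-DNS list that additionally carries 10.in-addr.arpa, and the resolv.conf lines; the reverse zone is filtered out of the search list even when it is passed in, which is exactly the separation the thread argues for.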