Slashdot: News for Nerds


Dealing With ISPs That Use NXDomain Redirection?

timothy posted more than 5 years ago | from the looking-at-you-charter dept.

The Internet 264

Vrtigo1 writes "I work for a small company that has about 50 staff on the road relying on VPN back to our office at any given time. Many ISPs have implemented NXDomain redirection services that hijack DNS traffic to show you sponsored links and other related ads when you mistype a domain name. These services are incompatible with most VPN software, since they prevent the computer from resolving internal hostnames. Large ISPs typically provide an opt-out on their sponsored links page that immediately opts you out of the DNS redirection, but I've noticed that some smaller ISPs and CLECs have opt-out links that don't actually appear to do anything. I don't have a good solution for employees using these ISPs, and our employees are getting frustrated because the problem is becoming more prevalent and we can't fix it for them. I've tried calling a few of these smaller ISPs for help, but it's been like talking to a wall. Manually changing DNS servers works temporarily, but the user can't resolve internal hostnames when they connect to the office LAN again. Have you had to deal with ISPs using non-standard DNS servers? What is your solution?"
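The submitter mentions opt-out links that "don't actually appear to do anything". The direct way to tell whether a resolver is still rewriting NXDOMAIN is to ask it for a name that cannot exist and see whether it returns an address instead of RCODE 3. The Python below is an added example for this page, not code from the Slashdot thread or from any ISP: it builds an A query in DNS wire format, parses the reply (including name compression), and classifies it as an honest NXDOMAIN or a hijack. `build_response()` only exists to fabricate sample packets so the example runs offline; the probe name under the reserved `.invalid` TLD and the addresses used are constructed placeholders.

```python
import random
import socket
import struct
from typing import Dict, List, Optional, Tuple

NOERROR = 0
NXDOMAIN = 3


def build_query(name: str, qid: Optional[int] = None) -> bytes:
    """Standard recursive A/IN query for `name` in RFC 1035 wire format."""
    if qid is None:
        qid = random.getrandbits(16)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name at `offset`; return (name, offset just past it)."""
    labels: List[str] = []
    end = offset
    jumped = False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg: bytes) -> Dict[str, object]:
    """Return the ID, RCODE and every A record found in the answer section."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):          # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4                   # QTYPE + QCLASS
    addresses: List[str] = []
    for _ in range(ancount):
        _, offset = read_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:
            addresses.append(socket.inet_ntoa(rdata))
    return {"id": qid, "rcode": flags & 0x000F, "addresses": addresses}


def classify(response: bytes) -> str:
    """Label the reply to a query for a name that must not exist."""
    parsed = parse_response(response)
    if parsed["rcode"] == NXDOMAIN and not parsed["addresses"]:
        return "honest-nxdomain"
    if parsed["rcode"] == NOERROR and parsed["addresses"]:
        return "hijacked"             # an address for a non-existent name: redirection
    return "unexpected"


def build_response(query: bytes, rcode: int, addresses: List[str]) -> bytes:
    """Fabricate a reply to `query` (only used here to construct offline samples)."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(addresses), 0, 0)
    answers = b""
    for addr in addresses:
        # name = pointer to the question name at offset 12; type A, class IN, TTL 60
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)
    return header + query[12:] + answers


def probe(resolver_ip: str, timeout: float = 2.0) -> str:
    """Live check: query a random label under .invalid and classify the reply."""
    name = "nx-%08x.example.invalid" % random.getrandbits(32)   # constructed probe name
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    return classify(data)


if __name__ == "__main__":
    sample = build_query("fileserver.corp.example", qid=0x1234)
    print(classify(build_response(sample, NXDOMAIN, [])))            # honest-nxdomain
    print(classify(build_response(sample, NOERROR, ["192.0.2.10"])))  # hijacked
```

Running `probe()` against each resolver listed by `ipconfig /all` (or `/etc/resolv.conf`) shows which one is rewriting NXDOMAIN; repeat it after using an ISP's opt-out page to confirm the opt-out took effect rather than trusting the link.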


264 comments

A Good Old Fashioned Holocaust (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#27941173)

I find that when I come in contact with Jews like the ISPs you describe the best thing to do is build yourself a good old fashioned gas chamber.

Nothing like some WW2 era "Justice Gas" to put Jews in their place.

Re:A Good Old Fashioned Holocaust (0)

Anonymous Coward | more than 5 years ago | (#27941815)

When everybody dies in 2012 at least I'll be happy assholes like you will be dying too.

Re:A Good Old Fashioned Holocaust (0)

Anonymous Coward | more than 5 years ago | (#27942309)

Why, what happens in 2012?

This is an easy one. (4, Insightful)

snarfies (115214) | more than 5 years ago | (#27941189)

If the small local ISP is screwing up, and refuses to respond in any useful way despite your best repeated efforts, it sounds like it's time to take your business elsewhere, maybe to one of those large ISPs you mentioned. And make sure you tell them WHY. Who knows, maybe the threat alone will be enough to get them to make a sudden change in policy for you, with a month or two of free service to boot.

Re:This is an easy one. (4, Insightful)

internerdj (1319281) | more than 5 years ago | (#27941299)

This guy sounds like a manager or IT worker who is having problems with his employees connecting to the work VPN. He isn't the one paying the bill (directly at least), so he doesn't even have the clout of a paying customer...

could someone explain what the issue is here? (5, Informative)

goombah99 (560566) | more than 5 years ago | (#27942029)

This guy sounds like a manager or IT worker who is having problems with his employees connecting to the work VPN.

it sounds more like he has not stated the problem correctly.

How is it possible that a VPN connection is doing DNS to an external name server? Should not every internet request flow over the VPN from the client to the server? Once it reaches the internal VPN server, the server should know how to route the internal addresses, and for external addresses it could use an external domain name server. The problem described seems like it should not exist. What am I missing?

Re:could someone explain what the issue is here? (1)

cayenne8 (626475) | more than 5 years ago | (#27942247)

"how is it possible that a VPN connection is doing DNS to an external name server? Should not every internet request flow over the vpn from the client to the server. once it reaches the internal vpn server the server should know how to route the internal addresses and for external addresses it could use an external domain name server. the problem described seems like it should not exist. what am I missing?"

Thank you, that is what confused the hell out of me too when I read it.

When I VPN somewhere...I don't see the outside world directly from my box anymore...all is redirected to the internal site/servers I am vpn'ing into. I kinda assumed that was the point and practice with vpn software...?

Re:could someone explain what the issue is here? (4, Insightful)

omnichad (1198475) | more than 5 years ago | (#27942249)

Unless it's set to send ALL traffic over the VPN, you have to resolve the hostname in order to decide if the DNS name is on the VPN or on the Internet.

Even if all traffic goes down the VPN wire, it's probably making those requests to the same DNS servers OVER the VPN. But since it's still the same DNS servers, it still gets the same results.

The IT guy would have to intercept all DNS requests over the VPN and proxy them to his own DNS server. That's not a bad answer. Too bad I'm buried in the middle of this thread.

Re:could someone explain what the issue is here? (1)

hal9000(jr) (316943) | more than 5 years ago | (#27942513)

Luckily, it isn't that busy a thread.

The IT guy would have to intercept all DNS requests over the VPN and proxy them to his own DNS server. That's not a bad answer. Too bad I'm buried in the middle of this thread.

You're right. If the VPN is set up to send all traffic over the tunnel, then the host *should* resolve using the company DNS servers. If the VPN is set up for split tunneling, then the DNS will go to the ISP DNS. However, few VPN clients have the option to capture all DNS requests.

The solution is to put your internal server records in your public DNS or modify the hosts file.

Re:could someone explain what the issue is here? (2, Insightful)

omnichad (1198475) | more than 5 years ago | (#27942655)

Putting your internal server records in public DNS is a security risk, since it exposes details of the internal network layout. I guess the best answer is to use any reliable DNS server out on the Internet that *doesn't* mangle its results. 4.2.2.1 or another major ISP's DNS servers.

Re:could someone explain what the issue is here? (1)

TooMuchToDo (882796) | more than 5 years ago | (#27942753)

There was a thread on NANOG a day or two ago talking about Level3 starting to ACL 4.2.2.1 off from the world except for downstream transit customers. I would recommend against using that DNS server, and look at someone like OpenDNS.

Re:could someone explain what the issue is here? (3, Informative)

omnichad (1198475) | more than 5 years ago | (#27942787)

OpenDNS has NXDOMAIN redirects too. You'd have to work only from static IP addresses that are configured with an OpenDNS Account.

Re:could someone explain what the issue is here? (1)

TooMuchToDo (882796) | more than 5 years ago | (#27942939)

Most home users have static or static-like (Comcast, for example, ties the DHCP IP to your MAC address) addresses. Other option is to run your own recursive server on the company network and provide that DNS IP to your users.

Re:could someone explain what the issue is here? (1)

mr_mischief (456295) | more than 5 years ago | (#27942303)

Some VPNs only route traffic meant for certain destinations through the VPN as one network interface and allow traffic to the public Internet to use the actual established connection. Further, it sounds as if he's placing DNS servers for the VPN-connected network in the adapter configuration in addition to any DNS servers that were assigned by DHCP or PPPoE from the ISP.

This setup will work if the client machine sees failures from the ISP's DNS then checks the VPN's configured DNS, but it will still always create traffic to the ISP's DNS. If the ISP redirects all unknown domains, then it won't work because the client will have received a valid IP address from the DNS query.

What needs to be done is for the VPN's DNS to be the only DNS the client machine uses whenever it is connected to the VPN, even if the other traffic meant for the public Internet isn't tunneled through the VPN.

Re:could someone explain what the issue is here? (4, Insightful)

pthisis (27352) | more than 5 years ago | (#27942667)

Some VPNs only route traffic meant for certain destinations through the VPN as one network interface and allow traffic to the public Internet use the actual established connection.

They should be checking the internal DNS servers first (which should not promulgate requests up to public servers), and then the public servers.

Doing it in the other order sends internal information (server names) over the public network.

Re:This is an easy one. (0)

Anonymous Coward | more than 5 years ago | (#27941453)

If the small local ISP is screwing up, and refuses to respond in any useful way despite your best repeated efforts, it sounds like it's time to take your business elsewhere, maybe to one of those large ISPs you mentioned. And make sure you tell them WHY. Who knows, maybe the threat alone will be enough to get them to make a sudden change in policy for you, with a month or two of free service to boot.

Congrats on being clueless. The ISP is not going to process internal DNS requests. This is simply a question missing information or a mis-configured VPN.

Re:This is an easy one. (1)

Z00L00K (682162) | more than 5 years ago | (#27941541)

Good luck in finding an ISP that doesn't screw up the DNS in some way.

Re:This is an easy one. (5, Insightful)

TheLink (130905) | more than 5 years ago | (#27941669)

Actually, the VPN config is insecure (screwed up?) - when you are using the VPN the DNS requests should be going through the VPN tunnel, and not in plaintext to the ISP.

Re:This is an easy one. (2, Informative)

hey (83763) | more than 5 years ago | (#27942291)

Good point. They should thank the ISP for this alert.

Re:This is an easy one. (1)

RollingThunder (88952) | more than 5 years ago | (#27942663)

Exactly. When I connect (using Checkpoint, but most other VPN software will do it as well) it changes the resolver configs on my system so that now I'm using the internal company DNS.

If his VPN solution doesn't offer this to him, he needs to get one that does.

Re:This is an easy one. (4, Informative)

IceCreamGuy (904648) | more than 5 years ago | (#27942943)

You are referring to what is known as "Split Tunneling," which is a legitimate, albeit less secure, VPN configuration. Basically when split tunneling is enabled the client workstation's default gateway is still its local gateway and DNS requests get routed by the client to the appropriate DNS server, whereas in a non-split tunnel the default gateway is the remote gateway (which obviously has no way of routing to the local network) and all DNS requests go encrypted through that. There are several reasons someone would want to do this:
  • You need people to access their local printers/network resources and don't have some kind of pass-through ability
  • You have limited bandwidth at your remote site and cannot handle the Internet usage that would be NATed through
  • Your gateway does not support NAT on VPN tunnels and your clients need Internet access
  • You don't realize what you're doing

Either way, what I do when I have some kind of weird situation where a user needs to change their TCP/IP config routinely is just put a couple shortcuts with pretty icons on their desktop that point to batch scripts that run a netsh script. You should be able to completely change an IP configuration on a Windows box with this utility, the user just runs "home.bat" when they're home and then "office.bat" when in the office. A Google for "netsh exec" should give enough info to get started.

Provide your own DNS? (5, Informative)

QuantumRiff (120817) | more than 5 years ago | (#27941191)

Last time I set up a VPN, it was with a Cisco PIX firewall (it's been a while), but there was a spot to specify which DNS servers to use when connected to the VPN. I had specified that when connected, they would use our DNS, since they otherwise couldn't resolve \\file-server\share or whatever..

Use the IP Address (0)

Anonymous Coward | more than 5 years ago | (#27941213)

Enough Said

Re:Provide your own DNS? (5, Informative)

nine-times (778537) | more than 5 years ago | (#27941337)

Yeah, honestly I'm a little confused by the question. If you want to use DNS to connect to internal servers via VPN, then don't you want to route your DNS traffic through the tunnel to use internal DNS servers? And once you're doing that, how could the ISP possibly hijack that DNS traffic? It's encrypted.

Re:Provide your own DNS? (5, Insightful)

Bandman (86149) | more than 5 years ago | (#27941427)

You're right. It all boils down to misconfigured VPN

Mod parents up (4, Funny)

adolf (21054) | more than 5 years ago | (#27941521)

Mod parents up, please.

And then we can all go home. This is an easy problem to solve once you see it from the right angle, and that angle is described above.

Re:Provide your own DNS? (1)

flajann (658201) | more than 5 years ago | (#27942317)

Yeah, honestly I'm a little confused by the question. If you want to use DNS to connect to internal servers via VPN, then don't you want to route your DNS traffic through the tunnel to use internal DNS servers? And once you're doing that, how could the ISP possibly hijack that DNS traffic? It's encrypted.

It may be that the list of DNSes for the computer to check starts with ISP DNS first, then if that fails it next tries the VPN's DNS.

Of course, if the ISP is hijacking lookups instead of letting them fail, that's going to screw everything up.

Verizon and FairPoint do this. Alas, there's no other option I know of that can beat the fibre-optics to the last mile. But at least the aforementioned provides an opt-out DNS server to use. Good luck getting it out of their tech support, as you will spend 10-15 minutes just explaining what the problem is. They are CLUELESS to the max.

Ah, but this is the same company that can't tell the difference between .002 dollars and .002 cents....

Re:Provide your own DNS? (1)

pthisis (27352) | more than 5 years ago | (#27942721)

It may be that the list of DNSes for the computer to check starts with ISP DNS first, then if that fails it next tries the VPN's DNS.

That's a misconfiguration. You can't route any internal traffic outside of the VPN. You're publicizing internal server names if you set it up that way.

Re:Provide your own DNS? (1)

Punknubbins (768822) | more than 5 years ago | (#27943029)

Our VPN is set up as a relay, so our clients get handed DHCP leases with the DNS server and domain information included from an internal server. But occasionally we see a client whose machine will not honor the DNS servers given out by DHCP. So we use an internal subdomain (i.ourdomain.com) with all of the internal hosts listed there (like private.i.ourdomain.com). The NS record for the i.ourdomain.com subdomain points to an internal IP address, so a user can only resolve internal hosts when connected to the VPN. So when a user tries to connect to an internal server across the VPN, the DNS client follows the path (root servers -> DNS server for ourdomain.com -> DNS server for i.ourdomain.com) to our internal DNS server and then receives the correct internal IP address for the server. If they are not connected to the VPN then they can't get resolution off of our internal servers and the lookup fails. This prevents us from having to publish internal DNS globally for clients that don't respect our DHCP load.

Open DNS?? (0)

Anonymous Coward | more than 5 years ago | (#27941193)

Have you tried OpenDNS? I have used it for years with great results. If you are actually signed in and not just using their DNS server entries in TCP/IP it miiiiiiiight get you around your problem.

Re:Open DNS?? (1)

omnichad (1198475) | more than 5 years ago | (#27942289)

They have their own NXDomain pages. So you have to sign up for a login account in order to disable that feature. And then when you're mobile on a laptop, your dynamic ip address will cause you constant headaches.

Re:Open DNS?? (0, Redundant)

Volante3192 (953645) | more than 5 years ago | (#27942549)

OpenDNS also redirects google searches to their own site. www.google.com was broken for me until I took OpenDNS out of my list.

What I'd love is my own DNS Server but I can't find one free for XP anywhere...

Re:Open DNS?? (1)

tagno25 (1518033) | more than 5 years ago | (#27942809)

Try named via Cygwin if you must use Windows.

4.2.2.1 (0)

Anonymous Coward | more than 5 years ago | (#27941197)

That is all.

Re:4.2.2.1 (2, Insightful)

afidel (530433) | more than 5 years ago | (#27941717)

Level 3's resolvers were VERY slow earlier this week, to the point where our IDS system noticed it. I've generally been glad to use them when an ISP screws up their DNS but it IS a free service and you can't expect great performance from it for that reason.

Re:4.2.2.1 (1)

sokoban (142301) | more than 5 years ago | (#27942681)

Yep, I have been having troubles with L3's DNS for about a week and a half now.

As a result, I'm back on insightbb's crappy, crappy DNS.

Re:4.2.2.1 (1)

TooMuchToDo (882796) | more than 5 years ago | (#27942879)

Level3 is in the process of ACLing off 4.2.2.1 from the world so only downstream transit customers can use it. Google the Outages mailing list for more info.

Re:4.2.2.1 (2, Interesting)

TooMuchToDo (882796) | more than 5 years ago | (#27942791)

Level3 is in the process of ACLing off 4.2.2.1 from the world so only downstream transit customers can use it. Google the Outages mailing list.

Change VPN settings . . . (5, Insightful)

val123456 (141284) | more than 5 years ago | (#27941203)

to force use of internal DNS servers while connected.

Done.

Re:Change VPN settings . . . (2, Insightful)

KevMar (471257) | more than 5 years ago | (#27941253)

I guess I did not know there was an option not to use the internal servers.

Our unit has its own domain and dns servers. The zone does get replicated to the central dns servers, but we have to use the Fully Qualified Domain Name of our servers when on computers outside our unit.

Have the users try the full name of the server and see if that helps.

Re:Change VPN settings . . . (1)

Endloser (1170279) | more than 5 years ago | (#27941361)

I second that motion. If you still have issues, you can set up shares by IP address and leave a nice little shortcut on your end-loser's desktop. "\\IP\share" should go in the location part of the shortcut (for Major$haft losers).

Re:Change VPN settings . . . (2, Insightful)

Vrtigo1 (1303147) | more than 5 years ago | (#27941853)

We do configure internal DNS servers on the VPN profile (obviously), but we also split-tunnel since we don't want to push all traffic over the VPN (only traffic destined for the internal LAN). If you do an ipconfig /all, it lists both the ISP and internal DNS servers. Normally this works fine because the ISP's DNS server will return an invalid hostname response and the client will query the internal DNS server.

Use Full Tunnels (5, Informative)

Bandman (86149) | more than 5 years ago | (#27941207)

If you're splitting your connection between a VPN tunnel and a non-VPN protected internet connection, you're a security risk to your infrastructure.

Have your administrator configure full tunnel support where ALL of your traffic goes through the encrypted tunnel. That solves a security problem AND it fixes your DNS problem because you don't use your local internet provider's DNS servers.

Re:Use Full Tunnels (5, Informative)

L0stm4n (322418) | more than 5 years ago | (#27941271)

This is called split tunneling. If he disables split tunneling and specifies the DNS servers in the VPN config his problems would go away.

His users however would tunnel all their traffic through the corporate LAN while connected, so you may need to set up some kind of filtering or route the traffic through whatever filters you already have. Otherwise these remote workers in hotel rooms will be pulling buckets-o-pr0n through your corp network.

Re:Use Full Tunnels (2, Informative)

Bandman (86149) | more than 5 years ago | (#27941297)

But that's only a problem when they're connected to the VPN. Don't surf porn while on the VPN, don't get fired. Win/Win

Just disconnect to download your porn and you're good.

Re:Use Full Tunnels (1)

HomelessInLaJolla (1026842) | more than 5 years ago | (#27942037)

Not that this would ever really happen, but...

What if you're at home using a take-home work laptop to connect to the VPN and using a separate home computer which you own privately to surf pr0n? Especially with the prevalence of wireless broadcast within a home--what prevents your employer from sniffing all of your private home traffic? If you have gone so far as to keep the pr0n system on a hard line (most take-home work laptops have wireless NICs so, even if the work laptop is technically on the hard line, the wireless NIC could still be available for sniffing), how many and what kinds of packets are sent out in broadcast? I used to watch tcpdump, ethereal, and others quite often and, even on hardwired connections, it was usually somewhat easy to see from one system when another system was surfing pr0n if they were connected to the same in-home router. If wireless was being used then, well, you might as well have a repeater.

Do you trust your employer not to sniff all the packets it can? Do you trust that the take-home work laptop doesn't log and save particular packets or headers even when not attached to the VPN and then transmit a saved log when you connect to your work VPN? Maybe for smaller employers this might not be much of an issue but for anyone working in a gargantuan corporate entity--who knows what lurks beneath your windows processes?

Heck, now that the Linux OS has become so enormous, who knows what lurks even on usual Linux systems?

Re:Use Full Tunnels (1)

Bandman (86149) | more than 5 years ago | (#27942597)

Assuming you have a VPN client (or are using an SSL VPN which is "Clientless" (big lie)) then only that computer's traffic is sent over the VPN.

If, on the other hand, you have a VPN device that you plug in in front of (or behind) your broadband router, all of your connection's traffic will be going to the VPN. That's just as (if not more) insecure as a partial tunnel.

Re:Use Full Tunnels (0)

Anonymous Coward | more than 5 years ago | (#27941357)

It'll also likely cut the connection speed in half and make any interactive server-run apps unusable due to latency. (been there, done that)

Re:Use Full Tunnels (1)

Bandman (86149) | more than 5 years ago | (#27941441)

Actually, it shouldn't slow down the internal stuff at all, since it was going over the same link as before. His internet browsing will go a lot slower, but he can disconnect from the VPN for personal browsing.

Re:Use Full Tunnels (1)

TheLink (130905) | more than 5 years ago | (#27941989)

"His users however would tunnel all their traffic through the corporate lan while connected"

This is not a problem. This is how it should be.

VPN = Virtual Private Network.

It's not private if your traffic leaks out to somewhere else.

When you use your office VPN, you should use it for work related stuff only. If you want to do personal stuff (e.g. download non-work-related porn, MP3s), don't use the office VPN.

Re:Use Full Tunnels (1)

Capt.DrumkenBum (1173011) | more than 5 years ago | (#27942577)

How do you tell the difference between work related and non work related porn?

Re:Use Full Tunnels (1)

jobugeek (466084) | more than 5 years ago | (#27941321)

This is true, and every time I set up a VPN for someone I mention this. That said, for many people, they are likely VPN'd in order to access certain files while needing access to the internet. Browsing through most company VPN connections is painfully slow and inefficient.

Re:Use Full Tunnels (1)

Reece400 (584378) | more than 5 years ago | (#27942343)

OTOH while slow, their internet traffic is then filtered/scanned by AV(if applicable) as it would be when they are in the office.

Re:Use Full Tunnels (1)

jobugeek (466084) | more than 5 years ago | (#27942623)

Yes, but one would hope that any company allowing said laptop to connect to their company VPN has local policies/software in order to minimize the infection risk. Yes, split tunneling is a larger security risk, but those risks can be mitigated.

Re:Use Full Tunnels (2, Insightful)

oolon (43347) | more than 5 years ago | (#27941381)

The down side of this is people cannot use their local printers/file servers. I find it really annoying having to reverse tunnel out of corporate VPNs to get access to my local systems. Clearly as others have said any VPN client should change the DNS settings to use the internal DNS before any external one, I didn't know some didn't.

Re:Use Full Tunnels (1)

Bandman (86149) | more than 5 years ago | (#27941465)

That's true, but with a "secure" VPN connection, not being able to use local resources would be considered a plus.

Of course, "secure" is always a sliding scale.

Re:Use Full Tunnels (1)

oolon (43347) | more than 5 years ago | (#27941749)

The Cisco VPN client implements a full tunnel mode rather well; however, I did notice the one thing it didn't block was DHCP broadcasts. I wrote a proof of concept to see if I could signal over it. I was intending to write a full tunnel, but ended up finding it easier to virtualise the laptop, then tunnel over a serial connection to escape from the jail.

Re:Use Full Tunnels (1)

netcrusher88 (743318) | more than 5 years ago | (#27942573)

Split tunneling is a pretty trivial risk. Your typical home computer doesn't do forwarding (not to mention nothing would know how to route) and if the box is a zombie, it's a zombie - not talking to the C&C servers directly instead of via the corpnet isn't going to impair the bot software.

Split tunneling has nothing to do with the DNS issue. Configuring internal DNS servers is 100% solid if not essential advice for any VPN.

story tag... (0)

Anonymous Coward | more than 5 years ago | (#27941225)

Go to hell story tag. Fucking burn. I hate you.

Sincerely, AC

Split-horizon DNS (3, Informative)

Dishwasha (125561) | more than 5 years ago | (#27941227)

Re:Split-horizon DNS (1)

stickytar (96286) | more than 5 years ago | (#27941729)

Mod parent up. This is the solution. You should not be relying on external DNS to resolve internal IP assets.

OpenDNS? (0)

Anonymous Coward | more than 5 years ago | (#27941231)

www.opendns.com

Doesn't OpenDNS also use NXDomain Redir? (1)

JSBiff (87824) | more than 5 years ago | (#27941529)

It's been awhile since I looked at OpenDNS, so maybe I'm mis-remembering, but I could swear that OpenDNS's business model is based around generating ad revenue from doing NXDomain redirection, isn't it? If that's the case, swapping one NXDomain redirect for another doesn't seem very productive.

Re:Doesn't OpenDNS also use NXDomain Redir? (0)

Anonymous Coward | more than 5 years ago | (#27941757)

Yes, but I think it only does that on Google searches. I may be wrong about what sites it affects, but that's why I stopped using it at home.

About certain ISPs (0)

Anonymous Coward | more than 5 years ago | (#27941245)

Cablevision was going to use NX DNS redirection but stopped because sometimes it interfered with businesses' intranets. When he had it for its brief life, we had options to have it enabled or disabled.

Fixed this problems for our windows users (0)

Anonymous Coward | more than 5 years ago | (#27941249)

We had this exact problem for our Windows users. The solution was to force Windows to use our internal DNS server first when connected to the VPN. We accomplished this with a custom program that changed some registry and system values. Unfortunately I do not have the list of changes -- that was a lifetime ago.

Easiest solution: Get them to change ISP. (1)

Nick Ives (317) | more than 5 years ago | (#27941263)

Failing that...

Why does manually changing DNS servers work only temporarily? Can't you just host a DNS server and give your employees the IP for that? It'd mean having to service DNS requests for all your employees private internet usage plus it might break some CDNs but it seems like the simplest solution.

You could also loan employees suitable ADSL / cable routers that you configure, something with a decent small DNS server in it that you can configure to serve your intranet hostnames but defer to the user's ISP for internet hosts. Obviously that's expensive though.

Re:Easiest solution: Get them to change ISP. (1)

Neil Hodges (960909) | more than 5 years ago | (#27941317)

Failing that...

Why does manually changing DNS servers work only temporarily

Perhaps that's the reason cron exists: to make sure your DNS servers are reset to your preference despite DHCP mangling them.

Re:Easiest solution: Get them to change ISP. (1)

Bandman (86149) | more than 5 years ago | (#27941347)

The DNS thing is really just a symptom of the actual problem, that his VPN is misconfigured.

You shouldn't be allowed to be directly connected to the internet at the same time you're directly connected to your VPN. It's exactly the same security risk as if he had a personal DSL line installed at his desk and was on both networks. If his machine is compromised, it can be spread to other trusted (or maybe if he's lucky, only semitrusted) machines.

Full tunnels for the VPN will solve the problems.

Re:Easiest solution: Get them to change ISP. (1)

gd2shoe (747932) | more than 5 years ago | (#27942113)

You shouldn't be allowed to be directly connected to the internet at the same time you're directly connected to your VPN. It's exactly the same security risk as if he had a personal DSL line installed at his desk and was on both networks. If his machine is compromised, it can be spread to other trusted (or maybe if he's lucky, only semitrusted) machines.

Full tunnels for the VPN will solve the problems.

I see a whole bunch of people posting this, and I have to tell you that you're trading one security risk for another*.

Yes, it's currently the same as having a connection to both networks at the same workstation.

Forcing all employee traffic through the VPN is not a security solution, but much more akin to the laptop problem. They can be infected/compromised all day long while connected directly through the ISP (visiting "bad" sites, downloading malware infected freeware, whatever). Once connected to the VPN, all that bad stuff suddenly has access.

Yes, this is a lesser risk. It prevents real-time attacks. Still, the potential consequences are equal. Don't fool yourselves into thinking that this is a security fix. It's not.

(*presupposing that they are permitted to use the computer on their normal Internet connection while not "at work". You didn't say that explicitly, but others here have. We have no indication that these are work provided computers and work supplied Internet connections, so it is a reasonable assumption that these machines will go online directly.)

Cat got your tongue? (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#27941265)

I eat poop.

Poor man's solution (1)

davidwr (791652) | more than 5 years ago | (#27941281)

Other people have better solutions but a quick-and-dirty solution is to hardcode internal addresses in a hosts file. I won't guarantee this works in every environment though, and it's not a maintainable solution.

Re:Poor man's solution (1)

TCM (130219) | more than 5 years ago | (#27941449)

Then don't even do/suggest it.

Quick and dirty only gets dirtier and wastes the time you saved upfront and more later on.

Not sure if I understand this... (0)

Anonymous Coward | more than 5 years ago | (#27941329)

How are VPN users using an external DNS server to resolve internal host names in the first place?

There is a lot of information missing in this question and it seems to be a simple case of setting DNS to an internal DNS server via the VPN end-point.

Our Solution (1)

AndGodSed (968378) | more than 5 years ago | (#27941353)

Our Company webserver and mailservers serve as DNS servers as well.

There are four in total. We are an ISP, but we are dependent on a larger backbone - so we registered our own DNS servers.

Also, DHCP on the LAN with your own DNS server on the LAN side should be fine, and you can also edit the hosts file if all else fails. We have a few (Vista) laptops where we needed to hardconfig LAN side server addresses in the hosts file - but I suspect this has less to do with NXDOMAIN problems than with a larger config issue between Win2003serv and Vista.

Stop filtering your DNS, or run a local cache. (3, Insightful)

mellon (7048) | more than 5 years ago | (#27941355)

What's the benefit of blocking your internal DNS? You're firewalled off, or they wouldn't need the VPN. What's going on here is that you're doing something broken - you must have some kind of NXDOMAIN redirector running on the remote machine, and the ISP is doing something wrong, because its NXDOMAIN redirector is fooling your NXDOMAIN redirector. If you just follow the standards, the fact that they have a broken NXDOMAIN redirector wouldn't affect you.

Another option is to set up a DNS resolver that's reachable from outside your network, and also inside your network, but only answers for your internal names if the query comes from inside. Then configure all your VPN machines to always use that nameserver, and not use your ISP's nameserver.

Even if your ISP filters DNS and answers in place of your nameserver, you're okay, because as soon as the VPN is set up, all the queries will go across the VPN (since this server is on your local network). At that point you'll start getting answers for local domains because now the query is coming from a local (VPN) IP address.

This second solution is a bit more work, and of course being a DNS geek I'm biased toward just doing the right thing in the first place, so I recommend just opening up your DNS, but either way ought to work.
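The split-horizon resolver mellon describes (one nameserver reachable from both sides, answering internal names only to clients that arrive over the LAN or the VPN), modelled as an added example; this is not the poster's configuration or any real server's code, and the zone name, record data and trusted prefixes are constructed placeholders:

```python
import ipaddress

# Constructed policy data (assumed, not from the thread): office LAN plus the
# VPN address pool are "inside"; everything else is the public Internet.
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/16"),   # office LAN (assumed)
    ipaddress.ip_network("10.8.0.0/24"),   # VPN client pool (assumed)
]

# Internal zone and its records: only ever disclosed to trusted sources.
INTERNAL_ZONE = "corp.example"
INTERNAL_RECORDS = {
    "intranet.corp.example": "10.0.1.20",
    "mail.corp.example": "10.0.1.25",
}

# Stand-in for what ordinary recursion into the public DNS tree would return.
PUBLIC_RECORDS = {
    "www.example.com": "203.0.113.10",
}


def is_internal_name(name: str) -> bool:
    """True when the name sits at or below the internal zone apex."""
    return name == INTERNAL_ZONE or name.endswith("." + INTERNAL_ZONE)


def is_trusted_source(client_ip: str) -> bool:
    """A query is 'inside' when its source address is in a trusted prefix."""
    src = ipaddress.ip_address(client_ip)
    return any(src in net for net in TRUSTED_NETS)


def resolve(qname: str, client_ip: str) -> tuple:
    """Return (rcode, address) the way a split-horizon resolver would.

    Internal names are answered only for trusted sources; outsiders get the
    same NXDOMAIN the public tree would give, so the zone is not disclosed.
    A name that does not exist is always NXDOMAIN with no address: the
    resolver never synthesises an answer, which is exactly the behaviour the
    ISP redirectors in this thread break.
    """
    name = qname.rstrip(".").lower()
    if is_internal_name(name):
        if not is_trusted_source(client_ip):
            return ("NXDOMAIN", None)
        addr = INTERNAL_RECORDS.get(name)
        return ("NOERROR", addr) if addr else ("NXDOMAIN", None)
    addr = PUBLIC_RECORDS.get(name)
    return ("NOERROR", addr) if addr else ("NXDOMAIN", None)


if __name__ == "__main__":
    for q, src in [("intranet.corp.example", "10.8.0.12"),
                   ("intranet.corp.example", "198.51.100.9"),
                   ("typo.example.com", "10.8.0.12")]:
        print(q, "from", src, "->", resolve(q, src))
```

The policy decision is keyed on the source address of the query, which is why the VPN client must actually send its queries through the tunnel (so they arrive from the VPN pool) rather than via the ISP's resolver; in BIND the same split is expressed with views and match-clients ACLs.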

What small ISPs? (5, Funny)

bzzfzz (1542813) | more than 5 years ago | (#27941383)

There are still small ISPs left where you live?

Re:What small ISPs? (1)

RobertM1968 (951074) | more than 5 years ago | (#27941527)

I was going to laugh because this is probably true for most people in the US... then I realized that this wasn't funny because this is probably true for most people in the US. I think we need a "Sadly, humorously, funny" Mod...

hosts file? (1)

_bug_ (112702) | more than 5 years ago | (#27941417)

Would hard-coded IP addresses to a hosts file work?

Plenty of other DNS options... (1)

RobertM1968 (951074) | more than 5 years ago | (#27941457)

You can run your own DNS servers... (This opens a lot of other possibilities for its use as well, such as blocking certain sites at the DNS level, or setting up local domain entries for your internal network without the expense of registering a domain name or three.) Just make sure you don't set such up using a real, existing domain name that you may at some time want to visit.

A Linux box with BIND or similar can be a cheap, old box and perform fantastically in this respect. An OS/2 box (if you've got some OS/2 disks or buy a copy of Warp 4 from eBay) can also be a cheap, and ancient box and perform amazingly (you don't need more than a P90 with 64MB RAM - I know... I did this for years for some decently high traffic domains (30,000 unique visits a day)). BIND is available for both OS/2 and Linux, as well as a number of other options for both.


You can use OpenDNS or a similar service...

(The formerly run by) UUNet name servers still work and accept connections from anywhere.

On this note, btw, it's not just small ISPs who are doing this... OptOnline is doing this in my area, and we are a business customer with a business connection.

ask (1)

Spaham (634471) | more than 5 years ago | (#27941475)

You should ask your IT manager,
oh, you're the IT manager ? hmmm ;)

Quick fix (0)

Anonymous Coward | more than 5 years ago | (#27941487)

sudo chattr +i /etc/resolv.conf

Sounds like a feature request for Deadwood (1)

Ex-Linux-Fanboy (1311235) | more than 5 years ago | (#27941637)

You know, that's a good feature request for Deadwood [maradns.org], code I'm working on now that will eventually become the next-generation recursive DNS resolver for MaraDNS [maradns.org]. Have a feature so that, if we get a given IP over DNS, make the reply a "notthere" reply (It's a bad idea to make it an NXDOMAIN).

MaraDNS is an open-source (BSD licensed) DNS server I've been working on for over eight years; right now I'm re-writing the recursive code. Currently, the rewrite of the recursive code is a tiny (32k) DNS forwarding (non-recursive) cache for both Linux and as a native Windows binary.

My goal is to have full recursion supported by the end of 2009.

Uhhh (1)

jafiwam (310805) | more than 5 years ago | (#27941723)

No VPN software or hardware I ever used does this. It always checks the VPN DNS server first before going to the main one.

Reconfigure your VPN software, something is wrong.

YES, NXDOMAIN redirection sucks, but it does not by default interfere the way you think it does.

If it's servers on your network you need, you could just stick a hosts file entry on their computers to resolve "webserver" to 10.1.200.34 etc.

Re:Uhhh (2, Insightful)

tthomas48 (180798) | more than 5 years ago | (#27942621)

I wonder if the actual problem is this:

1. User goes to internal site, gets ISP not found page.
2. User goes "Whoops, need to turn on VPN". Turns on VPN
3. User hits refresh. Still goes to ISP not found page.

Is he sure this isn't an issue of just needing the user to close their browsers to clear the browser dns cache?

Firewall (0)

Anonymous Coward | more than 5 years ago | (#27941811)

I use FIOS which does this (annoying as hell) but they do provide DNS servers which don't exhibit this behavior.

For your end users, put a firewall between the user and the internet.

Any old linksys should do, they already have DHCP on them.

Just configure the fw/router with the "opt-out" DNS servers. That way the users won't need any special config on their laptops/desktops.

Option B:
If these are windows clients, can't you just assign different name servers to different network connections?
The VPN adapter can use DHCP to pull the corporate DNS servers.
The "internet" NIC they plug into their cable modem can use the static "opt-out" DNS settings.

Note that this wouldn't work well for Laptop users because they'd have to change their network config when traveling.
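A way to verify that a candidate "opt-out" resolver really returns NXDOMAIN before putting it in the router, as an added example that is not from the thread or from any ISP's tooling: it sends an A query for a freshly generated label that cannot exist and parses the wire-format reply, flagging any address that comes back. The probe zone, the sample packets in the test and the 198.51.100.7 address are constructed placeholders.

```python
import secrets
import socket
import struct


def random_label() -> str:
    """A label that cannot exist, so the only honest answer is NXDOMAIN."""
    return "nx-" + secrets.token_hex(6)


def build_query(qname: str, txid: int) -> bytes:
    """Encode a recursive-desired A/IN query in DNS wire format (RFC 1035)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name; return next offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:      # compression pointer: two bytes, ends name
            return off + 2
        off += 1 + length


def classify_response(resp: bytes, txid: int) -> tuple:
    """Return (verdict, addresses) for a reply to our probe query.

    verdict is 'nxdomain' (honest), 'hijacked' (NOERROR with A records for a
    name that cannot exist), 'noerror-empty', or 'other' (bad id, not a
    response, or an unexpected RCODE).
    """
    if len(resp) < 12:
        return ("other", [])
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not (flags & 0x8000):   # id mismatch or QR bit clear
        return ("other", [])
    rcode = flags & 0x000F
    if rcode == 3:
        return ("nxdomain", [])
    if rcode != 0:
        return ("other", [])
    off = 12
    for _ in range(qd):                       # skip question section
        off = _skip_name(resp, off) + 4       # name + QTYPE + QCLASS
    addrs = []
    for _ in range(an):                       # walk answer RRs
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen                          # CNAMEs etc. are skipped
    return ("hijacked", addrs) if addrs else ("noerror-empty", [])


def probe(server: str, zone: str = "example.com", timeout: float = 3.0) -> tuple:
    """Send one probe to a resolver over UDP/53 and classify its reply."""
    txid = secrets.randbelow(0x10000)
    qname = f"{random_label()}.{zone}"
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(qname, txid), (server, 53))
        resp, _ = sock.recvfrom(4096)
    except socket.timeout:
        return ("timeout", [])
    finally:
        sock.close()
    return classify_response(resp, txid)


if __name__ == "__main__":
    import sys
    for server in sys.argv[1:] or ["127.0.0.1"]:
        print(server, *probe(server))
```

Run it against each resolver the ISP hands out and against the advertised opt-out servers; a server that reports "hijacked" for a random label is rewriting NXDOMAIN and will also break the VPN client's internal lookups, whatever its opt-out page claims.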

Setup your VPN and network right.. (1)

papasui (567265) | more than 5 years ago | (#27941831)

and you won't have to worry about it. Your DNS needs to be coming across your VPN tunnel, not from your ISP. Done.

I Don't Understand - Use Your Own DNS (1)

segedunum (883035) | more than 5 years ago | (#27941841)

I seriously don't understand this. Presumably when users are connected to the VPN then there must be some way of resolving internal names, and this can only be done via your own internal DNS. You can't have the DNS of users' ISPs resolving internal names because that would be silly and would obviously fail. Therefore... use your own DNS while users are connected to the VPN. A lot of VPN software will do this automatically, but I've done this with OpenVPN by pushing down DNS through DHCP and changing the bind order of the interfaces with the VPN at the top. At least on Windows that is.

I have no clue whatsoever why you're trying to talk to ISPs. This is not their problem at all.

Re:I Don't Understand - Use Your Own DNS (1)

sgt scrub (869860) | more than 5 years ago | (#27942275)

To add to segedunum's post. I use OpenVPN too. You don't HAVE to push anything through DNS, but you can, and it is probably the easiest. OpenVPN GUI for Windows makes it easy for even the dumbest (marketing/sales department) people in the office to use. You can hard code the IP address as the destination in the config. All the user has to do is double click on an icon on their toolbar, login (or use a shared key), and p00f they are connected.

How to deal with this? (0)

Anonymous Coward | more than 5 years ago | (#27941945)

Use another ISP.

This is an unethical practice (2, Insightful)

Jane Q. Public (1010737) | more than 5 years ago | (#27942071)

... and it should be stopped. Forced to stop if no other approach works.

Redirecting my web request to somewhere else, as far as I am concerned, is equivalent to re-routing my snail mail to their own office if someone has moved. That is not acceptable. I want a "not at this address" notice, nothing else.

here's a buck and I'll give you a clue (0)

Anonymous Coward | more than 5 years ago | (#27942073)

Why are you not using your own DNS servers, or even OpenDNS if you're not able to set up and administer your own? DNS should be configured within your VPN software. Nothing says you have to use your ISP's resolvers.

The solution is not to use DNS! (1)

Cyrock (610182) | more than 5 years ago | (#27942161)

Have your remote users connect to an IP address instead of a name and all of your problems are solved.

hosts file? (2, Informative)

i.r.id10t (595143) | more than 5 years ago | (#27942211)

A logon script here loads a hosts file that null-routes a lot of known bad (spyware, etc) sites.

Could you do the same for your internal hosts so that when on the VPN it doesn't even need to do a DNS lookup?

Will "bad" ISPs start blocking port 53? (2, Interesting)

e9th (652576) | more than 5 years ago | (#27942485)

Some ISPs already won't let you connect to port 25 on any server that isn't theirs (forcing you to relay outgoing mail through them), ostensibly to prevent zombies from sending spam. The ones that monetize NXDOMAIN could easily do the same for DNS. All they'd need is some flimsy pretext, and maybe not even that.

DNS Suggestion (1)

Kiralan (765796) | more than 5 years ago | (#27942535)

Couldn't the Split Tunnel still be used, but all lookups are resolved via the company's DNS? You may resolve 'Pron' names, etc. but you would not be carrying the traffic for them.

Use multiple DNS servers (1)

1idman (184827) | more than 5 years ago | (#27942661)

If I understand correctly, the problem arises because the road staff's TCP/IP connection is receiving the DNS server info automatically from whatever connection they are using. If you set up the clients to use a preferred DNS server as something like OpenDNS, available from anywhere, and your secondary DNS server as the internal IP address of your local LAN's DNS server, you should get the effect you want. When your users are on the road, they will use OpenDNS. When they are back in the office, the requests for local names will go to OpenDNS and fail, and then be directed to the local DNS server.

Your VPN is busted (2, Insightful)

brunes69 (86786) | more than 5 years ago | (#27942759)

The first thing your secure VPN tunnel should be doing is altering the client's DNS profile to only use the DNS servers on the other side of the tunnel. Anything else is totally insecure.

User Error (1)

ajcoon (964283) | more than 5 years ago | (#27942925)

Most network interface configurations allow you to specify a DNS server for that specific connection. I use both OpenVPN2 and Cisco IPSec clients on Windows and Linux. In both cases, the virtual adapters/interfaces used by these clients can have their own DNS server configured. It is only used when the adapter/interface is connected.

I think maybe this is a VPN config issue (0)

Anonymous Coward | more than 5 years ago | (#27942969)

Place your own DNS server on the internet outside of your DMZ. Then just point your VPN people to those DNS servers manually.

As to what happens when they return to work, if we are talking about laptops and you have docking stations then you can use a docked and undocked profile that could switch them back and forth. Otherwise just give them an icon to click on when they are having issues that manually sets the DNS back and forth. It's extra training but an easy work around.

I have to tell you that I am not sure why this is a problem for you honestly. VPN should set up a tunnel for your users connecting so once they resolve the name of the VPN servers to connect to they no longer use external DNS at all. If your problem is that they keep you from resolving the name of your VPN servers correctly then just hardcode the IP into the client.

Hope this helps....
