
Best way to manage multiple VPNs - DNS entries?

So we use about 3 different VPNs for 3 different things, which we need to be connected to at once.

We currently just manually punch in hosts file entries for a bunch of things, but what we'd like is a single, centrally managed way to do this, preferably without a hosts file.
 
Do you manage the DNS on the remote side? If so, zone transfers to a central DNS might work.

Are they tunnel VPNs or "user -> device?"

Tunnels are easier to handle since you can set up local copies of the zones on the DNS servers the computer queries. If they are user-endpoint VPNs and the client is trying to capture DNS, it gets a bit harder.
 
All tunnels are USER -> FW, which is why we have to modify our hosts file to point to direct IPs, as DNS mucks up badly when you connect the second/third one. It generally will not retain DNS from the first FW.

These are all local IPs, 10.10.x.x, depending on location and VPN.
 
Ok. I would have to think about this. Are all the users tech savvy? I would think that if this is, say, you, it would be different than asking Sally Jane at the front desk to deal with it on a day-to-day basis.

I personally would look at running a localhost DNS that had forwarders for the various DNS servers you are dealing with. The main issue would be that you would need to use the FQDNs to make it work.

On, say, Server 2008 R2 (not saying you need to run server OSes, but just trying to give an example from MS DNS):

I would create conditional redirectors for the DNS domains at the 3 sites.
i.e.:
Sitea.com -> internal DNS IPs for site A
Siteb.net -> internal DNS IPs for site B
Sitec.co.tw -> internal DNS IPs for site C
* -> 8.8.8.8 or whatever

That way connecting to randomserver.sitea.com would cause the local DNS to redirect the request to sitea.com's DNS and reply with the IP address.

Does this seem to be at least going in the direction you are thinking?

You point the local host at 127.0.0.1.

Any other info you can provide might help.
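The conditional-forwarder layout described in this reply, written out as a BIND 9 named.conf for the workstation. This is an added example, not configuration from the thread: the site names and the 8.8.8.8 catch-all are taken from the reply's own illustration, and the 10.10.x.x resolver addresses are assumed placeholders.

```conf
# /etc/named.conf on the workstation (added example; all addresses are placeholders)
options {
    directory "/var/named";
    # Only answer the local machine; the OS resolver is pointed at 127.0.0.1.
    listen-on { 127.0.0.1; };
    listen-on-v6 { none; };
    allow-query { localhost; };
    recursion yes;
    # Catch-all: anything not matched by a forward zone below goes to the public resolver.
    forwarders { 8.8.8.8; };
    forward only;
};

# Site A (reachable over VPN 1): queries for sitea.com go to its internal DNS.
zone "sitea.com" {
    type forward;
    forward only;
    forwarders { 10.10.1.10; 10.10.1.11; };
};

# Site B (reachable over VPN 2)
zone "siteb.net" {
    type forward;
    forward only;
    forwarders { 10.10.2.10; };
};

# Site C (reachable over VPN 3)
zone "sitec.co.tw" {
    type forward;
    forward only;
    forwarders { 10.10.3.10; };
};
```

With `forward only` in each site zone, a lookup for a sitea.com name while VPN 1 is down fails with SERVFAIL instead of falling through to 8.8.8.8, so internal hostnames are never sent to the public resolver. If reverse lookups of the 10.10.x.x ranges matter, add matching forward zones for the relevant in-addr.arpa names in the same way.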
 
Interesting, that might get into more DNS thinking than I know ... I was hoping we could all just change our DNS to a specific DNS host and manage it from there, alongside whatever other DNS we get, but to use if the primary DNS cannot resolve.
 
Don't you work for Google? Utilize the router's DNS options to do this so it's not on a local basis, come on man....
 
My technique should work with an external server also, using Windows or BIND. I have never tried it, so.... mileage may vary. Domain-based redirection is pretty common, so there is a lot about it on the web. You might be able to do it with short names also, but I think that would be more "hit or miss."
 
We VPN into multiple domains with multiple credentials; we want one place to store it all!

That is why we all maintain our own hosts file entries, and that is what we want to avoid.
 
I was wrestling with the same issue today and ran across your post. Got me thinking more than I was, thanks for pushing me out of my box.

Some example data for this post:

VPN public server addresses are as follows:
12.13.14.15
22.23.24.25
32.33.34.35
...

Set up slave DNS in AWS (using micro instances as they are freeeeeee) with EIPs:
- put them in different regions so if one region goes down you have backup
- you could use a multi-zone setup also to allow for zone failure.
ns_xy (1.2.3.4)
ns_xz (5.6.7.8)

Fill the slaves with data from the masters from wherever they might live.

I am assuming you are using OpenVPN, but other VPN servers have the same type of ability - an assumption.

Set up the VPN server to push options:
# these options push the DNS entries to the clients
# All VPN servers have similar setup
--push "dhcp-option DNS 1.2.3.4" --push "dhcp-option DNS 5.6.7.8"

Set up your VPN to push a host route to each of the DNS slave servers. So, all connections to 1.2.3.4 and 5.6.7.8 happen via the VPN system and pop out of the VPN server's public address (e.g. 12.13.14.15):
--push "route 1.2.3.4 255.255.255.255"
--push "route 5.6.7.8 255.255.255.255"

Do this on each VPN connection so no matter what order the VPNs are established they get the same DNS resolvers.

Now back at AWS, set up the security group so it only allows DNS (53) from 12.13.14.15, 22.23.24.25, 32.33.34.35,...

With your DNS servers locked down, only your VPN boxes will be able to resolve against them. This stops sniffers and dictionary attacks against your DNS from script kiddies - important.

With your clients having a host route back to the DNS slaves, via your VPN box, only your clients will be able to access them, and only when they are on the VPN.

With the AWS DNSs set as slaves you can do whatever you want in your masters for x.com, y.com and z.com, and the slaves at AWS will get the updates in a timely manner.

This was not my first solution, but I think it will be the one I am going to build. If you have input on this, please suggest some, if you solved this some other way, please let me know. --tls
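The two halves of the design above, the OpenVPN push stanza and the locked-down slave on the AWS side, written out as configuration. This is an added example, not the poster's files: the resolver addresses, VPN public addresses and zone names are the ones used in the post, the ACL name "vpn-servers" and the 192.0.2.x master addresses are placeholders I introduced, and the file paths are assumed.

```conf
# --- /etc/openvpn/server.conf, identical stanza on every VPN server (added example) ---
# Hand every client the same two resolvers, whichever VPN came up first.
push "dhcp-option DNS 1.2.3.4"
push "dhcp-option DNS 5.6.7.8"
# Host routes so queries to the resolvers always leave through this tunnel and
# arrive at AWS from this server's public address (e.g. 12.13.14.15).
push "route 1.2.3.4 255.255.255.255"
push "route 5.6.7.8 255.255.255.255"

# --- /etc/named.conf on the AWS slave ns_xy (1.2.3.4); ns_xz is the same with its own EIP ---
# Only the VPN servers' public addresses may talk to this server at all.
acl "vpn-servers" {
    12.13.14.15;
    22.23.24.25;
    32.33.34.35;
};

options {
    directory "/var/named";
    listen-on { any; };
    # Second layer behind the security group: refuse anyone who is not a VPN server.
    allow-query { vpn-servers; };
    allow-recursion { vpn-servers; };
    # Nobody pulls zone data from the slaves.
    allow-transfer { none; };
};

# Secondary copies of the private zones; masters stay wherever they live today
# (192.0.2.x are placeholder master addresses).
zone "x.com" {
    type slave;
    file "slaves/x.com.db";
    masters { 192.0.2.10; };
};

zone "y.com" {
    type slave;
    file "slaves/y.com.db";
    masters { 192.0.2.20; };
};

zone "z.com" {
    type slave;
    file "slaves/z.com.db";
    masters { 192.0.2.30; };
};
```

Two things have to be true for this to work: each VPN server must source-NAT tunnel traffic (e.g. an iptables MASQUERADE rule on its public interface), otherwise queries reach AWS from the client's 10.x tunnel address and are refused by both the security group and the `allow-query` ACL; and each master must permit transfers to the slaves' EIPs (`allow-transfer { 1.2.3.4; 5.6.7.8; };` on the master, plus `also-notify` if you want updates pushed rather than waiting for the refresh timer).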
 