1. We need to talk about this setup. Especially the OpenVPN bit... I've 
been trying to build such a thing for a while now and it seems too wizardy 
for my limited mental resources!

2. To throw a thought out there, would creating a DNS server on your local 
machine, listed as the first value in your /etc/resolv.conf, with a forwarder 
linked to the local DNS/a well-known public DNS server work out?

A

Brad Campbell wrote:
>
> G'day all,
>
> Have an optimisation question wrt DNS lookups that one of the list 
> wizards might be able to help
> me with. Firstly I'd better give you a little background into my 
> network configuration though so
> bear with me..
>
> I have a home network (192.168.2.0/24). It has a number of boxes on 
> it. I hate remembering IP
> addresses so I have a local DNS server at home that is authoritative 
> for my .home domain.
>
> I also have a VPN network (10.8.0.0/24) connecting several boxes 
> around the globe to my home network
> using OpenVPN. I hate remembering IP addresses for those too, so I 
> have a .vpn.home subdomain. All
> is good when I'm at home.
>
> I have a laptop. I like to take it outside for a walk.
>
> My laptop has an OpenVPN client that makes sure that within 5 seconds of 
> being connected to any network, I'm also connected to home. My laptop 
> has a dbus-hook that checks my ESSID and other network parameters and 
> knows when I'm not at home.
>
> When I'm not at home it establishes a route to my home network 
> (192.168.2.0/24) over my OpenVPN
> tunnel (tun0/10.8.0.0/24).
>
> All is good with this setup. No matter where I am, I can access my 
> network completely transparently
> and securely. (yay).
>
> Now. I use dhclient to get my dhcp leases (or my default Ubuntu setup 
> does anyway) and when dhclient
> gets a new lease, the 1st thing it does is clobber my /etc/resolv.conf 
> with local details.
>
> This is both good and bad. Good because I can access the world. Bad 
> because I can't resolve my .home
> domain.
>
> This can be solved by editing my /etc/resolv.conf to contain
> search home
> nameserver 192.168.2.1
> as the 1st 2 lines and I've taught dhclient to do that for me as follows
>
> [EMAIL PROTECTED]:~$ cat /etc/dhcp3/dhclient-enter-hooks.d/resolv
> # Redefine dhclient-script's make_resolv_conf so the home nameserver
> # always comes first, ahead of whatever the DHCP lease hands out.
> make_resolv_conf() {
>     if [ -n "$new_domain_name" -o -n "$new_domain_name_servers" ]; then
>         # Find out whether we are going to mount / rw
>         exec 9>&0 </etc/fstab
>         rootmode=rw
>         while read dev mnt type opts dump pass junk; do
>             [ "$mnt" != / ] && continue
>             case "$opts" in
>                 ro|ro,*|*,ro|*,ro,*)
>                     rootmode=ro
>                     ;;
>             esac
>         done
>         exec 0>&9 9>&-
>
>         # Wait for /etc/resolv.conf to become writable
>         if [ "$rootmode" = "rw" ]; then
>             while [ ! -w /etc ]; do
>                 sleep 0.1
>             done
>         fi
>
>         local new_resolv_conf=/etc/resolv.conf.dhclient-new
>         rm -f $new_resolv_conf
>         # Home DNS first: lookups go over the VPN whenever it is up
>         echo search home >>$new_resolv_conf
>         echo nameserver 192.168.2.1 >>$new_resolv_conf
>         if [ -n "$new_domain_name_servers" ]; then
>             for nameserver in $new_domain_name_servers; do
>                 echo nameserver $nameserver >>$new_resolv_conf
>             done
>         else # keep 'old' nameservers (pattern quoted so the shell does not glob it)
>             sed -n '/^[[:space:]]*[Nn][Aa][Mm][Ee][Ss][Ee][Rr][Vv][Ee][Rr]/p' \
>                 /etc/resolv.conf >>$new_resolv_conf
>         fi
>         chown --reference=/etc/resolv.conf $new_resolv_conf
>         chmod --reference=/etc/resolv.conf $new_resolv_conf
>         mv -f $new_resolv_conf /etc/resolv.conf
>     fi
> }
>
> (There is supposedly a better way to do this using the "prepend" 
> phrase in dhclient.conf but I'm
> buggered if I could get it to work, and doing it this way means I'm 
> not editing *any* config files
> and thus will easily survive any package upgrades with no warnings)
>
> Now, all is pretty groovy with this setup..
>
> I'm at someone's office right now and my current /etc/resolv.conf is
> [EMAIL PROTECTED]:~$ cat /etc/resolv.conf
> search home
> nameserver 192.168.2.1
> nameserver 192.168.1.8
>
> So when my vpn is up, all my dns lookups are forced over the vpn, and 
> I can resolve my network (and
> the rest of the world). When my VPN is down that nameserver times out 
> and it all falls back to the
> local nameserver.
>
> Problem is really related to speed.
> At the moment all my lookups go over the vpn. In Dubai that is ok as 
> I'm never more than about 80ms
> from my server. But when I'm away it can be as much as 600ms.
>
> When you list multiple nameservers in /etc/resolv.conf the resolver 
> library tries them in order.
> If I reverse the above order, it tries the local nameserver which 
> tells it that .home is not
> resolvable. The resolver then comes back to the application and pokes 
> its tongue out, singing "nyah
> nyah nyah nyah" while blowing a raspberry. It will only fall through to 
> the next nameserver in case
> of a timeout, rather than a negative response. (Which is a bit rude as 
> far as I'm concerned).
>
> Now, having got all that out of the way, my question is ...... <drum 
> roll please>..
> "Is there any way to get the resolver library to behave in a more 
> socially acceptable fashion and
> ask the other nameservers if they have an answer after getting a 
> negative reply from the first in
> the list".
>
> See, this would allow all my resolvable queries to be fielded by the 
> local servers, and only ask my
> server over the slow link in cases of something they can't reply to 
> (like my .home domain).
>
> I actually documented this here in such length in the hope that 
> someone else might find it useful (
> I know I would have saved ages had google returned more hits on this 
> one ), but the question stands.
>
> Now, the setup works perfectly well as it is.. so well in fact that I 
> just never have to even think
> about it.. I just turn it on and it *just works*, but because it all 
> works so seamlessly well, and I
> run linux (and therefore like to fiddle constantly) I'm kinda getting 
> itchy fingers about having
> something to tweak, fix or fiddle with.. thus my quest to improve that 
> which is already pretty good.
>
> Failing that, I could just dd random data into random blocks on my 
> filesystem which would actually
> give me something to fix, but you see my backup/restore system *just 
> works* too.. so I plug into the
> network at home and boot into my restore CD, and it just rebuilds the 
> system off the server with no
> intervention..
>
> Perhaps I need to run Gentoo and do full system recompiles with 
> tweaked out CFLAGS to give me
> something to do, or even re-grease my CPUs with Arctic Silver 5 to 
> sink that extra 2 degrees of heat.
>
> Brad (who has despaired at the lack of list activity of late and taken 
> a deep vow to change that)
> -- 
> "Human beings, who are almost unique in having the ability
> to learn from the experience of others, are also remarkable
> for their apparent disinclination to do so." -- Douglas Adams
>
>  
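Brad's question (get the stub resolver to ask the next nameserver after a negative answer) has no resolver-library answer: glibc only moves down the nameserver list on timeout, never on NXDOMAIN. The reply's suggestion of a local forwarding DNS is the usual fix, and the hook below is an added example of it, not code from the thread or from Brad's machine. It keeps the shape of Brad's dhclient enter hook but points /etc/resolv.conf at a dnsmasq forwarder on 127.0.0.1, hands the lease's nameservers to dnsmasq through a separate file, and uses dnsmasq's real `server=/domain/address` option so that only `.home` (and therefore `.vpn.home`) is sent to 192.168.2.1 over the VPN. The file path /etc/resolv.dnsmasq, the helper function names and the overridable variables are my assumptions; the fstab/read-only-root handling from the original hook is left out for brevity.

```sh
#!/bin/sh
# Added example, not Brad's hook: split DNS via a local dnsmasq forwarder.
# The libc resolver is pointed at 127.0.0.1 only; dnsmasq sends *.home
# (including *.vpn.home) to the home server over the VPN and everything
# else to whatever nameservers the current DHCP lease supplied.
# Paths are overridable so the functions can be exercised outside /etc.

RESOLV_CONF=${RESOLV_CONF:-/etc/resolv.conf}              # read by the libc resolver
DNSMASQ_UPSTREAM=${DNSMASQ_UPSTREAM:-/etc/resolv.dnsmasq} # read by dnsmasq (assumed path)
HOME_DOMAIN=${HOME_DOMAIN:-home}
HOME_DNS=${HOME_DNS:-192.168.2.1}

# resolv.conf for the stub resolver: only the local forwarder, so the order
# of nameservers in resolv.conf no longer matters and no application ever
# waits on the slow VPN link for a lookup the local network could answer.
write_stub_resolv_conf() {
    _tmp="$RESOLV_CONF.dhclient-new"
    {
        echo "search $HOME_DOMAIN"
        echo "nameserver 127.0.0.1"
    } >"$_tmp"
    mv -f "$_tmp" "$RESOLV_CONF"
}

# Upstream list for dnsmasq: one nameserver line per argument. dnsmasq
# re-reads its resolv-file when it changes, so a new lease takes effect
# without restarting the forwarder.
write_dnsmasq_upstreams() {
    _tmp="$DNSMASQ_UPSTREAM.dhclient-new"
    : >"$_tmp"
    for _ns in "$@"; do
        echo "nameserver $_ns" >>"$_tmp"
    done
    mv -f "$_tmp" "$DNSMASQ_UPSTREAM"
}

# Static dnsmasq settings (put into /etc/dnsmasq.conf once). server=/domain/addr
# matches the domain and all of its subdomains, so vpn.home follows home.
dnsmasq_split_config() {
    echo "listen-address=127.0.0.1"
    echo "bind-interfaces"
    echo "server=/$HOME_DOMAIN/$HOME_DNS"
    echo "resolv-file=$DNSMASQ_UPSTREAM"
}

# dhclient-script calls make_resolv_conf after sourcing the enter hooks, with
# the lease's values in new_domain_name / new_domain_name_servers.
make_resolv_conf() {
    if [ -n "$new_domain_name" ] || [ -n "$new_domain_name_servers" ]; then
        write_stub_resolv_conf
        # unquoted on purpose: the lease gives a space-separated list
        write_dnsmasq_upstreams $new_domain_name_servers
    fi
}
```

With this in place a lookup for a name the office nameserver answers never touches the tunnel, and a lookup for anything under .home goes to 192.168.2.1 regardless of what the lease handed out; when the VPN is down only the .home queries fail, instead of every lookup waiting for a timeout first.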

Yahoo! Groups Links

<*> To visit your group on the web, go to:
    http://groups.yahoo.com/group/dubailug/