On Thu, 23 Jul 2015, Tommy Pauly wrote:

> I’d like to see if the working group has interest in adding support for a list
> of split-DNS domains to the configuration payload for IKEv2. Existing
> split-tunnel VPN solutions often use a configuration in which only a private
> domain is resolved using the VPN’s DNS server, and all other resolutions use
> the physical network’s DNS server.

Yes, I am interested and would add it to our implementation as we have a
clear need for this.

> I am aware that there are other solutions to this problem, including:
> 1. Using DHCP inside the tunnel to get the DNS search domains
> 2. Use the VPN’s private DNS server for all resolutions
> 3. Send out all resolutions to both servers
> 4. Manually configure split domains on client
>
> However, all of these approaches have drawbacks.
> 1. We have not seen DHCP within the IKEv2 tunnel widely deployed, especially
> when almost all of the information is already in the configuration payload
> (assigned addresses, routes, and DNS server addresses).
> 2. Many enterprises have DNS servers that only resolve hosts on their private
> subnet, so using the internal DNS for all resolutions would require a
> significant infrastructure change.
> 3. Sending out multiple queries increases network traffic, has privacy concerns
> (leaking private hostnames on the public network), and performance concerns
> (how long to wait for each to return?)
> 4. Manual configuration is what we currently require for our clients on Mac and
> iOS. This, however, does not allow servers to change the configuration
> dynamically and is not always exposed as an option to the user.

Agreed.

> If people think that it would make sense to add an option to specify multiple
> private domains to scope the usage of the DNS server assigned in the
> configuration payload, I’d like to write up a draft and see if we can get
> server adoption.

I'd hope to get client adoption as well :)

Should such a document include a section on client usage or just specify
the payload formats?

For example, there are some expected behaviours for client cache flushing
on VPN (dis)connect.

There is also a security concern if a third party VPN specifies to send
DNS queries for apple.com or "." to it.

Paul

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
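The client-side handling that Paul's security concern implies, written out as an added example that is not part of this thread and not code from any IKEv2 implementation discussed in it. It assumes the client has already extracted the server's list of split-DNS domains from the configuration payload (the attribute name was not settled at this point, so none is used), and that an administrator or the user has configured which parent domains this particular VPN is allowed to claim. The function and variable names (`accept_split_domains`, `resolver_for`, `allowed_parents`) and the sample domain lists are constructed for illustration. It shows two things the payload format alone does not: a VPN offering "." or a bare TLD is refused outright, and an offered domain is accepted only if it sits under an approved parent, so a third-party VPN cannot claim apple.com; matching is done on label boundaries so that notexample.com is not treated as part of example.com.

```python
"""Client policy for a server-supplied split-DNS domain list (constructed example).

Assumptions: the client already has the offered domains as strings; the
administrator supplies `allowed_parents`. Names here are hypothetical.
"""
from typing import Iterable, List, Tuple


def _labels(name: str) -> List[str]:
    """Normalize a DNS name to lowercase labels, dropping a trailing dot."""
    name = name.strip().lower().rstrip(".")
    return [lbl for lbl in name.split(".") if lbl] if name else []


def _is_subdomain(name: str, domain: str) -> bool:
    """True if `name` equals `domain` or lies under it, matched on label
    boundaries, so 'notexample.com' is NOT under 'example.com'."""
    n, d = _labels(name), _labels(domain)
    return bool(d) and len(n) >= len(d) and n[-len(d):] == d


def accept_split_domains(
    offered: Iterable[str], allowed_parents: Iterable[str]
) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Filter the split-DNS domains a VPN server offers.

    offered         - domains taken from the server's configuration payload
    allowed_parents - domains the administrator permits this VPN to claim;
                      an offered domain is kept only if it equals or lies
                      under one of them (deny by default if the list is empty)
    Returns (accepted, rejected) where rejected pairs each domain with a reason.
    """
    parents = list(allowed_parents)
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for dom in offered:
        labels = _labels(dom)
        if not labels:
            # "." (or an empty string) would route every query to the VPN.
            rejected.append((dom, "root domain would capture all queries"))
            continue
        if len(labels) < 2:
            # A bare TLD ("com") is as good as "." for hijacking purposes.
            # A real client would also consult the public suffix list here
            # to catch multi-label suffixes such as co.uk.
            rejected.append((dom, "too broad: single-label domain or TLD"))
            continue
        if not any(_is_subdomain(dom, p) for p in parents):
            rejected.append((dom, "not under an administrator-approved domain"))
            continue
        accepted.append(".".join(labels))
    return accepted, rejected


def resolver_for(qname: str, split_domains: Iterable[str],
                 vpn_dns: str, physical_dns: str) -> str:
    """Choose the resolver for one query: the VPN's DNS server only for names
    inside an accepted split domain, the physical network's DNS otherwise."""
    if any(_is_subdomain(qname, d) for d in split_domains):
        return vpn_dns
    return physical_dns


if __name__ == "__main__":
    # Constructed input: what a hostile or misconfigured server might offer.
    offered = [".", "com", "apple.com", "corp.example.com", "Notexample.com."]
    acc, rej = accept_split_domains(offered, allowed_parents=["example.com"])
    print("accepted:", acc)
    for dom, why in rej:
        print("rejected:", repr(dom), "-", why)
    print(resolver_for("host.corp.example.com", acc, "10.0.0.53", "192.0.2.53"))
    print(resolver_for("www.apple.com", acc, "10.0.0.53", "192.0.2.53"))
```

The deny-by-default `allowed_parents` list is a deliberate choice: without it the generic checks stop "." and bare TLDs but cannot tell a legitimate corporate domain from apple.com, which is exactly the case a third-party VPN would exploit. The cache-flushing behaviour on (dis)connect that Paul also mentions is outside this snippet; a client applying it would additionally drop any cached answers for the accepted domains when the tunnel goes up or down.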