Hi,

On Tue, Aug 23, 2016 at 11:23:29AM -0400, Selva Nair wrote:
> It was agreed to move this forward by looking into the approaches
> suggested by Selva, and by giving him feedback.
> 
> So what is the consensus? Should we support DNS through all tunnels for
> which block-outside-dns is specified or just make sure DNS works through at
> least one of the tunnels if the option is used on multiple ones?

"principle of least astonishment" (POLA) would be "DNS inside the tunnels
works, outside the tunnels doesn't, no matter which tunnel was opened
first".  "DNS does not work at all" is the worst variant, because a normal
user (including most "client admins") will not be able to see why this
would be happening - I can already see this with normal users, Win10 and
OpenVPN, that they never attribute it to DNS failures if "outlook does not
work"...

You had some suggestions upthread how to change the WFP stuff to make
it cooperate (and perform) better - so "feature-ACK" on that approach :-)

gert


-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de


------------------------------------------------------------------------------
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
