Re: [Openvpn-devel] [PATCH] man: extend description for "dhcp-option DNS" on Windows

Thu, 05 Oct 2023 12:05:10 -0700 

Hi,

On Tue, Sep 5, 2023 at 5:41 PM Antonio Quartulli <a...@unstable.cc> wrote:

> From: Antonio Quartulli <anto...@mandelbit.com>
>
> Add an important detail about the DNS configured via this option
> to be an "interface-specific" DNS. This detail is important when
> troubleshooting DNS issues since this logic will bypass the
> routing table.
>
> Signed-off-by: Antonio Quartulli <anto...@mandelbit.com>
> ---
>  doc/man-sections/vpn-network-options.rst | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/doc/man-sections/vpn-network-options.rst
> b/doc/man-sections/vpn-network-options.rst
> index b7f33acd..17c7d4a2 100644
> --- a/doc/man-sections/vpn-network-options.rst
> +++ b/doc/man-sections/vpn-network-options.rst
> @@ -158,6 +158,12 @@ routing.
>          Set primary domain name server IPv4 or IPv6 address.
>          Repeat this option to set secondary DNS server addresses.
>
> +        On Windows this option sets an "interface-specific" DNS, meaning
> +        that the system will try to reach it via the VPN interface,


even if the routing table says otherwise.


> If the wanted DNS is not
>

If the desired DNS server is not

+        expected to be reached via VPN, please don't use this option, but
>

please don't --> do not


> +        rather set the DNS manually (or via DHCP).
>

delete "rather"


> +
>          Note: DNS IPv6 servers are currently set using netsh (the existing
>          DHCP code can only do IPv4 DHCP, and that protocol only permits
>          IPv4 addresses anywhere). The option will be put into the
>

That said, I'm not convinced this is the right way to document this. IMO,
using "--dhcp-option DNS n.n.n" to set a DNS server not reachable through
the tunnel is a misuse of that option on any platform.

Even on "non-windows" one shouldn't do that as it's very reasonable for a
script that handles it to set it on the interface, instead of globally, if
the platform permits it. For example, using systemd-resolved on Linux
(though I'm not totally sure how exactly interface-specific DNS works in
this case).

So, if at all, why not state that the DNS server specified here should be
reachable through the tunnel irrespective of the platform?

Regards,

Selva

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel






















					Reply via email to