[Openvpn-devel] [S] Change in openvpn[master]: iservice: set adapter DNS only with search domains
cron2 has uploaded a new patch set (#2) to the change originally created by d12fk. ( http://gerrit.openvpn.net/c/openvpn/+/1429?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by selvanair Change subject: iservice: set adapter DNS only with search domains .. iservice: set adapter DNS only with search domains With NRPT the adapter name server configuration is not needed theoretically. However DNS config is not showing with traditional tools like ipconfig if they are left out. More importantly if there are no DNS servers configured for an adapter the adapter specific search domains are not recognized by the Windows resolver. However, adding the servers to the adapter has the side effect, that general look-ups are now also done using this adapter, which might come as unexpected and yield wrong results, if there is some trickery happening with the default DNS, for example. As a workaround, set the adapter DNS only when strictly needed. Github: OpenVPN/openvpn#473 Change-Id: I6debe8bbedd5a08da417bfee1243a43ef6df7980 Signed-off-by: Heiko Hund Acked-by: Selva Nair Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1429 Message-Id: <[email protected]> URL: https://www.mail-archive.com/[email protected]/msg34968.html Signed-off-by: Gert Doering --- M src/openvpnserv/interactive.c 1 file changed, 12 insertions(+), 4 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/29/1429/2 diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 6f04f6b..9327dfa 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -2869,11 +2869,19 @@ goto out; } -/* Set name servers */ -err = SetNameServerAddresses(iid, msg->addresses); -if (err) +/* + * Set DNS on the adapter for search domains to be considered. + * If split DNS is configured, do this only when search domains + * are given, so that look-ups for other domains do not go over + * the VPN all the time. + */ +if (msg->search_domains[0] || !msg->resolve_domains[0]) { -goto out; +err = SetNameServerAddresses(iid, msg->addresses); +if (err) +{ +goto out; +} } /* Set search domains, if any */ -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1429?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I6debe8bbedd5a08da417bfee1243a43ef6df7980 Gerrit-Change-Number: 1429 Gerrit-PatchSet: 2 Gerrit-Owner: d12fk Gerrit-Reviewer: plaisthos Gerrit-Reviewer: selvanair Gerrit-CC: openvpn-devel ___ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [S] Change in openvpn[master]: iservice: set adapter DNS only with search domains
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1429?usp=email ) Change subject: iservice: set adapter DNS only with search domains .. iservice: set adapter DNS only with search domains With NRPT the adapter name server configuration is not needed theoretically. However DNS config is not showing with traditional tools like ipconfig if they are left out. More importantly if there are no DNS servers configured for an adapter the adapter specific search domains are not recognized by the Windows resolver. However, adding the servers to the adapter has the side effect, that general look-ups are now also done using this adapter, which might come as unexpected and yield wrong results, if there is some trickery happening with the default DNS, for example. As a workaround, set the adapter DNS only when strictly needed. Github: OpenVPN/openvpn#473 Change-Id: I6debe8bbedd5a08da417bfee1243a43ef6df7980 Signed-off-by: Heiko Hund Acked-by: Selva Nair Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1429 Message-Id: <[email protected]> URL: https://www.mail-archive.com/[email protected]/msg34968.html Signed-off-by: Gert Doering --- M src/openvpnserv/interactive.c 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 6f04f6b..9327dfa 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -2869,11 +2869,19 @@ goto out; } -/* Set name servers */ -err = SetNameServerAddresses(iid, msg->addresses); -if (err) +/* + * Set DNS on the adapter for search domains to be considered. + * If split DNS is configured, do this only when search domains + * are given, so that look-ups for other domains do not go over + * the VPN all the time. + */ +if (msg->search_domains[0] || !msg->resolve_domains[0]) { -goto out; +err = SetNameServerAddresses(iid, msg->addresses); +if (err) +{ +goto out; +} } /* Set search domains, if any */ -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1429?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I6debe8bbedd5a08da417bfee1243a43ef6df7980 Gerrit-Change-Number: 1429 Gerrit-PatchSet: 2 Gerrit-Owner: d12fk Gerrit-Reviewer: plaisthos Gerrit-Reviewer: selvanair Gerrit-CC: openvpn-devel ___ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [S] Change in openvpn[master]: iservice: set adapter DNS only with search domains
Attention is currently required from: d12fk, plaisthos. selvanair has posted comments on this change by d12fk. ( http://gerrit.openvpn.net/c/openvpn/+/1429?usp=email ) Change subject: iservice: set adapter DNS only with search domains .. Patch Set 1: Code-Review+2 (1 comment) Patchset: PS1: Lightly tested on Windows 10 -- does what it says and avoids dns query over VPN except for specified "resolve-domains". With both search-domains and resolve-domains set, this is not ideal but there seems to be no easy way around it. In that case, the original intent of NRPT rule is preserved -- i.e not sending internal name queries to non-vpn interfaces which is good. -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1429?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I6debe8bbedd5a08da417bfee1243a43ef6df7980 Gerrit-Change-Number: 1429 Gerrit-PatchSet: 1 Gerrit-Owner: d12fk Gerrit-Reviewer: plaisthos Gerrit-Reviewer: selvanair Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Attention: d12fk Gerrit-Comment-Date: Wed, 10 Dec 2025 01:41:51 + Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes ___ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [S] Change in openvpn[master]: iservice: set adapter DNS only with search domains
Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/1429?usp=email
to review the following change.
Change subject: iservice: set adapter DNS only with search domains
..
iservice: set adapter DNS only with search domains
With NRPT the adapter name server configuration is not needed
theoretically. However DNS config is not showing with traditional
tools like ipconfig if they are left out. More importantly if
there are no DNS servers configured for an adapter the adapter
specific search domains are not recognized by the Windows resolver.
However, adding the servers to the adapter has the side effect, that
general look-ups are now also done using this adapter, which might
come as unexpected and yield wrong results, if there is some trickery
happening with the default DNS, for example.
As a workaround, set the adapter DNS only when strictly needed.
Change-Id: I6debe8bbedd5a08da417bfee1243a43ef6df7980
Signed-off-by: Heiko Hund
---
M src/openvpnserv/interactive.c
1 file changed, 12 insertions(+), 4 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/29/1429/1
diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index 6f04f6b..9327dfa 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
@@ -2869,11 +2869,19 @@
goto out;
}
-/* Set name servers */
-err = SetNameServerAddresses(iid, msg->addresses);
-if (err)
+/*
+ * Set DNS on the adapter for search domains to be considered.
+ * If split DNS is configured, do this only when search domains
+ * are given, so that look-ups for other domains do not go over
+ * the VPN all the time.
+ */
+if (msg->search_domains[0] || !msg->resolve_domains[0])
{
-goto out;
+err = SetNameServerAddresses(iid, msg->addresses);
+if (err)
+{
+goto out;
+}
}
/* Set search domains, if any */
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1429?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I6debe8bbedd5a08da417bfee1243a43ef6df7980
Gerrit-Change-Number: 1429
Gerrit-PatchSet: 1
Gerrit-Owner: d12fk
Gerrit-Reviewer: plaisthos
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
___
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
