Windows default DNS server, configurable?



  • Before VPN

    nslookup
    Default Server:  [workDNSServer.workDomain]
    Address:  10.X.X.X

    After VPN

    nslookup
    Default Server:  pfsense.localdomain
    Address:  192.168.1.1

    I have issues at work because some websites (and maybe other resources I've yet to discover) are only accessible inside the work network using the internal IP address. With my home DNS server being the default, I resolve to the external IP address and therefore cannot access the resource from inside the work network.

    So I'm thinking if I can make the work DNS server the default (or basically don't change it after VPN connect), it would solve the problem. But I would still like 192.168.1.1 to be in my list of DNS servers so I can resolve localdomain resources.

    Right now I'm having to add the resources to my hosts file with the internal IP.



  • @meruem:

    > So I'm thinking if I can make the work DNS server the default (or basically don't change it after VPN connect), it would solve the problem. But I would still like 192.168.1.1 to be in my list of DNS servers so I can resolve localdomain resources.

    That makes no sense. If the default DNS is reachable, the requests are sent to it. If the server can't resolve the request, you get a DNS error. A DNS server with lower priority is only requested if the one with higher priority isn't reachable.

    If you want to use hostnames which can only be resolved by your home DNS, but use the work's DNS as default, you have to forward DNS requests from the work DNS to the home DNS, or you add your needed DNS entries to the default DNS as well.


  • johnpoz (LAYER 8 Global Moderator):

    The use of multiple DNS servers that can not answer the same questions the same way is a bad idea..

    You can never really be sure which DNS will be queried.  Windows uses many different things to figure out which DNS is queried; just because you have them listed 1 and 2 doesn't mean that is how it's always going to be queried.

    This is a very common mistake..  The DNS servers you put in your client should be able to resolve the same stuff the same way.  If you want to resolve local stuff then you should point to your server(s) that are authoritative for your local stuff, and have them query or forward to something else that can resolve public stuff.

    Pointing to a local and a public one at the same time is going to give inconsistent results depending on how exactly the client determines which DNS to use.  Once Windows, for example, finds that DNS 2 gives answers when it had an issue with 1, it's not going to go back to 1 unless there are issues with 2, etc..  Getting an NX for a query does not mean that DNS is bad.. how does the DNS resolver know it should check its other DNS?  What if it gets back an SOA vs an NX?  etc. etc..

    If you need to resolve work stuff when you VPN to the remote site, it's prob best to just create hosts file entries on your host for what you need to resolve on the VPN side.

    Your problem is that you want to resolve 2 different local domains with different name servers that are authoritative for their respective local domains.  Your other option would be to run another nameserver, say on your client, that has specific forwards set up for where to go ask for specific local domains, and where to forward when it's not a local domain.

    So you could have a forward on this server that asks the work DNS when looking for work domains, and the VPN DNS when looking for VPN domains, etc.

    But splitting nameservers on your client is never going to function the way users think it does.  And it can also be a leak of DNS info, where you're asking the wrong server..  For example the work server might know you're looking for lots of records for some odd local domain.  Or if you're asking your VPN for these work domains, it will either try and resolve them directly, which isn't all too bad, or maybe it forwards to your ISP DNS and now your ISP has records of all these odd queries.  This is only an issue depending on how tight your tinfoil hat is.  But it is another problem with having split DNS on a client where the nameservers do not have the same info on them..
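    As an added illustration of the client-side nameserver with per-domain forwards described above (not configuration from this thread or from any poster), here is an Unbound forward-zone setup; the zone name workdomain.example and the work DNS address 10.0.0.53 are placeholders for the real work domain and the 10.X.X.X server, and 9.9.9.9 stands in for whichever public resolver you choose.

    ```conf
    # unbound.conf on the client: one local resolver, deterministic routing by domain.
    server:
        interface: 127.0.0.1
        access-control: 127.0.0.0/8 allow
        # Both private zones are answered by internal servers that are not
        # DNSSEC-signed, so do not try to validate them.
        domain-insecure: "workdomain.example"
        domain-insecure: "localdomain"

    # Work names go only to the work DNS (reachable over the VPN tunnel).
    forward-zone:
        name: "workdomain.example"   # placeholder for the real work domain
        forward-addr: 10.0.0.53      # placeholder for the work DNS server

    # Home names go only to pfSense, which is authoritative for localdomain.
    forward-zone:
        name: "localdomain"
        forward-addr: 192.168.1.1

    # Everything else goes to a public resolver; neither private server sees it.
    forward-zone:
        name: "."
        forward-addr: 9.9.9.9        # placeholder public resolver
    ```

    The Windows adapter then lists 127.0.0.1 as its only DNS server, so the resolver-selection behaviour johnpoz describes never comes into play, and each internal server only ever sees queries for its own domain.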



  • @johnpoz:

    > The use of multiple DNS servers that can not answer the same questions the same way is a bad idea..
    >
    > You can never really be sure which DNS will be queried.  Windows uses many different things to figure out which DNS is queried; just because you have them listed 1 and 2 doesn't mean that is how it's always going to be queried.
    >
    > This is a very common mistake..  The DNS servers you put in your client should be able to resolve the same stuff the same way.  If you want to resolve local stuff then you should point to your server(s) that are authoritative for your local stuff, and have them query or forward to something else that can resolve public stuff.
    >
    > Pointing to a local and a public one at the same time is going to give inconsistent results depending on how exactly the client determines which DNS to use.  Once Windows, for example, finds that DNS 2 gives answers when it had an issue with 1, it's not going to go back to 1 unless there are issues with 2, etc..  Getting an NX for a query does not mean that DNS is bad.. how does the DNS resolver know it should check its other DNS?  What if it gets back an SOA vs an NX?  etc. etc..
    >
    > If you need to resolve work stuff when you VPN to the remote site, it's prob best to just create hosts file entries on your host for what you need to resolve on the VPN side.
    >
    > Your problem is that you want to resolve 2 different local domains with different name servers that are authoritative for their respective local domains.  Your other option would be to run another nameserver, say on your client, that has specific forwards set up for where to go ask for specific local domains, and where to forward when it's not a local domain.
    >
    > So you could have a forward on this server that asks the work DNS when looking for work domains, and the VPN DNS when looking for VPN domains, etc.
    >
    > But splitting nameservers on your client is never going to function the way users think it does.  And it can also be a leak of DNS info, where you're asking the wrong server..  For example the work server might know you're looking for lots of records for some odd local domain.  Or if you're asking your VPN for these work domains, it will either try and resolve them directly, which isn't all too bad, or maybe it forwards to your ISP DNS and now your ISP has records of all these odd queries.  This is only an issue depending on how tight your tinfoil hat is.  But it is another problem with having split DNS on a client where the nameservers do not have the same info on them..

    That's true.. didn't think about it that way. Thank you!

