Netgate Discussion Forum
    Windows default DNS server, configurable?

    OpenVPN
    4 Posts 3 Posters 1.2k Views
    meruem

      Before VPN

      nslookup
      Default Server:  [workDNSServer.workDomain]
      Address:  10.X.X.X

      After VPN

      nslookup
      Default Server:  pfsense.localdomain
      Address:  192.168.1.1

      I have issues at work because some websites (and maybe other resources I've yet to discover) are only accessible inside the work network using the internal IP address. With my home DNS server being the default, I resolve to the external IP address and therefore cannot access the resource from inside the work network.

      So I'm thinking that if I can make the work DNS server the default (or basically don't change it after VPN connect), it would solve the problem. But I would still like 192.168.1.1 to be in my list of DNS servers so I can resolve localdomain resources.

      Right now I'm having to add the resources to my hosts file with the internal IP.

      viragomann

        @meruem:

        So I'm thinking that if I can make the work DNS server the default (or basically don't change it after VPN connect), it would solve the problem. But I would still like 192.168.1.1 to be in my list of DNS servers so I can resolve localdomain resources.

        That makes no sense. If the default DNS server is reachable, the requests are sent to it. If that server can't resolve the request, you get a DNS error. A DNS server with lower priority is only queried if the one with higher priority isn't reachable.

        If you want to use hostnames which can only be resolved by your home DNS, but use the work DNS as default, you have to forward DNS requests from the work DNS to the home DNS, or add your needed DNS entries to the default DNS as well.

        johnpoz (Global Moderator)

          The use of multiple DNS servers that cannot answer the same questions the same way is a bad idea.

          You can never really be sure which DNS server will be queried. Windows uses many different things to figure out which DNS server is queried; just because you have them listed as 1 and 2 doesn't mean that is how they are always going to be queried.

          This is a very common mistake. The DNS servers you put in your client should be able to resolve the same stuff the same way. If you want to resolve local stuff, then you should point to your server(s) that are authoritative for your local stuff, and have them query or forward to something else that can resolve public stuff.

          Pointing to a local and a public server at the same time is going to give inconsistent results depending on how exactly the client determines which DNS server to use. Once Windows, for example, finds that DNS 2 gives answers when it had an issue with 1, it's not going to go back to 1 unless there are issues with 2, etc. Getting an NX for a query does not mean that DNS server is bad; how does the resolver know it should check its other DNS server? What if it gets back an SOA vs. an NX? Etc., etc.

          If you need to resolve work stuff when you VPN to a remote site, it's probably best to just create hosts file entries on your host for what you need to resolve on the VPN side.

          Your problem is that you want to resolve 2 different local domains with different name servers that are authoritative for their respective local domains. Your other option would be to run another nameserver, say on your client, that has specific forwards set up for where to go ask for specific local domains, and where to forward when it's not a local domain.

          So you could have a forward on this server that asks the work DNS when looking for work domains, and the VPN DNS when looking for VPN domains, etc.

          But splitting nameservers on your client is never going to function the way users think it does. It can also leak DNS info, where you're asking the wrong server. For example, the work server might now know you're looking for lots of records for some odd local domain. Or if you're asking your VPN DNS for these work domains, it will either try to resolve them directly, which isn't all too bad, or maybe it forwards to your ISP DNS and now your ISP has records of all these odd queries. This is only an issue depending on how tight your tinfoil hat is. But it is another problem with having split DNS on a client where the nameservers do not have the same info on them.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            meruem
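The "run another nameserver on your client with specific forwards" option johnpoz describes (and the per-domain forwarding viragomann mentions) in working form, as an added example that is not code from the thread or from pfSense. It is a minimal split-horizon UDP forwarder in Python: the client lists only 127.0.0.1 as its DNS server, and the forwarder picks the upstream by the longest matching domain suffix, so names under workDomain go to the work DNS, names under localdomain go to pfSense, and everything else goes to a public resolver. The zone names, 10.0.0.53 (standing in for the thread's 10.X.X.X), 9.9.9.9 and the listen port 5353 are assumptions; the sample query in the test is constructed.

```python
"""Minimal split-horizon DNS forwarder (added example, not from the thread).

Each query is relayed to exactly one upstream, chosen by the longest matching
domain suffix, so the client never has to guess which of two servers to ask.
All addresses below are assumptions standing in for the thread's real ones.
"""
import socket
import struct

# Assumed forward map: zone suffix -> upstream resolver (host, port).
# 10.0.0.53 stands in for the work DNS the thread shows as 10.X.X.X.
FORWARD_ZONES = {
    "workdomain": ("10.0.0.53", 53),
    "localdomain": ("192.168.1.1", 53),
}
DEFAULT_UPSTREAM = ("9.9.9.9", 53)  # assumed public resolver for every other name


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a standard DNS query packet (used to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(packet: bytes) -> str:
    """Return the lower-cased question name from a DNS packet."""
    if len(packet) < 12:
        raise ValueError("packet too short for a DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not legal in a question name
            raise ValueError("unexpected compression pointer in question")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    return ".".join(labels)


def choose_upstream(qname: str, zones=FORWARD_ZONES, default=DEFAULT_UPSTREAM):
    """Longest-suffix match: a name is sent to the most specific zone it sits under."""
    qname = qname.lower().rstrip(".")
    best = None
    for zone, upstream in zones.items():
        zone = zone.lower().rstrip(".")
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best[0]):
                best = (zone, upstream)
    return best[1] if best else default


def forward(packet: bytes, upstream, timeout: float = 2.0) -> bytes:
    """Relay one query over UDP and return the upstream's reply unchanged."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, upstream)
        reply, _ = s.recvfrom(4096)
    return reply  # transaction ID already matches, since the packet was relayed as-is


def serve(listen=("127.0.0.1", 5353)) -> None:
    """Accept client queries and relay each to the upstream chosen for its name."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(listen)
        while True:
            packet, client = srv.recvfrom(4096)
            try:
                upstream = choose_upstream(parse_qname(packet))
                srv.sendto(forward(packet, upstream), client)
            except (ValueError, socket.timeout):
                pass  # drop malformed queries and upstream timeouts; the client retries


if __name__ == "__main__":
    serve()
```

Because every name has exactly one upstream, the ordering problem Windows introduces with two listed servers disappears, and the leak johnpoz describes is contained: a lookup for a work name is never sent to the home or public resolver, and a home name is never sent to the work DNS. Note that a name which merely ends in the zone string without a dot boundary (notworkdomain) still goes to the default resolver, which is the behaviour you want.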

            @johnpoz:

            The use of multiple DNS servers that cannot answer the same questions the same way is a bad idea.

            That's true. I didn't think about it that way. Thank you!

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.