DNS magic

Suggestions/comments/criticisms are welcome here

Ikarius

Posts: 3
Joined: Sat Jan 31, 2009 3:42 am

Post by Ikarius » Tue Feb 03, 2009 8:00 am
Okay, so I'll throw in a suggestion for some DNS magic here, as to make it work, it really needs client-side "special-sauce".

One option which would be absolutely awesome, would be to allow per-domain DNS redirection across VPN tunnels.

The situation I'm thinking of is this; if you have a mobile client (like a laptop), and a VPN server someplace, there are times when you really don't want to nuke the DNS servers on the local network, as they are the only source of information about the local subnet.

Say you set your VPN up at home, and your home's DNS domain is "myhouse.com". You're at work, and at work, your local domain is "mywork.com". The DNS server at home has the only authoritative information about "*.myhouse.com", and the DNS server at work has the only authoritative information about "*.mywork.com". For internet access, the highest likelihood of "ideal" answers is from the local DNS servers, as they will receive correct location-based answers for things such as akamai-caches.

From what I know of DNS resolver libraries, I believe it is impossible to configure a client to ask different DNS servers about different domains. If you have multiple DNS servers configured, the local resolver will always attempt one server (usually the first in its list), and only try other servers if that server does not answer at all; if the DNS server answers "I don't know that" (the technical answer is NXDOMAIN), that's considered valid and the resolver library simply returns, indicating it's an unknown hostname.

So, in order to do this "magic", Viscosity would need to:
a. Pretend it's a DNS server: set itself up to respond to DNS queries on 127.0.0.1
b. Point the resolver library at itself (i.e. 127.0.0.1 goes into /etc/resolv.conf).
c. Look at incoming DNS queries; if they are queries with a domain attached to an active VPN session, forward them to the DNS server at the other end of the VPN connection, then forward the answers back to the clients. All other DNS queries go to the pre-existing DNS servers.

If there was ONE piece of additional functionality I'd love to see, this would be it. And I know, it's not trivial. However, it would go a long ways towards allowing VPN connections to "just work as expected".

Cheers
Ross
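The three steps above describe a split-horizon DNS forwarder: a listener on 127.0.0.1 that reads the question name out of each query, matches it against the domains of the active tunnels, and relays the query to that tunnel's DNS server, sending everything else to the resolvers the local network handed out. The following is an added example of that design, not Viscosity's code or anything from Sparklabs. The domain suffixes and upstream addresses in ROUTES and DEFAULT_UPSTREAM are constructed for illustration; the routing uses longest-suffix matching so several tunnels can be active at once, and the forwarder checks that a reply carries the transaction ID of the query it sent before handing it back to the client.

```python
"""Split-horizon DNS forwarder (added example, not Viscosity's implementation).

Each query is routed to an upstream resolver chosen by the longest matching
domain suffix; names that match no tunnel go to the pre-existing local resolver.
"""
import socket
import struct

# Constructed routing table: domain suffix -> (upstream ip, port).
# These addresses are assumptions for illustration, not real infrastructure.
ROUTES = {
    "myhouse.com": ("10.8.0.1", 53),      # DNS server reached over the home VPN
    "mywork.com": ("192.168.1.53", 53),   # the office's own DNS server
}
DEFAULT_UPSTREAM = ("192.168.1.53", 53)   # whatever the local network handed out


def parse_qname(packet: bytes) -> str:
    """Return the lowercase question name from a DNS query in wire format.

    Only the first question is read. Compression pointers are rejected:
    a query's question section has nothing earlier in the packet to point at.
    """
    if len(packet) < 12:
        raise ValueError("packet shorter than DNS header")
    qdcount = struct.unpack_from("!H", packet, 4)[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    return ".".join(labels)


def select_upstream(qname: str, routes=ROUTES, default=DEFAULT_UPSTREAM):
    """Pick the upstream by longest matching suffix (exact name or subdomain).

    'a.myhouse.com' and 'myhouse.com' both match the myhouse.com route;
    'notmyhouse.com' must not, hence the leading-dot check.
    """
    best = None
    for suffix, upstream in routes.items():
        if qname == suffix or qname.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, upstream)
    return best[1] if best else default


def build_query(name: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a minimal recursion-desired query; used here to construct input."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def forward(packet: bytes, timeout: float = 2.0) -> bytes:
    """Relay the query to the chosen upstream and return its reply unchanged."""
    upstream = select_upstream(parse_qname(packet))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, upstream)
        reply, _ = s.recvfrom(4096)
    # Do not hand back a datagram that is not the answer to this query.
    if reply[:2] != packet[:2]:
        raise ValueError("transaction id mismatch")
    return reply


def serve(listen=("127.0.0.1", 53)):
    """Act as the machine's resolver (port 53 needs root) and forward queries.

    Forwarding is done inline, so one slow upstream stalls the loop; a real
    client would hand each query to its own worker.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(listen)
        while True:
            packet, client = srv.recvfrom(4096)
            try:
                srv.sendto(forward(packet), client)
            except (ValueError, socket.timeout):
                pass  # drop malformed queries and forwards that got no answer


if __name__ == "__main__":
    serve()
```

With 127.0.0.1 placed in /etc/resolv.conf, the stub resolver sees a single server that always answers, which sidesteps the behaviour described in the post: an NXDOMAIN from the wrong server is final, so the split has to happen before the query leaves the host rather than by listing several servers and hoping for fallback.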

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Thu Feb 05, 2009 2:36 am
Hi Ross,

This is essentially what we are working on for version 1.1 of Viscosity, so it's on its way. :)

We're hoping to avoid having to run an internal DNS server to implement this by using Leopard's supplemental domain matching support instead. So far some test implementations appear to be working well, so hopefully a beta release of version 1.1 isn't far off.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

Ikarius

Posts: 3
Joined: Sat Jan 31, 2009 3:42 am

Post by Ikarius » Mon Aug 10, 2009 4:23 am
Hey there,
I'm still using Viscosity on a regular basis, and since this post, I've seen a couple of bugfix versions of Viscosity, but I don't yet see a 1.1 beta. Do you have an update on that? I'd still really love to see this feature.

Cheers
Ikarius

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Aug 14, 2009 2:46 am
Hi Ikarius,
Ikarius wrote:
Do you have an update on that?
The beta isn't far away now - I'm afraid as version 1.1 has such a long feature/fix/enhancement list (along with improvements to Viscosity for Mac OS 10.6) we're still not at a stage where a stable beta is available. It's possible we might release another small update (1.0.6) soon to help ease the amount we are trying to cram into the 1.1 release. In short, check back before the end of the month, we should have something for you to download and test out.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

filipp

Posts: 16
Joined: Wed Feb 24, 2010 5:48 pm

Post by filipp » Sun Mar 14, 2010 7:39 pm
This would be totally awesome!

If I understand correctly, it would also fix this current problem:

1. Open connection "A", do a DNS query for "a.mydomain", get a correct internal IP
2. Open connection "B", do a DNS query for "a.mydomain", get an incorrect external IP (or NXDOMAIN)

In other words, currently, only the latest connection's DNS server is queried.
James wrote:
I'm afraid as version 1.1 has such a long feature/fix/enhancement list (along with improvements to Viscosity for Mac OS 10.6) we're still not at a stage where a stable beta is available.
Keep it small! You don't want 1.1 to become TextMate 2.0! ;-)

filipp

Posts: 16
Joined: Wed Feb 24, 2010 5:48 pm

Post by filipp » Thu Apr 22, 2010 5:17 pm