20100530

silly vpn hack

I finally got frustrated by the inability of /etc/resolv.conf to do what I'd say in pseudocode:

if domain==example.com; then nameserver=1.2.3.4
else nameserver=4.3.2.1

since I need that when I'm on my VPN to example.com.

So, round one of the hack is to tell dhclient to use my local nameserver, and do it with named.

So, in /etc/dhclient.conf, I have:

interface "wlan0" {
    prepend domain-name-servers 127.0.0.1;
}


and I have the following snippets in named.conf:

...
options {
    ...
    forwarders {
        4.3.2.1;
    };
    ...
};

zone "example.com" IN {
    type forward;
    forwarders {
        1.2.3.4;
    };
};


The only problem I have yet to figure out is how to dynamically update the 4.3.2.1 in /etc/namedb/named.conf as I roam from network to network. There doesn't appear to be a hook in dhclient to say 'run this command when my IP address changes' or 'run this command when I get a new lease' or anything useful like that....

All this is with FreeBSD-current, but these techniques should work back to at least FreeBSD 6.x.

Finally, does anybody know a good way to quote code (as opposed to text) in blogger.com? By default, it seems, all leading whitespace is eaten, which makes this post look ugly.

4 comments:

jhb said...

Err, doesn't /sbin/dhclient-script provide hooks to run any arbitrary command or script on any dhclient event? I think you could hook into that for updating your named.conf.

FWIW, the way I normally see VPNs handled is that all DNS queries are sent internally to a DNS server that can resolve both internal and external names.

Warner Losh said...

/sbin/dhclient-script is run when dhclient events happen. However, it doesn't allow you to run arbitrary commands without hacking the shell script itself. It does all the stuff itself. I'd have to hack it to do what I want, and then track the changes to it each time I do an installworld.

I don't want to send all my DNS traffic via the corporate firewall just because I have the VPN up. I only use the VPN for traffic to my employer, and nothing else. It is generally best to not have some remote DNS server doing queries on your behalf, since we live in a world where things are optimized for your location (both geographically and network-wise).

TJ said...

Can't you use the script keyword inside your interface declaration to run your own local dhclient-script?

Anonymous said...

The dhclient-script has two functions that call out to dhclient-enter-hooks and dhclient-exit-hooks, if they exist, to run arbitrary local commands. I use the exit-hooks routine to specify alternate execution instructions to apply addresses to my Mac as the ipconfig calls in the standard script don't really service me.
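As an added example that is not code from the original post or any of its comments: a /etc/dhclient-exit-hooks fragment that closes the roaming gap described in the post by regenerating only the global forwarders list from the DHCP-supplied nameservers, using the exit-hooks mechanism the last comment mentions. It assumes that FreeBSD's dhclient-script sets $reason, $interface and $new_domain_name_servers when it sources the hooks file, and that the global forwarders have been moved out of named.conf into a separate file pulled in with an include statement inside the options block; the path /etc/namedb/forwarders.conf and the function names are my own choices. The static example.com forward zone stays in named.conf and is never rewritten. Because the server list comes from whatever DHCP server happens to be on the current network, each address is validated as an IPv4 literal before it is written, so a hostile lease cannot smuggle named.conf syntax into the file.

```shell
#!/bin/sh
# Added example, not code from the original post. Intended to be installed
# as /etc/dhclient-exit-hooks; FreeBSD's dhclient-script sources that file
# with $reason, $interface and $new_domain_name_servers set (assumption:
# check your own /sbin/dhclient-script). The global forwarders live in a
# separate file that named.conf's options block pulls in with
#     include "/etc/namedb/forwarders.conf";
# (assumed layout) so the static example.com forward zone is never touched.

FWD_FILE=${FWD_FILE:-/etc/namedb/forwarders.conf}

# Accept only dotted-quad IPv4 literals with every octet <= 255. DHCP option
# data is untrusted input; rejecting anything else keeps a rogue DHCP server
# from injecting named.conf syntax (a "};" followed by zones of its own).
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print a forwarders block for a whitespace-separated server list. Returns 1
# and prints nothing when no server validates, so the caller leaves the
# previous file in place instead of writing an empty forwarders clause.
make_forwarders() {
    valid=""
    for s in $1; do
        valid_ipv4 "$s" && valid="$valid $s"
    done
    [ -n "$valid" ] || return 1
    echo "forwarders {"
    for s in $valid; do
        printf '    %s;\n' "$s"
    done
    echo "};"
}

# Rewrite the forwarders file only on events that carry a lease for wlan0,
# write it atomically (temp file plus rename), then ask named to reload.
update_named_forwarders() {
    iface=$1
    why=$2
    servers=$3
    [ "$iface" = "wlan0" ] || return 0
    case "$why" in
        BOUND|RENEW|REBIND|REBOOT) ;;
        *) return 0 ;;
    esac
    block=$(make_forwarders "$servers") || return 1
    tmp="$FWD_FILE.tmp.$$"
    printf '%s\n' "$block" > "$tmp" && mv "$tmp" "$FWD_FILE" && rndc reload
}

# Entry point when sourced by dhclient-script; a no-op when run by hand.
# To exercise it manually (constructed values):
#   reason=BOUND interface=wlan0 new_domain_name_servers="4.3.2.1" sh /etc/dhclient-exit-hooks
if [ -n "${reason:-}" ]; then
    update_named_forwarders "${interface:-}" "$reason" "${new_domain_name_servers:-}"
fi
```

The temp-file-and-rename step means named never reads a half-written forwarders clause, and if every address in the lease fails validation the hook exits nonzero and keeps the previous file rather than leaving named with no forwarders at all. Note that this only handles the roaming side of the split: when the VPN comes up, the example.com zone still forwards to the fixed 1.2.3.4 from the post, exactly as before.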