VPN is a horribly complex thing. Let's concentrate on the kind of VPN we both seem to have.
In this kind the VPN client software creates a new network interface that has an IP address of the intranet it tunnels to. Then it creates routes for all IP networks/ranges that make up that intranet. Then there are two things where there are choices:
1) Default gateway. What about all IP traffic that is not for the intranet? That can be handled as either DualAccess or SingleAccess.
1a) DualAccess means that all other IP traffic is NOT routed through the VPN interface. This means that it will flow the usual way, as if you did not use the VPN client at all. From your description I guess that the option you switched off put your client into this mode.
1b) SingleAccess means that ALL traffic is routed through the intranet. So every access to perlmonks is routed into your intranet and from there into the internet. This usually only makes sense if you do the VPN over a connection that is not internet-connected. Some ISPs have special dial-in networks that have no connection to the internet but only to VPN access points. Then you need this mode.
2) DNS servers. What happens if you type in "www.intranet.mycompany.com"? That webserver is obviously not reachable from the internet, but it is from your VPN connection. But what about its name resolution?
2a) All public: It may be that your company puts all DNS records for the internal servers into the public DNS. Then I can get their IP addresses from every DNS server in the world. That is fast, but not every company wants the whole world to know its internal names and IPs.
2b) Internal servers: The other way is to let only the intranet-internal nameservers know these names. But then you HAVE to ask one of them for every query that might be for an internal host. The VPN client will therefore set the internal name servers into your config on connect. Now every DNS query will be tunneled to your intranet. Hey, that can be slooow... (ping times up to 2 seconds here)
'2b' is the problem I posted the solution for. That script will act as a "DNS proxy": it will forward all queries to all configured name servers and relay the first successful answer. So you enter one DNS server from your ISP and one from your intranet. The ISP's name server will deny the existence of "www.intranet.mycompany.com", but my script will not be fooled and will wait until the intranet's server either confirms that or provides an IP address. And queries for www.perlmonks.org will be answered by the ISP's name server long before the query even reaches the intranet's name servers...
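The selection rule the post describes (send one query to every configured server, relay a positive answer at once, but do not trust an NXDOMAIN until every server has spoken), as an added illustration in Python rather than the poster's own Perl script. `select_reply`, `forward` and `make_reply` are names chosen here; the replies in the test are constructed, header-only packets, and replies whose transaction ID does not match the query are ignored so a stray or spoofed packet cannot be relayed.

```python
import socket
import struct

# DNS header: id, flags, qdcount, ancount, nscount, arcount (RFC 1035 4.1.1)
HEADER = struct.Struct("!HHHHHH")
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def header(packet):
    """Return (id, rcode, ancount) from a raw DNS message."""
    msg_id, flags, _qd, an, _ns, _ar = HEADER.unpack_from(packet)
    return msg_id, flags & 0x000F, an


def select_reply(query_id, replies, expected):
    """Pick the reply to relay, or None if we must keep waiting.
    A positive answer wins immediately; a negative one (NXDOMAIN or an
    empty answer section) is only relayed once all `expected` servers
    have replied, so the ISP's NXDOMAIN cannot hide the intranet's record."""
    valid = [r for r in replies if header(r)[0] == query_id]  # drop mismatched IDs
    for r in valid:
        _, rcode, an = header(r)
        if rcode == RCODE_NOERROR and an > 0:
            return r
    if valid and len(valid) >= expected:
        return valid[0]
    return None


def forward(query, servers, timeout=2.0):
    """Send `query` to every (host, port) in `servers` and relay per select_reply()."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    query_id = header(query)[0]
    replies = []
    try:
        for addr in servers:
            sock.sendto(query, addr)
        while True:
            data, _ = sock.recvfrom(4096)
            replies.append(data)
            chosen = select_reply(query_id, replies, len(servers))
            if chosen is not None:
                return chosen
    except socket.timeout:
        return select_reply(query_id, replies, len(replies))  # best we have, may be None
    finally:
        sock.close()


def make_reply(query_id, rcode, ancount):
    """Constructed header-only response (QR, RD, RA set) for demonstration."""
    return HEADER.pack(query_id, 0x8180 | rcode, 1, ancount, 0, 0)
```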