[Openswan Users] Centos Resolv.conf and Openswan
Paul Wouters
pwouters at redhat.com
Fri Apr 20 11:46:15 EDT 2012
On Wed, 18 Apr 2012, Mitsuo Yazawa wrote:
> All of my software, scripts, etc. are working correctly inside the IPSec tunnel.
>
> When I resolve DNS via 8.8.8.8 it works perfectly (it goes to the Eth0 interface)
>
> But if I resolve via 10.1.1.11 (the DNS server in the right-subnet of the IPSec tunnel), it tries to do DNS from Eth0, and not
> tap0.
How are you doing resolving to 10.1.1.11?
What does your /etc/resolv.conf look like?
What I would recommend as solution is to run a local resolver (with
dnssec) and update it via the updown script. For example, when using
the unbound dns server and pointing /etc/resolv.conf to only use
127.0.0.1, you can give the following commands:
unbound-control forward 10.1.1.11
unbound-control forward 8.8.8.8
Alternatively you can also leave the machine to use 8.8.8.8 but only
resolve some domains via the internal dns, for example:
unbound-control forward_add redhat.com 10.1.1.11 10.1.1.12
unbound-control forward_remove redhat.com
unbound-control flush_zone redhat.com
If you are using XAUTH, and the remote end (cisco) gives you the
DNS domain name and forwarders via XAUTH, and you have a running
unbound daemon, then openswan (as of 2.6.38) already reconfigures
unbound for you via the default updown scripts.
Using these, I get a seamless transition for the domain redhat.com,
whether I am on the Red Hat VPN or not. If my VPN is up, my laptop
contacts redhat.com via the VPN. When I bring it down, my DNS cache
is flushed and it uses the external redhat.com.
Paul
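The split-DNS setup Paul describes (forward_add on tunnel up, forward_remove plus flush_zone on tunnel down) as a custom updown wrapper, added here as an illustration; this is not Openswan's shipped _updown script nor code from the thread. It assumes Openswan calls the script with PLUTO_VERB set to up-client/down-client, that the real updown script lives at /usr/libexec/ipsec/_updown (adjust the path for your distribution), that unbound is listening on 127.0.0.1 and resolv.conf points only there, and it takes the domain and forwarder addresses from the VPN_DOMAIN and VPN_DNS environment variables (redhat.com and 10.1.1.11/10.1.1.12 here are the thread's values used as defaults; a hypothetical non-XAUTH setup would set them in the script or in ipsec.conf via leftupdown).

```shell
#!/bin/sh
# Added example: unbound split-DNS updown wrapper for Openswan.
# Install as e.g. /usr/local/libexec/ipsec/_updown-unbound and set
#   leftupdown=/usr/local/libexec/ipsec/_updown-unbound
# on the connection in ipsec.conf (assumed layout, not Openswan's default).
#
# PLUTO_VERB is exported by pluto when it calls the updown script.
# VPN_DOMAIN / VPN_DNS are assumptions of this example, not Openswan variables.

UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"
REAL_UPDOWN="${REAL_UPDOWN:-/usr/libexec/ipsec/_updown}"   # assumed path
VPN_DOMAIN="${VPN_DOMAIN:-redhat.com}"
VPN_DNS="${VPN_DNS:-10.1.1.11 10.1.1.12}"

# Print, one per line, the unbound-control commands to run for an updown verb.
# Kept separate from execution so the mapping can be checked without unbound.
dns_commands_for_verb() {
    case "$1" in
        up-client|up-host)
            # Route queries for the internal domain to the DNS servers inside the tunnel.
            echo "forward_add $VPN_DOMAIN $VPN_DNS"
            ;;
        down-client|down-host)
            # Stop forwarding, then drop cached internal answers so stale
            # (and no longer reachable) tunnel-side addresses are not served.
            echo "forward_remove $VPN_DOMAIN"
            echo "flush_zone $VPN_DOMAIN"
            ;;
        *)
            # prepare-*, route-*, unroute-*: nothing to do for DNS.
            return 0
            ;;
    esac
}

# Run the commands for the verb; fail loudly if unbound-control refuses one.
apply_dns_commands() {
    verb="$1"
    dns_commands_for_verb "$verb" | while read -r cmd; do
        # shellcheck disable=SC2086  (word splitting of $cmd is intended)
        $UNBOUND_CONTROL $cmd >/dev/null || {
            logger -t updown-unbound "unbound-control $cmd failed for $verb"
            exit 1
        }
    done
}

# Only act when invoked by pluto; sourcing the file for testing does nothing.
if [ -n "$PLUTO_VERB" ]; then
    apply_dns_commands "$PLUTO_VERB"
    # Hand over to the real updown so routes and firewall rules are still handled.
    exec "$REAL_UPDOWN" "$@"
fi
```

Because the DNS change happens on up-client and is undone on down-client, the same hostnames resolve to internal addresses only while the tunnel exists, which is the seamless transition described above; the flush_zone on the way down is what prevents answers learned over the tunnel from lingering in the cache afterwards.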