OpenVPN DNS Settings Not Propagating to Browsers

Official client software for OpenVPN Access Server and OpenVPN Cloud.
tfelidae
OpenVpn Newbie
Posts: 1
Joined: Tue Mar 02, 2021 6:36 am


Post by tfelidae » Mon Aug 23, 2021 11:44 pm

We currently use OpenVPN Access Server with split tunneling w/ custom DNS rules in Route53 that route corp traffic through special IPs exposed at the edge so that employees are able to access hidden tools and services that are obscured from regular customer traffic (don't ask why we do this; it's got something to do with the fact that AWS ELBs change IPs a lot and that split tunneling requires static IPs).

Because of this, we have a tiered DNS system: if users try to access those internal tools, it first contacts the Private Route53 DNS, then it contacts 1.1.1.1 if there's a cache miss.

For the vast majority of employees working here, this system seems to work. When we're connected to VPN & perform a request to, say, example.com/SpecialAdminTool, it will use the IPs listed in the Private Hosted Zone (let's say, for the sake of example, it is 192.192.192.192) and resolve there. When we're off VPN & perform a request, it will use the public IPs for the domain.

However, two employees have been running into issues with this system for some reason, namely they are unable to resolve the IPs in the private hosted zone, but only in their browsers (Chrome, Firefox & Safari were tested). The weird part about this is that when they perform an nslookup/dig example.com, it resolves via our Private DNS, namely it shows the IPs listed in our Private DNS. But when they're in browsers, it contacts the Public DNS instead of Private for some inexplicable reason.

We've tried clearing the system cache, browser cache, everything, to no avail. We were wondering if anyone else has encountered the same issue and whether or not you've found a solution for this. This seems to be a client-side issue on the macOS client, which is why I am posting it here.

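A check a practitioner would run on the affected Macs for the symptom described in the post (dig/nslookup return the private hosted zone's IPs, the browser does not), written here as an added example that is not part of the post and not OpenVPN's own code. It resolves the same name two ways: through the OS resolver (getaddrinfo, the path the VPN client's pushed DNS settings apply to) and directly over DNS-over-HTTPS to a public resolver, which is how a browser with "secure DNS" / DoH enabled resolves names on its own, bypassing the OS resolver entirely. That a browser-level DoH setting explains the two employees' behaviour is an inference from the symptom, not something the post confirms. Assumptions not taken from the post: Python 3, network access when run for real, Cloudflare's DoH JSON endpoint at https://cloudflare-dns.com/dns-query (chosen because the post names 1.1.1.1 as the fallback), and the private IP 192.192.192.192 / public IP 203.0.113.10 used in the embedded sample data, which are constructed.

```python
"""Compare OS-resolver answers with direct DoH answers for a split-DNS name.

Added diagnostic, not from the forum post or from OpenVPN. Usage while on VPN:

    python3 split_dns_check.py example.com 192.192.192.192
"""
import json
import socket
import sys
import urllib.request

# Assumed DoH JSON endpoint (Cloudflare, same operator as the 1.1.1.1 fallback in
# the post). Point this at whatever DoH server the browser is configured to use.
DOH_JSON_URL = "https://cloudflare-dns.com/dns-query"

A_RECORD_TYPE = 1  # RR type number for an A record


def parse_doh_answer(payload):
    """Extract A-record addresses from a DoH JSON response (application/dns-json).

    Only type-1 (A) records are kept; CNAME hops in the Answer section are ignored.
    Returns an empty set on NXDOMAIN or when there is no Answer section at all.
    """
    return {
        rr["data"]
        for rr in payload.get("Answer", [])
        if rr.get("type") == A_RECORD_TYPE
    }


def doh_resolve(name, url=DOH_JSON_URL):
    """Resolve `name` directly over DoH, bypassing the OS stub resolver like a browser."""
    req = urllib.request.Request(
        f"{url}?name={name}&type=A",
        headers={"accept": "application/dns-json"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_doh_answer(json.load(resp))


def system_resolve(name):
    """Resolve `name` through the OS resolver (getaddrinfo), the path the VPN reconfigures."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {sockaddr[0] for _, _, _, _, sockaddr in infos}


def classify(system_ips, doh_ips, private_ips):
    """Pure decision logic, kept free of I/O so it can be checked with constructed input.

    Verdicts:
      'os-private/doh-public' : the OS resolver sees the private zone and the public
                                DoH resolver does not. A browser that shows public IPs
                                on this machine is resolving on its own (DoH), not
                                through the OS resolver.
      'os-public'             : the OS resolver itself is not using the private zone;
                                the VPN's DNS push is not in effect on this host.
      'both-private'          : the public DoH resolver also returns the private IPs,
                                i.e. the 'private' zone is visible publicly.
      'no-answer'             : neither path resolved the name.
    """
    private_ips = set(private_ips)
    if not system_ips and not doh_ips:
        return "no-answer"
    if not system_ips & private_ips:
        return "os-public"
    if doh_ips & private_ips:
        return "both-private"
    return "os-private/doh-public"


def main(argv):
    if len(argv) < 3:
        print(f"usage: {argv[0]} NAME PRIVATE_IP [PRIVATE_IP ...]", file=sys.stderr)
        return 2
    name, private_ips = argv[1], set(argv[2:])
    system_ips = system_resolve(name)
    try:
        doh_ips = doh_resolve(name)
    except (OSError, ValueError) as exc:  # URLError is an OSError; bad JSON is ValueError
        print(f"DoH query failed: {exc}", file=sys.stderr)
        doh_ips = set()
    print(f"OS resolver : {sorted(system_ips) or '-'}")
    print(f"DoH resolver: {sorted(doh_ips) or '-'}")
    print(f"verdict     : {classify(system_ips, doh_ips, private_ips)}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two caveats, both general macOS/browser facts rather than anything the post states: on macOS, dig and nslookup read /etc/resolv.conf, while getaddrinfo (which Safari and most apps use) consults the per-interface and supplemental resolvers shown by `scutil --dns`, so the script's "OS resolver" line is the better stand-in for a browser that is not doing its own DNS, and it can legitimately differ from dig on the same machine. If the verdict is `os-private/doh-public` but Chrome or Firefox still show the public IPs, check the browser's own DNS setting (Firefox: `network.trr.mode` in about:config, Chrome: "Use secure DNS" under Security settings), since a browser resolving over DoH never sees the resolver the VPN client pushed.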