Local vs VPN DNS Name Resolution

Posted: Sat May 24, 2014 7:28 pm
by NOYB
OpenVPN server set up to force "all" traffic through tunnel and provide DNS server to clients.
Although this works, the clients still resolve names with the local DNS also.

If an address is returned by both the VPN DNS and local DNS, which one is used by the client?
I'm guessing the first one returned would be used.

But since the connection is actually going to be through the VPN it seems that would be the proper address to use.

Is there any way to prevent queries for non-local names from being made to the local DNS?
Without local access being blocked of course.


Client config on Windows 8.1 Pro

dev tun
persist-tun
persist-key
cipher AES-256-CBC
tls-client
client
resolv-retry infinite
remote sub.domain.tld 1194 udp
verify-x509-name "OpenVPN Server Certificate" name
auth-user-pass
pkcs12 pfsense-udp-1194-USER1.p12
tls-auth pfsense-udp-1194-USER1-tls.key 1
ns-cert-type server
comp-lzo

Server Config on pfSense 2.1.3 (FreeBSD 8.3-RELEASE-p16)

dev ovpns2
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 49.54.161.77
tls-server
server 192.168.22.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server2.php via-env
tls-verify /var/etc/openvpn/server2.tls-verify.php
lport 1194
management /var/etc/openvpn/server2.sock unix
max-clients 9
push "route 192.168.2.0 255.255.255.0"
push "dhcp-option DOMAIN noyb"
push "dhcp-option DNS 192.168.2.1"
push "redirect-gateway def1"
client-to-client
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.4096
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo
persist-remote-ip
float
topology subnet
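A resolver comparison check, added here as an illustration and not part of the thread: it sends the same A query directly to the tunnel DNS the server config above pushes (192.168.2.1) and to a local resolver (10.0.0.1 is a constructed placeholder for whatever the hotspot hands out), then reports the names for which the two answers differ, which is how you would confirm whether the local resolver is returning different addresses than the VPN one.

```python
import socket
import struct

def build_query(name, qid=0x4242):
    # 12-byte header (id, flags with RD=1, QDCOUNT=1), then QNAME labels, QTYPE=A, QCLASS=IN
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(pkt, off):
    # walk the labels; a length byte with the top two bits set is a 2-byte compression pointer
    while pkt[off] and pkt[off] & 0xC0 != 0xC0:
        off += 1 + pkt[off]
    return off + (2 if pkt[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(pkt, qid):
    # return the sorted IPv4 answers from a response that carries our transaction id
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:  # non-zero RCODE (NXDOMAIN, SERVFAIL, ...)
        return []
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return sorted(addrs)

def resolve_via(server, name, qid=0x4242, timeout=2.0):
    # ask one specific resolver directly on UDP/53, bypassing the OS resolver entirely
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, qid)

def compare_resolvers(tunnel_dns, local_dns, names):
    findings = {}
    for name in names:
        answers = {"tunnel": resolve_via(tunnel_dns, name), "local": resolve_via(local_dns, name)}
        if answers["tunnel"] != answers["local"]:
            findings[name] = answers
    return findings
```

Run it as `compare_resolvers("192.168.2.1", "10.0.0.1", ["example.com"])` while connected; a disagreement for a non-local name means the two resolvers are not giving the same view (split horizon or a spoofing resolver), and on OpenVPN 2.3.9 and later Windows clients the `block-outside-dns` option (also pushable from the server) stops the client from querying non-tunnel resolvers at all.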

Re: Local vs VPN DNS Name Resolution

Posted: Wed May 28, 2014 5:40 pm
by NOYB
This appears to be a security hole for OpenVPN Windows clients. Public hotspots can provide name resolution addresses that send even OpenVPN Windows clients to malicious sites.