DNS configuration for connected network
Posted: Wed Jan 05, 2022 3:10 pm
I am looking for a way to configure DNS so that all devices on a connected network can resolve the DNS records that I've added in the OpenVPN admin portal.
I have set up two connected networks using these instructions https://openvpn.net/cloud-docs/connecti ... onnectors/ . Site-to-site routing is working fine from all devices on both networks. On the two Windows 2019 servers that are running the OpenVPN connector the DNS resolution is working fine locally. I can resolve my OpenVPN DNS records as well as public names. On all other network devices, the OpenVPN names cannot be resolved.
Note: The Windows servers are only providing routing to the OpenVPN network, and are not set up as NAT servers. NAT is provided by the local routers.
As a work-around, I have added local DNS records in each of the routers so that the name resolution works, but this doesn't scale up well. Ideally I want to be able to manage DNS records using the admin portal only and not have to duplicate the effort on all connected routers as well.
Is there a recommended way to accomplish this for connected networks?
Re: DNS configuration for connected network
Posted: Thu Jan 06, 2022 1:54 pm
The OpenVPN Cloud DNS server is internal-only. Meaning that the records you put in here are not broadcast to the entire world, but are only available in the DNS servers in OpenVPN Cloud. So if you want to resolve DNS records that exist in these servers, then you are going to have to ensure that those records get resolved through the DNS server in OpenVPN Cloud.
If your computers are not directly connected to OpenVPN Cloud, but are connected to a network that has access to OpenVPN Cloud through a network host connector, then the OpenVPN Cloud DNS servers are not known to these indirectly connected computers.
Usually, routers appoint themselves as the DNS server for the local network, and they function as a relay to your Internet service provider's DNS servers. Or they simply take the DNS server addresses provided by your Internet service provider and via DHCP have the computers in the network use those DNS servers directly.
Since you use Windows 2019, a good option could be to use these servers as DNS servers for your network. You might already be doing so. Most routers allow you to configure a DNS server to push to DHCP clients in the network. This DNS server address could be the Windows 2019 server you're running. And on the Windows 2019 server you can configure the DNS server to resolve addresses through the OpenVPN Cloud DNS servers. The client computers in your network would then use the Windows 2019 machine as the DNS server, and that DNS server then forwards requests to OpenVPN Cloud DNS servers.
Another option is to use your router to provide the OpenVPN Cloud DNS servers as the DNS servers for your DHCP client devices in your network. Then all computers in your network would use the OpenVPN Cloud DNS servers. You'd need to ensure the computers are able to reach these DNS servers through the network somehow of course. Since you have site-to-site working this shouldn't be an issue.
You could also configure the router to use the OpenVPN Cloud DNS servers as its upstream DNS servers, and use the router as the network's DNS server.
Something to consider - if you're using DNS records in OpenVPN Cloud that are also published publicly, and you use both public DNS servers and OpenVPN Cloud DNS servers, then you might get different results depending on which one is queried. If the domains you use are not publicly known however then you should always end up with the correct private address, since only OpenVPN Cloud DNS servers know those domains. Also consider that if you use private domain names like I just mentioned and your client computers are using another DNS server, these private domain names might 'leak' to that other DNS server. This may or may not be an issue depending on your situation. If you have for example supersecret.domain.name in OpenVPN Cloud and you use a computer in your network that is indirectly connected to OpenVPN Cloud, and it is using a public DNS server, then that public DNS server would get a request to resolve supersecret.domain.name. In most cases leaking a domain name is not an issue, but it's something to be aware of.
The choice of which way to go - either to configure the router's upstream DNS server to be the OpenVPN Cloud DNS server, or to configure the DHCP server to hand out the DNS server addresses of OpenVPN Cloud DNS servers to your DHCP clients in your network, or to configure the Windows 2019 DNS server to be your main DNS server - depends entirely on how you like to have things set up and the capabilities of your router, and indeed on how things are running now in your network. Usually, but not always, Windows Servers are the main DNS server in the network.
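Added example (not part of the thread above, and not OpenVPN's own code): the first option the reply describes, implemented on the Windows Server 2019 host that runs the connector using the built-in DNS Server role. A conditional forwarder sends queries for the private zone to the OpenVPN Cloud DNS servers only, while every other name still goes to the normal upstream resolvers, which also keeps the private domain from 'leaking' to public DNS as the reply warns. The zone name, the OpenVPN Cloud DNS addresses, the upstream resolver, the DHCP scope and this server's LAN address are all placeholders you must replace; the DnsServer and DhcpServer modules and an elevated session are assumed.

```powershell
# Added example, not from the forum thread or from OpenVPN. Run elevated on the
# Windows Server 2019 host running the OpenVPN connector, with the DNS Server
# role installed (Install-WindowsFeature DNS). The DNS Server becomes the LAN's
# resolver and forwards only the private OpenVPN Cloud zone to OpenVPN Cloud DNS.

# --- Placeholders (assumptions): replace every value below with your own ---
$PrivateZone     = 'supersecret.domain.name'                 # private domain managed in the OpenVPN Cloud admin portal
$OpenVpnCloudDns = @('<OPENVPN-CLOUD-DNS-IP-1>',
                     '<OPENVPN-CLOUD-DNS-IP-2>')             # DNS server addresses shown in your OpenVPN Cloud portal
$PublicUpstream  = @('<ISP-OR-PUBLIC-RESOLVER-IP>')          # upstream resolver for everything that is not the private zone
$DhcpScopeId     = '<LAN-SCOPE-NETWORK-ADDRESS>'             # only needed if this server is also the DHCP server
$ThisServerIp    = '<THIS-SERVER-LAN-IP>'                    # address LAN clients will use as their DNS server

# 1. Conditional forwarder: queries for the private zone go to OpenVPN Cloud DNS
#    only. Other resolvers never see the private names, so nothing leaks there.
if (-not (Get-DnsServerZone -Name $PrivateZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $PrivateZone -MasterServers $OpenVpnCloudDns
}

# 2. Default forwarders for everything else, so public names keep resolving as before.
Set-DnsServerForwarder -IPAddress $PublicUpstream

# 3. Optional: if the DHCP role runs on this server, hand this server out as the
#    DNS server (DHCP option 006) for the LAN scope so other devices pick it up.
#    If the router is the DHCP server, set the same address in its DHCP settings.
if (Get-Command Set-DhcpServerv4OptionValue -ErrorAction SilentlyContinue) {
    Set-DhcpServerv4OptionValue -ScopeId $DhcpScopeId -DnsServer $ThisServerIp
}

# 4. Verification from any LAN client or this host: the private name must return
#    the OpenVPN Cloud address, the public name a normal public address.
Resolve-DnsName -Name "host.$PrivateZone" -Server $ThisServerIp -Type A
Resolve-DnsName -Name 'openvpn.net' -Server $ThisServerIp -Type A
```

The conditional forwarder is the part worth keeping even if you choose the router-based options instead: pointing the whole LAN at the OpenVPN Cloud DNS servers works, but it also means every public lookup has to travel through the site-to-site link, whereas forwarding only the private zone keeps the dependency on the tunnel limited to the names that actually live there.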