I'm not even sure if Split DNS is the right term.
I've spent the last hour or so googling and searching through these forums, but I haven't found anything about it. Basically, I would like to be able to have users use their own DNS when they are connected to the VPN EXCEPT anything *.localnet. So, www.google.com will go to their DNS, www.corporate.localnet will go to my DNS, or at least resolve to the correct IP.
I only need to do this with a limited amount of IPs (about 15), but it would be nice to be able to find a way to transparently do this so my users don't have to edit their hosts files, but I have yet to find a way to do it.
Anyone have ideas/leads/flames?
Split DNS - Is this possible?
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 2
- Joined: Fri Sep 02, 2011 4:39 am
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: Split DNS - Is this possible?
Hi there,
AFAIK a system queries one DNS server at a time;
if it fails to answer then it checks the secondary and so on.
I don't know if you can configure your resolver the way you want
(at least using the standard OS resolvers: Win, Linux),
but you can do various things on the server side....
What exactly are you trying to accomplish?
Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)
"objects in mirror are losing"
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Split DNS - Is this possible?
This also depends on the client OS - some OSes have support for domain-specific DNS servers (MacOS, Linux); I'm not sure if it's possible on Windows.
-
- OpenVPN User
- Posts: 28
- Joined: Wed Aug 24, 2011 9:08 am
Re: Split DNS - Is this possible?
If you're trying to resolve the correct IP (probably internal) you could set up a DNS server with a zone .localnet and push it over the VPN.
All other stuff outside your zone you recurse, for example, to Google's DNS and will resolve to the correct external IP.
In our company we use PowerDNS combined with PowerAdmin, which is easy to set up, uses a database and is extremely fast.
-
- OpenVpn Newbie
- Posts: 2
- Joined: Fri Sep 02, 2011 4:39 am
Re: Split DNS - Is this possible?
Goodness, I don't know where my time has gone. Sorry it has taken me so long to come back around and explain what I am trying to do:
Basically, we host a small environment that is only accessible via the OpenVPN setup that we have. I know we can force our users to use our DNS, but if possible we would like to find a way to resolve only for some domains, but it doesn't look like that is going to be possible.
Recursing everything seems to be our only solution, which we would like to avoid since we don't want to know what people are going to, and don't want to be passing on user-space DNS lookups, as these are students connecting to the VPN, and god only knows what kind of insane DNS requests we'd be sending out.
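As an added example (not from any post in this thread): the per-domain choice the thread asks for, written as the decision a local stub forwarder would make for each query, so that only names under `localnet` ever reach the VPN-side resolver. `INTERNAL_DNS`, the function names and the sample queries are assumptions constructed for illustration; only the `localnet` zone comes from the thread.

```python
import struct

INTERNAL_ZONE = "localnet"   # zone named in the thread
INTERNAL_DNS = "10.8.0.1"    # assumption: placeholder VPN-side resolver


def parse_qname(packet: bytes) -> str:
    """Return the first question name from a DNS query in wire format."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("not a DNS query with a question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        if length == 0:
            return ".".join(labels)
        if length > 63:  # longer values are pointers/reserved, not plain labels
            raise ValueError("unexpected label type")
        label = packet[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "replace"))
        pos += 1 + length


def in_zone(qname: str, zone: str = INTERNAL_ZONE) -> bool:
    """Match on a label boundary, case-insensitively."""
    name = qname.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def pick_upstream(packet: bytes, client_dns: str) -> str:
    """Only names under the internal zone go to the VPN resolver."""
    return INTERNAL_DNS if in_zone(parse_qname(packet)) else client_dns


def build_query(name: str) -> bytes:
    """Constructed sample input: a minimal A-record query for `name`."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    for n in ("www.corporate.localnet", "www.google.com", "notlocalnet"):
        print(n, "->", pick_upstream(build_query(n), "192.0.2.53"))
```

Matching on the label boundary matters here: a plain suffix test would send `notlocalnet` to the internal resolver, while `localnet.example.com` correctly stays with the user's own DNS.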