[c-nsp] VPN-Client, how to work around ISPs faking NXDOMAIN responses

Marc Haber mh+cisco-nsp at zugschlus.de
Mon Jun 22 09:59:14 EDT 2009


Hi,

In Germany, it has become common that the major consumer ISPs do not
answer DNS requests for non-existing hostnames with NXDOMAIN, but
deliver a fake A record instead which points to a web server which
delivers a web page that says helpful things like "the page you
requested does not exist, why don't you try the search engine of our
partner vendor".

Unfortunately, this breaks setups that rely on search domains. For
example, if Example Inc. has its clients configured to search inside
the domain ".example.com", a user who just enters "intranet" into her
browser was correctly led to intranet.example.com. With a "modern"
ISP, the non-qualified domain name "intranet" will lead to the ISP
search help page.

The same thing happens when a Windows box is connected to a corporate
network via the Cisco VPN client, since the DNS servers configured from
the VPN tunnel obviously do not override the DNS servers that are
assigned to the LAN link, but only amend them. So the ISPs' "search
help" breaks the use of unqualified domain names via search domains
even when the client is connected to the VPN and the default route
points to the VPN tunnel.

Can I somehow configure the Cisco router so that the VPN client
actually _overrides_ the DNS servers that are configured on the client,
so that the ISP's name servers are never queried as long as the tunnel
is up?

Actually, how does the client reach the ISP's name servers if the
default route points into the tunnel?

Any hints will be appreciated.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
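A check for the behaviour Marc describes, added here as an example (it is not part of the original post or of any cisco-nsp reply): it sends a resolver a query for a random label under the reserved ".invalid" TLD, which can only exist if the resolver rewrites NXDOMAIN, and classifies the answer. Standard library only; the resolver address passed to `probe_resolver` is whatever server you want to test, e.g. the one the LAN link got from the ISP.

```python
import os
import socket
import struct

def build_query(name, qid=0x1234):
    """Minimal DNS query for an A record of `name` (RD bit set, no EDNS)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)   # QTYPE A, QCLASS IN

def _skip_name(msg, off):
    # Advance past a (possibly compressed) domain name starting at `off`.
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:                # root label: one byte, ends the name
            return off + 1
        off += length + 1

def classify_response(msg):
    # Return (verdict, a_records) for the reply to a name that must not exist.
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4        # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:         # A record: 4-byte IPv4 address
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    if rcode == 3:
        return "honest_nxdomain", addrs
    if rcode == 0 and addrs:                  # NOERROR plus an A record = rewritten
        return "suspected_nxdomain_rewrite", addrs
    return "other_rcode_%d" % rcode, addrs

def probe_resolver(server, timeout=3.0):
    """Ask `server` (an IPv4 address, assumed) for a random name under .invalid."""
    probe = "probe-%s.invalid" % os.urandom(6).hex()   # RFC 6761: must be NXDOMAIN
    query = build_query(probe)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        resp, _ = s.recvfrom(512)
    return classify_response(resp)
```

Run `probe_resolver` once against the ISP's resolver and once against the resolver pushed through the tunnel: only the rewriting one will hand back an A record for the random name.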

