Cisco VPN having DNS problems

Kenneth Porter shiva at sewingwitch.com
Fri Jul 23 20:10:05 UTC 2004


--On Friday, July 23, 2004 11:06 AM -0500 joel schaubert 
<joel4700 at sbcglobal.net> wrote:

> 1) have others seen problems with DNS over cisco VPN with FC2?

Yes! I suspect it's a configuration issue at the Cisco end, but I don't 
control that end and can't be sure.

One problem with Cisco's VPN is that it insists on replacing resolv.conf 
with one that references the peer's DNS servers and adds the peer's domain 
name to the search list. I don't want that, so I "chattr +i 
/etc/resolv.conf" to make the file immutable. (Even root can't overwrite 
without removing this flag.)

My regular resolv.conf searches my LAN domain and consults BIND running on 
the same box.

I find that with the VPN up BIND can't resolve PTR records (reverse 
lookups) and some forward lookups, notably those for the peer's external 
domain (which is the same as his internal domain) intermittently fail. 
Alas, that blocks email in weird ways, particularly email between me and 
the peer.

The other admin has removed WINS and DNS server listings on his end, but 
I'm still seeing the problem, so I'm not sure what I can do now. A query on 
comp.dcom.cisco suggested that "split DNS" be enabled at the Cisco end.

Kernel is 2.6.5-1.358 (custom recompiled to add BSD PTY support). Client is 
4.0.4B.

I thought I could diagnose this with tcpdump, but it won't dump packets 
going to the Cisco interface, claiming it's down. The packets don't show up 
in a dump of my external interface (eth1).

Curiously, I can query PTR records if I directly query a known 
authoritative server for the netblock with dig, but recursive query with 
BIND doesn't work.
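As an added example (not from the original post or thread), a POSIX shell check that compares a resolv.conf against a known-good baseline and reports the nameservers and search domains a VPN client injected, which is the overwrite described above; the baseline and VPN-written contents are constructed samples, not files from the poster's system.

```shell
#!/bin/sh
# Added example: detect a resolv.conf rewritten by a VPN client by comparing
# it with a known-good baseline. Both texts below are constructed samples.
BASELINE='search lan.example
nameserver 127.0.0.1'

# Constructed sample of what a VPN client might write: the peer's resolver
# first and the peer's domain prepended to the search list.
VPN_WRITTEN='search peer.example lan.example
nameserver 10.0.0.53
nameserver 127.0.0.1'

# resolv_field TEXT KEYWORD -> every value of that keyword, one per line,
# in file order (e.g. all nameserver addresses or all search domains).
resolv_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 == key { for (i = 2; i <= NF; i++) print $i }'
}

# resolv_added BASELINE CURRENT KEYWORD -> values present in CURRENT but
# absent from BASELINE, one per line; empty output means nothing was added.
resolv_added() {
    base=$(resolv_field "$1" "$3")
    cur=$(resolv_field "$2" "$3")
    printf '%s\n' "$cur" | while IFS= read -r v; do
        [ -n "$v" ] || continue
        printf '%s\n' "$base" | grep -qxF -- "$v" || printf '%s\n' "$v"
    done
}

# resolv_check BASELINE CURRENT -> returns 0 when CURRENT carries no extra
# nameservers or search domains, 1 (after listing them) when it does.
resolv_check() {
    ns=$(resolv_added "$1" "$2" nameserver)
    sd=$(resolv_added "$1" "$2" search)
    [ -z "$ns" ] && [ -z "$sd" ] && return 0
    [ -n "$ns" ] && printf 'injected nameserver: %s\n' $ns
    [ -n "$sd" ] && printf 'injected search domain: %s\n' $sd
    return 1
}

# Stand-alone run over the constructed samples.
if resolv_check "$BASELINE" "$VPN_WRITTEN"; then
    echo "resolv.conf matches baseline"
else
    echo "resolv.conf was rewritten by something else (VPN client?)"
fi
```

On a live system, feed `resolv_check "$BASELINE" "$(cat /etc/resolv.conf)"` from cron or a VPN up/down hook to notice the rewrite instead of discovering it through failed lookups.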
