raxod502

Split DNS configuration for Eddie

Hi, I have configured my router to resolve ".lan" hostnames to local addresses, so that I can easily connect to devices on my LAN. However, when I connect to AirVPN, this resolution stops working, since my default DNS servers are changed from my router to AirVPN's. OK, makes sense - but how can I configure Eddie to delegate resolution back to my router specifically for ".lan" hostnames, since those will not be resolved recursively in any case, and do not need to be tunnelled through the VPN? I get the impression that this might be possible by appending custom OpenVPN directives, but the information I've found online about the configuration is spotty and inconsistent. Does anyone have pointers to relevant documentation?

15 hours ago, raxod502 said:

but how can I configure Eddie to delegate resolution back to my router specifically for ".lan" hostnames


It is not possible to configure that. Once the DNS servers are replaced, .lan will be unresolvable.
What you can do is enable custom DNS and fill the Custom answers table at the bottom with your .lan FQDNs with local addresses. Though if your network is more or less dynamic it probably will get tedious to keep up.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Quote
fill the Custom answers table at the bottom with your .lan FQDNs with local addresses

Yeah, I think that would be a no-go, as my addresses are assigned dynamically via DHCP and the IPv6 SLAAC addresses rotate regularly per https://www.rfc-editor.org/rfc/rfc4941. Even if I set up automation to publish the mappings to AirVPN, it seems like poor practice to expose details of my private LAN in (unencrypted) account configuration like that.
 
Quote
Once the DNS servers are replaced, .lan will be unresolvable

Ok, fair enough, if the configured DNS server is non-local. I guess I assumed that the DNS server that AirVPN configured my server to use would be a recursive resolver run by the AirVPN daemon to handle DNS tunnelling, but I see that it's not.

Regardless, it should still be possible to achieve what I want - I could for example set up a simple recursive DNS resolver on my local machine, which would delegate ".lan" queries to my router and all other queries to the AirVPN DNS server. Does that sound right? I guess I'm just surprised this isn't a common enough ask that there's a standard solution.

9 hours ago, raxod502 said:

Even if I set up automation to publish the mappings to AirVPN, it seems like poor practice to expose details of my private LAN in (unencrypted) account configuration like that.


Hello!

In this case you should use your hosts file, so you bypass DNS directly, no need to expose any detail in AirVPN configuration of course. You would need to disable DHCP to have static addresses for the key devices in your LAN, but we don't know if you may like this limitation.

Kind regards
 


My solution when connected, which is not a solution per se, is to simply not use AirDNS. Connected or not, I always use my network's Pi-Hole which forwards my local domain to the router. My router = my ISP's DNS servers, one Quad9 address and two OpenNIC servers are configured as upstream servers. Depends on what you use a VPN for whether this is okay for you. For my use case it's sufficient.


Quote
My solution when connected, which is not a solution per se, is to simply not use AirDNS

If I use my standard public DNS servers, then assuming I trust the operator of those DNS servers to not log my requests, is there any additional reduction in privacy compared to using AirVPN's DNS servers? I imagine in either case the DNS requests are traveling across the network unencrypted, but maybe there is some encapsulation I am unaware of that would make the default configuration more secure? (Besides the request logging policy, if applicable.)
 

1 hour ago, raxod502 said:

I imagine in either case the DNS requests are traveling across the network unencrypted


Well, in the case of AirDNS the requests benefit from the encryption of the VPN tunnel, of course, so men in the middle cannot intercept DNS requests. It is safer to use AirDNS, that's for sure. Though outside of it, maybe DoT or DoH are alternatives.


Quote
in the case of AirDNS the requests benefit from the encryption of the VPN tunnel

But, why would requests to another public DNS server not also be tunnelled by the VPN? I thought all traffic that goes through the default route ought to be tunnelled, but is DNS treated differently somehow?

Of course, I guess this would only apply if I configured the public DNS servers directly on my end machines, rather than allowing them to proxy through the router, which would somewhat defeat the purpose of this whole exercise since I wanted to benefit from my router's ability to resolve local DNS names.

I guess I will put configuring a local recursive resolver on my project list - that is, a resolver running on my own machine that I could point the AirVPN client at, and then that resolver would divert queries either to my router (for ".lan") or to the standard AirVPN DNS servers (for everything else). That sounds doable, right, assuming that I have the wherewithal to write the code?
 

6 hours ago, raxod502 said:

I thought all traffic that goes through the default route ought to be tunnelled, but is DNS treated differently somehow?


Hello!

That's correct, the routing and the firewall rules are not infringed and the queries are not treated differently. However, you may create specific environments where DNS queries are not tunneled even when everything is properly set up and Network Lock is enabled. A typical example is when you force your router address as DNS server of the machine connected to the Internet. Network Lock won't stop the traffic to this router, thus the DNS query will go to the router (outside the VPN tunnel, according to the table) and then the router will forward it on to the Internet from its physical network interface with its "real" (ISP assigned) IP address.

The system is adhering precisely to what it has been told to do, so it is not a DNS leak, but at the end of the day the outcome is equivalent from the client's point of view.
 
6 hours ago, raxod502 said:

I guess I will put configuring a local recursive resolver on my project list - that is, a resolver running on my own machine that I could point the AirVPN client at, and then that resolver would divert queries either to my router (for ".lan") or to the standard AirVPN DNS servers (for everything else). That sounds doable, right, assuming that I have the wherewithal to write the code?


Yes, a good solution at first glance. BIND, dnsmasq, Unbound and PowerDNS offer this feature.

Kind regards
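The split resolver that raxod502 sketches and the staff reply endorses, written out as an added example (not code from the thread, from AirVPN, or from any of the resolvers named above): a minimal UDP forwarder that parses the question name out of each query and relays names under `.lan` to the router and everything else to the VPN-provided resolver. The router address 192.168.1.1 and the VPN resolver address 10.4.0.1 are constructed placeholders, and `build_query` exists only to construct wire-format input for the example.

```python
import socket

# Constructed addresses for this example: the LAN router that knows *.lan, and a placeholder for the VPN-pushed resolver.
ROUTER_DNS = ("192.168.1.1", 53)
VPN_DNS = ("10.4.0.1", 53)
LOCAL_SUFFIXES = ("lan",)

def parse_qname(packet: bytes) -> str:
    """Return the question name of a DNS query in wire format, lower-cased."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    labels, pos = [], 12            # question section follows the 12-byte header
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:           # compression pointers never appear in a query QNAME
            raise ValueError("compression pointer in question")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels).lower()

def choose_upstream(qname: str):
    """Names under a local suffix go to the router; everything else to the VPN resolver."""
    labels = qname.rstrip(".").lower().split(".")
    return ROUTER_DNS if labels[-1] in LOCAL_SUFFIXES else VPN_DNS

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a recursion-desired query for `name`; used here to construct example input."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    header = txid.to_bytes(2, "big") + b"\x01\x00\x00\x01" + b"\x00" * 6
    return header + qname + b"\x00" + qtype.to_bytes(2, "big") + b"\x00\x01"

def serve(listen=("127.0.0.1", 53)):
    """Relay each query to its upstream and return the answer to the client unchanged."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(listen)
        while True:
            data, client = sock.recvfrom(4096)
            try:
                upstream = choose_upstream(parse_qname(data))
            except (ValueError, IndexError):
                continue            # drop malformed queries instead of guessing an upstream
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
                up.settimeout(3)
                up.sendto(data, upstream)
                try:
                    sock.sendto(up.recv(4096), client)
                except socket.timeout:
                    pass
```

Only the `.lan` branch leaves the tunnel, which is the behaviour the staff answer warns about, so the suffix match is deliberately exact on the last label: `lan.example.com` still goes to the VPN resolver.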
 
