Split Tunneling
Split tunneling is a computer networking concept which allows a user to access dissimilar security domains like a public network (e.g., the Internet) and a local LAN or WAN at the same time, using the same or different network connections. This connection state is usually facilitated through the simultaneous use of a Local Area Network (LAN) Network Interface Card (NIC), radio NIC, Wireless Local Area Network (WLAN) NIC, and VPN client software application without the benefit of access control.
For example, suppose a user utilizes a remote access VPN software client connecting to a corporate network using a hotel wireless network. The user with split tunneling enabled is able to connect to file servers, database servers, mail servers and other servers on the corporate network through the VPN connection. When the user connects to Internet resources (Web sites, FTP sites, etc.), the connection request goes directly out the gateway provided by the hotel network. However, not every VPN allows split tunneling. Some VPNs with split tunneling include Private Internet Access (PIA), ExpressVPN, and Surfshark.
Context
In mycompany.com we have a lot of internal networks that are available only via VPN.
These are on the same domain mycompany.com, but in different networks:
10.165.248.252 - git.mycompany.com
10.236.142.18 - jira.mycompany.com
152.68.167.141 - test.mycompany.com
Is there any possibility to provide the top-level domain (mycompany.com) instead of single links in the domain for VPN tunneling? E.g., instead of providing single subdomains:
- git.mycompany.com
- jira.mycompany.com
- test.mycompany.com
Notes
Use a specific DNS nameserver for a given domain
Given
- I use a VPN to connect to my work network
- I'm on a Linux computer that uses systemd-resolved
- I have a work domain called example.com
- example.com is hosted by both public and private DNS nameservers
- Both public and private nameservers claim to be authoritative for example.com
- There are no public hosts in example.com
- The public resolvers for example.com resolve all queries to a parked hosting webpage
- The private resolvers for example.com contain all correct DNS records for private hosts
I need to
- Resolve private hosts in example.com when connected to VPN
Ref
Solution
Approach 1
Use dnsmasq.
It’s very flexible and allows all kinds of different setups for this, including directing specific domains to specific DNS upstreams. Since most corporate networks rely on a small handful of primary domains, this usually works fine, and it’s simple to setup without polluting your local hosts file.
The configuration directive is something like:
server=/example.com/10.0.0.0
Then, any requests for example.com or its subdomains will be forwarded to 10.0.0.0. Setting more than one server for the same domain will use them in order, so another line with server=/example.com/8.8.4.4 will use Google DNS if the internal DNS lookup fails. Makes it fairly seamless.
Note that NXDOMAIN isn't a failure, it's an authoritative "there's nothing there". There are additional configuration parameters that can be set to make dnsmasq cascade on NXDOMAIN values. Check out the manual: http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
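Added example (not code from the answer or from dnsmasq) that models the forwarding rule described above: it parses server= lines, routes a name to the most specific configured domain, and falls back to the next server only on a failure such as SERVFAIL, while an NXDOMAIN from the private resolver is treated as final. The config fragment and the upstream behaviour in fake_query are constructed for illustration.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed dnsmasq fragment: private resolver first, public fallback second.
DNSMASQ_CONF = """
server=/example.com/10.0.0.0
server=/example.com/8.8.4.4
server=1.1.1.1
"""
Answer = Tuple[str, Optional[str]]  # (rcode, rdata)

def parse_server_lines(conf: str) -> Dict[str, List[str]]:
    """Map domain ('' = default upstream) -> servers, in configuration order."""
    rules: Dict[str, List[str]] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line.startswith("server="):
            continue
        value = line[len("server="):]
        if value.startswith("/"):  # server=/domain/address form
            _, domain, server = value.split("/", 2)
            domain = domain.lower().rstrip(".")
        else:
            domain, server = "", value
        rules.setdefault(domain, []).append(server)
    return rules

def upstreams_for(name: str, rules: Dict[str, List[str]]) -> List[str]:
    """Pick the most specific (longest) configured suffix matching name."""
    name = name.lower().rstrip(".")
    matches = [d for d in rules if d and (name == d or name.endswith("." + d))]
    return rules.get(max(matches, key=len, default=""), [])

def forward(name: str, rules: Dict[str, List[str]],
            query: Callable[[str, str], Answer]) -> Answer:
    """Try upstreams in order; cascade only on SERVFAIL, never on NXDOMAIN."""
    last: Answer = ("SERVFAIL", None)
    for server in upstreams_for(name, rules):
        rcode, rdata = query(server, name)
        if rcode in ("NOERROR", "NXDOMAIN"):
            return rcode, rdata  # authoritative, including "nothing there"
        last = (rcode, rdata)
    return last

def fake_query(server: str, name: str) -> Answer:
    """Constructed upstreams: private resolver knows hosts, public one parks."""
    private = {"git.example.com": ("NOERROR", "10.1.2.3"),
               "down.example.com": ("SERVFAIL", None)}
    if server == "10.0.0.0":
        return private.get(name, ("NXDOMAIN", None))
    return "NOERROR", "203.0.113.10"
```

The strict in-order fallback is an assumption taken from the answer's wording; real dnsmasq balances between the servers listed for a domain unless strict-order is configured.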
Reference
- https://en.wikipedia.org/wiki/Split_tunneling
- https://github.com/dlenski/vpn-slice/issues/4
- https://github.com/dlenski/vpn-slice/issues/15
- https://github.com/dlenski/vpn-slice/issues/68
- https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215383-asa-anyconnect-dynamic-split-tunneling.html
- https://woland.com/2020/03/30/dynamic-split-tunneling-a-covid-19-best-practice/