QuickVPN - How to point to an external DNS server?

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by OpticalMan, Jan 21, 2007.

  1. OpticalMan

    OpticalMan LI Guru Member

    Well, I’ve been holding my breath for a long time now for Linksys to allow QuickVPN users to set an alternate DNS server. Currently, the client is forced to use the hosting router IP address as the DNS server. I realize that anyone can manually change the DNS server after connecting in the network adapter properties window, but that is a bit much to ask of remote users to do every time. I needed an alternative automatic solution.

    So, I have investigated more into the handshaking process of QuickVPN and have arrived at a temporary solution until Linksys implements something for real. I created an additional program that when installed on a QuickVPN client computer it will allow a custom DNS IP address to be used (configured with an INI file). The program basically intercepts the wget command and adjusts the vpnserver.conf file to the appropriate DNS server IP address.

    Here is a link to the program to download. The instructions to install & configure it are inside the zip file.


    I have tested this with the RV082 router only. I presume it should work with all the QuickVPN enabled routers.

  2. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    That's a neat solution!

    To paraphrase, you don't want to use the DNS server on the VPN server’s network and would like the choice to resolve domain names to IP addresses locally. After the IP address is resolved from the domain name, the VPN client will choose whether the destination IP address in the packets represents the remote VPN gateway’s network or can be sent in the clear to the Internet. If you resolve the address on an external DNS, the IP address will almost invariably resolve to an address which is publicly routable on the Internet...sending your traffic out to the Internet.

    Personally, I see this as a security issue. In fact, resolving the domain name 1st at the remote gateway’s DNS server makes sense since the domain name might resolve to an IP address on the inside of the remote network. If the remote network is running its own DNS server (like mine is) to resolve domains that are managed at the remote network (like breezy.ca in my case), then the IP address will be resolved properly to an address reachable inside the VPN. The packets will naturally travel in the VPN, therefore making the whole solution more secure. This is good design in the Quick VPN solution. I suppose one-size-fits-all solutions don't work for everyone however. It would be neat if they had a check box in the VPN setup on the gateway to turn off the use of the server's own DNS server if the user requires this. I wouldn't hold your breath that this feature will find its way into QuickVPN, however, since it is likely to confuse most users.

    To recap:
    1) give the VPN gateway a "chance" to resolve the domain name 1st, then;
    2) if it doesn't resolve to the network protected by the VPN, route the traffic to the Internet (or wherever);
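
Added example, not part of the original thread: the gateway-first resolution described in the post above, worked through on constructed data to show which names change path when only an external DNS server is used. The hostnames, addresses and the 192.168.1.0/24 protected subnet are assumptions, not values from QuickVPN or from anyone's network.

```python
import ipaddress

# Constructed sample data: the subnet behind the VPN gateway, and the answers
# two resolvers would give for the same names.
PROTECTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]
GATEWAY_DNS = {
    "files.corp.example": "192.168.1.20",  # internal-only record
    "mail.corp.example": "192.168.1.25",   # split-horizon, internal view
    "www.example.org": "203.0.113.80",
}
EXTERNAL_DNS = {
    "mail.corp.example": "198.51.100.25",  # split-horizon, public view
    "www.example.org": "203.0.113.80",
}

def path_for(ip, protected_nets=PROTECTED_NETS):
    """Classify a destination: inside the protected subnet means tunnel."""
    if ip is None:
        return "unresolved"
    addr = ipaddress.ip_address(ip)
    return "tunnel" if any(addr in net for net in protected_nets) else "clear"

def resolve_gateway_first(name, gateway_dns, external_dns):
    """Recap steps 1 and 2: ask the gateway's DNS first, then fall back."""
    return gateway_dns.get(name) or external_dns.get(name)

def compare_resolvers(names, gateway_dns=GATEWAY_DNS, external_dns=EXTERNAL_DNS):
    """Map each name to (path with gateway-first DNS, path with external DNS only)."""
    report = {}
    for name in names:
        gw_path = path_for(resolve_gateway_first(name, gateway_dns, external_dns))
        ext_path = path_for(external_dns.get(name))
        report[name] = (gw_path, ext_path)
    return report

def changed_by_external_dns(report):
    """Names that stay in the tunnel only when the gateway's DNS is asked first."""
    return sorted(n for n, (gw, ext) in report.items()
                  if gw == "tunnel" and ext != "tunnel")

if __name__ == "__main__":
    rep = compare_resolvers(sorted(GATEWAY_DNS))
    for name, (gw, ext) in rep.items():
        print(f"{name:22} gateway-first={gw:8} external-only={ext}")
    print("affected:", changed_by_external_dns(rep))
```
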

  3. joby

    joby LI Guru Member

    Hi OpticalMan,

    Been struggling to find a solution to this "alternate DNS server" issue. This looks like an interesting little workaround. My only question is which version of Quick VPN has it been tested with - we're using 1.1.00 which has the certificate bits in it.

    I tried another vpnserver.conf fix (change the dns and make it read only), but this doesn't work as the file needs to be writeable to negotiate the cert. security by the looks of things - I assume this fix worked for the pre-cert versions of QuickVPN.

    Would be grateful for the info as this is so close to a very nice solution, just need to change the DNS for a 100% working system :thumbup:
  4. QuimaxW

    QuimaxW Network Guru Member

    Is this file hosted anywhere else? When I attempt to download it I get a server error of "file not found"
  5. Disman_ca

    Disman_ca Super Moderator Staff Member Member

    Nope not that I know.
  6. QuimaxW

    QuimaxW Network Guru Member

    I wonder if anyone has a copy they'd be willing to send me then.