DNS and VPN
"Kumar V. Vemuri" <vvkumar@lucent.com> Mon, 23 March 1998 16:10 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id LAA23318 for ipsec-outgoing; Mon, 23 Mar 1998 11:10:09 -0500 (EST)
Message-ID: <35167DB4.7A82@lucent.com>
Date: Mon, 23 Mar 1998 10:20:20 -0500
From: "Kumar V. Vemuri" <vvkumar@lucent.com>
Reply-To: vvkumar@lucent.com
Organization: Bell Labs
X-Mailer: Mozilla 3.01Gold (Win95; I)
MIME-Version: 1.0
To: ipsec@tis.com
Subject: DNS and VPN
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
All,

I've been studying IPSec in the context of VPN for a while now, and was hoping someone could answer the following questions:

a. Consider the case where one has an IPSec client that is connected to multiple corporate sites through a single ISP PPP-link, with packets being transmitted out in tunnel mode to said multiple sites, with IPSec originating at the PC client and not at the ISP RAS. How does one now resolve DNS queries across sites? (E.g., if more than one tunnel is simultaneously active, unless a packet interceptor in the protocol stack intercepts a DNS request and then knows which IPSec tunnel - pardon the use of the term here; what I mean is the stream through which tunnel-mode packets are being transmitted - to send the query through, and modifies the DNS address accordingly, how can the name be resolved? Also, does not Win 95 permit one to have only two choices for DNS? Does this restrict the number of tunnels to a maximum of two?)

I think it is unlikely that the client would know (if incomplete names were used) which DNS server to use to resolve the name, and DNS namespaces hidden within the corporate network namespace would therefore not be accessible - if it knew, and Windows did not permit one to dynamically change the DNS IP, then one would have to intercept the packet in the protocol stack and perform client-side NAT to get to the correct server, right? If FQDNs were used, then I guess one could argue that even though one was limited to two DNS IP addresses in the base OS, one could change IP addresses on outgoing packets to get the query transmitted to the appropriate corporate network destination (or to multiple corporate network destinations in a parallel effort to get the DNS query resolved).

b. Recently, in the mailing list, there was a reference to the SKIX (Symmetric Key Infrastructure Architecture) and X.17 in the context of symmetric manual keying in IPSec. Could someone point me to the appropriate IETF group that is working on this?

Would appreciate any clarifications and/or pointers to information, even if some of you feel these questions are trivial, since I'd really like to get some answers.

Thank You.

--
Kumar V. Vemuri, Member of Technical Staff, Lucent Technologies Bell Labs.
--
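The interceptor the question sketches in (a) can be modelled compactly. The following Python is an added illustration, not code from the original message or from any of the replies in the thread: a client-side DNS dispatcher that parses the outgoing query, picks the tunnel whose corporate suffix matches a fully qualified name, fans an unqualified name out to every active tunnel with that tunnel's search suffix appended, and then accepts an answer only if it came back from the server a copy of that query was actually sent to. The tunnel definitions, the DNS server addresses (10.1.0.53, 10.2.0.53, and 198.51.100.53 standing in for the ISP resolver) and the answer packet are all constructed for the example; the IPsec encapsulation and the socket I/O are deliberately left out, since the point is the routing decision and the destination rewrite, not the transport.

```python
import struct

# Constructed, hypothetical tunnel table: which corporate suffixes live behind
# which tunnel, and the resolver reachable only through that tunnel.
TUNNELS = [
    {"name": "siteA", "suffixes": ("eng.example-a.corp",), "dns": "10.1.0.53"},
    {"name": "siteB", "suffixes": ("example-b.corp",), "dns": "10.2.0.53"},
]
DEFAULT_DNS = "198.51.100.53"  # hypothetical ISP resolver for everything else


def encode_qname(name):
    """Wire-format a dotted name as length-prefixed labels ending in a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype=1):
    """Minimal DNS query: header (RD set) + one question (IN class)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def decode_qname(packet, offset=12):
    """Read an uncompressed name starting at offset; return (name, next offset)."""
    labels = []
    while True:
        n = packet[offset]
        offset += 1
        if n == 0:
            break
        labels.append(packet[offset:offset + n].decode("ascii"))
        offset += n
    return ".".join(labels), offset


def parse_query(packet):
    txid = struct.unpack("!H", packet[:2])[0]
    name, off = decode_qname(packet)
    qtype = struct.unpack("!H", packet[off:off + 2])[0]
    return {"txid": txid, "name": name, "qtype": qtype}


def route_query(packet):
    """Decide where an intercepted query goes.

    Returns a list of (tunnel, destination server, packet to send). A qualified
    name gets exactly one destination (longest matching suffix, else the ISP);
    an unqualified name is fanned out to every tunnel with that tunnel's search
    suffix appended, which is the 'parallel effort' the question describes.
    """
    q = parse_query(packet)
    name = q["name"].lower()
    if "." in name:  # treat any dotted name as fully qualified
        best = None
        for t in TUNNELS:
            for s in t["suffixes"]:
                if (name == s or name.endswith("." + s)) and (best is None or len(s) > len(best[1])):
                    best = (t, s)
        if best is None:
            return [("isp", DEFAULT_DNS, packet)]
        # Same query bytes, only the destination address is rewritten (client-side NAT).
        return [(best[0]["name"], best[0]["dns"], packet)]
    return [
        (t["name"], t["dns"], build_query(q["txid"], name + "." + t["suffixes"][0], q["qtype"]))
        for t in TUNNELS
    ]


def build_response(query, ipv4):
    """Constructed sample answer: echo the question, add one A record via a pointer to it."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ipv4.split("."))
    return header + query[12:] + rr


def accept_response(sent, src_ip, response):
    """Return the tunnel name whose outstanding copy this answer belongs to, else None.

    The interceptor must match the answer against (server it sent to, txid, question
    name); an answer for a corporate name arriving from the ISP resolver, or from the
    wrong tunnel's resolver, is dropped rather than handed back to the application.
    """
    txid, flags = struct.unpack("!HH", response[:4])
    if not flags & 0x8000:  # QR bit clear: this is not an answer at all
        return None
    rname, _ = decode_qname(response)
    for tunnel, server, qpacket in sent:
        q = parse_query(qpacket)
        if server == src_ip and q["txid"] == txid and q["name"].lower() == rname.lower():
            return tunnel
    return None
```

The qualified-name path shows why the "two DNS servers in Win 95" limit is not the real constraint: the stack keeps whatever resolver addresses the OS has, and the interceptor rewrites the destination per query. The unqualified-name path is the expensive case, since one user lookup becomes one query per active tunnel, and the response check is what keeps a fan-out from being answered by whichever server replies first.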
- DNS and VPN Kumar V. Vemuri
- Re: DNS and VPN Michael Richardson
- Re: DNS and VPN Bronislav Kavsan