A frequently recurring question on the OpenVPN users mailing lists is related to DNS name resolution on Windows after the VPN connection is established. If the OpenVPN server pushes out a new DNS server, this is automatically picked up by the OpenVPN client, yet name resolution does not always work right after the connection is established. This has little to do with OpenVPN and more to do with the way the Windows DNS caching service works. As this question comes up quite regularly, a new directive, register-dns, was added in OpenVPN 2.1.3. When this directive is specified, OpenVPN updates the Windows DNS cache and registers the VPN IP address in the Windows DNS tables. As this feature was introduced only recently, this recipe will also show how the Windows DNS cache can be updated using a script when the VPN connection is established. Some users disable the DNS caching service altogether, which seems to have little impact on the operating system, except for a small performance penalty when using a slow network.
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client computer was running Windows 7 SP1 and OpenVPN 2.3.11. Keep the server configuration file, example9-2-server.conf, from the Linux: using pull-resolv-conf recipe at hand, as well as the client configuration file, basic-udp-client.ovpn, from the Using an ifconfig-pool block recipe in Chapter 2, Client-server IP-only Networks.
Start the server:

[root@server]# openvpn --config example9-2-server.conf

Next, add the following line to the client configuration file basic-udp-client.ovpn:

register-dns

Save it as example9-5.ovpn. Start the OpenVPN client. The OpenVPN GUI status window will show that the Windows service dnscache has restarted.
After the VPN connection is established, verify that name resolution is using the VPN-supplied DNS server, for example, by using the nslookup command.
When the VPN connection is established, the OpenVPN client software sends a DHCP packet to the TAP-Win32 adapter with the IP address, default gateway, and the other network-related information, such as a new DNS server. This information is picked up by the operating system, but the local DNS caching service is not notified immediately. The register-dns directive executes the following commands:

net stop dnscache
net start dnscache
ipconfig /flushdns
ipconfig /registerdns
By forcing a restart of the DNS caching service, the DNS server supplied by the VPN connection is used immediately.
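The same refresh can be done from a script on OpenVPN versions that lack register-dns, with the added benefit of checking that the TAP adapter really ended up with the pushed DNS server. The PowerShell script below is an added example, not code from the book or the OpenVPN project; it assumes it runs with administrator rights after the connection is up (for instance as an up script with script-security 2), and relies on the foreign_option_<n> environment variables OpenVPN sets from the server's dhcp-option DNS push.

```powershell
# vpn-dns-refresh.ps1: constructed example, not part of the OpenVPN project or the book.
# Replicates what the register-dns directive does (restart dnscache, flush, register)
# and then verifies that the TAP adapter is using the DNS server pushed by the VPN.

# 1. Recover the pushed DNS server(s) from OpenVPN's foreign_option_<n> environment
#    variables, which carry the 'dhcp-option DNS <addr>' lines from the server push.
$pushedDns = @(Get-ChildItem Env:foreign_option_* | ForEach-Object {
    if ($_.Value -match '^dhcp-option\s+DNS\s+(\S+)') { $Matches[1] }
})
if ($pushedDns.Count -eq 0) { Write-Warning 'No DNS server was pushed by the VPN server.' }

# 2. The same steps register-dns runs: stop/start dnscache, flushdns, registerdns.
try {
    Restart-Service -Name Dnscache -Force -ErrorAction Stop
} catch {
    # Newer Windows releases protect the DNS Client service from being stopped;
    # in that case only the flush and registration below are performed.
    Write-Warning "Could not restart Dnscache: $($_.Exception.Message)"
}
ipconfig /flushdns    | Out-Null
ipconfig /registerdns | Out-Null

# 3. Verify: list the DNS servers bound to the TAP adapter. WMI is used instead of
#    Get-NetAdapter so the check also works on the Windows 7 client from the recipe.
$tap = Get-WmiObject Win32_NetworkAdapterConfiguration |
       Where-Object { $_.IPEnabled -and $_.Description -like 'TAP-Win*' } |
       Select-Object -First 1
$active = @($tap.DNSServerSearchOrder)
Write-Host "TAP adapter DNS servers: $($active -join ', ')"
foreach ($srv in $pushedDns) {
    if ($active -notcontains $srv) {
        Write-Warning "Pushed DNS server $srv is not set on the TAP adapter."
    }
}

# 4. Resolve a name explicitly through the first pushed server; nslookup exists on
#    every Windows version the recipe targets. The host name is a placeholder.
if ($pushedDns.Count -gt 0) { nslookup example.com $pushedDns[0] }
```

If the final nslookup answers but ordinary resolution still fails, the cached entries (not the adapter settings) are the problem, which is exactly the case the dnscache restart addresses.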