Starting with Windows 8.1, Microsoft introduced a new feature for resolving hostnames to IP addresses. Whenever an application wants to resolve a hostname, a DNS query is sent out over all network adapters found in the system. The answer from the first adapter that responds to the query is used.
If a user wants to tunnel all traffic over a VPN in a secure manner, then this feature is not desirable. In a hostile network environment, a bogus IP address could be returned or even the fact that a DNS lookup for a particular host is made could be considered dangerous.
Starting with OpenVPN 2.3.10, a new option, block-outside-dns
, was added to suppress this feature. In this recipe, we will show how to use this option.
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client computer was running Windows 8.1 and OpenVPN 2.3.11. Keep the configuration file, basic-udp-server.conf
, from the Server-side routing recipe in Chapter 2, Client-server IP-only Networks at hand. For the client, keep the configuration file, basic-udp-client.ovpn
, from the Using an ifconfig-pool block recipe in Chapter 2, Client-server IP-only Networks at hand.
[root@server]# openvpn --config basic-udp-server.conf
basic-udp-client.ovpn
configuration file:verb 5 block-outside-dns
example9-9.ovpn
. Start the OpenVPN client with this configuration.In this log file, the Windows Filtering Platform (WFP) is initialized and special rules are added to block DNS traffic.
... Closing TUN/TAP interface ... Uninitializing WFP
With the block-outside-dns
directive, a set of Windows filtering rules are created after the VPN connection has been established. These filter (or firewalling) rules prevent DNS lookups from being sent over all network adapters found on the Windows client, except for queries made over the TAP adapter. When the OpenVPN connection is terminated, the WFP rules are removed.
3.15.25.131