OpenVPN DNS alternatives

The "Informatics-only-Forum" and "Informatics-via-Forum" configuration files tunnel only Forum traffic and EdLAN traffic respectively, leaving all your other traffic to go out through your ISP's default route.

We normally recommend those, as they're generally more efficient and robust, but they do have the issue that traffic to other sites will have your ISP-provided address, and so anyone basing authorization decisions on that address won't see you as being a University person. "Informatics-all-Forum" is provided as a workaround for that situation. It tunnels all traffic over the OpenVPN tunnel, and so to the outside it appears that you have an EdLAN address. Unfortunately that does have some side-effects.

One is when your machine is configured at home to use your ISP's DNS resolvers. With Informatics-all-Forum, the machine will then try to send your DNS queries to your ISP's resolvers using your EdLAN address, and those resolvers will quite reasonably ignore you as a security measure. (This actually used to be less likely, but ISPs seem to have started to get a bit of a clue and have been tightening things up.)

So that's not going to work, but there are a few workarounds available. We can't really advise on how relatively easy they would be, as they depend so much on particular systems and circumstances, but here they are in no particular order:


  1. If you are running on a Windows machine, be sure to use the platform-specific configuration files. These set an additional option to pin the routing to your ISP's resolvers. Note that this doesn't currently work for Linux or Macs.

  2. You may be able to use your ADSL or cable box as a DNS proxy. Your machine will have a route to it (as otherwise nothing at all would be working) and the box will have its own routing tables which will allow it to send to your ISP's resolvers with your ISP-provided address. This is probably the simplest solution, if you can do it, but unfortunately not all boxes can and you might not have enough administrative rights to it to be able to do any necessary setup (e.g. DHCP).

  3. You could edit the Informatics-all-Forum file to add an explicit route to your ISP's nameservers. If you can give us their addresses in a support request then we should be able to tell you what line(s) to add and where.

  4. You could set up your machine to use the Informatics DNS resolvers instead of your ISP's. At the time of writing 129.215.33.247 would be the address to use. We really don't recommend this approach, though, as the address is NOT guaranteed to stay the same and our resolvers will only answer you if they see your requests coming from a tunnelled address. On a Mac, using the "location" mechanism may help avoid this latter problem.

  5. As an alternative to the above, if you don't mind the privacy implications you could use one of the public resolvers, such as Google's 8.8.8.8 or 8.8.4.4.

  6. You could run a caching nameserver directly on your machine. This would then go and do all the necessary DNS queries itself, rather than relying on some outside body. That's easy on Linux, for example, and is what we would recommend there, but may not be quite so straightforward for Windows and Macs.
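
To check whether you are affected, you can probe each configured resolver directly. The script below is an added example, not part of the original page; it assumes a Linux-style /etc/resolv.conf, and the sample addresses (192.0.2.x) and the query name example.com are placeholders.

```python
import socket
import struct

# Constructed sample in resolv.conf format; 192.0.2.x are documentation addresses.
SAMPLE_RESOLV_CONF = """\
# written by the home router's DHCP
nameserver 192.0.2.53
nameserver 192.0.2.54
search example.org
"""

def parse_nameservers(text):
    """Return the resolver addresses listed on 'nameserver' lines."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def build_query(name, query_id=0x1234):
    """Build a minimal DNS query (type A, class IN, recursion desired)."""
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def probe(server, name="example.com", timeout=2.0):
    """Send one query; 'answered' if a matching reply arrives, else 'silent'."""
    query = build_query(name)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            reply, _ = sock.recvfrom(512)
        except OSError:  # timeout, unreachable or refused
            return "silent"
    # A genuine reply echoes the 16-bit query ID.
    return "answered" if reply[:2] == query[:2] else "silent"

if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        for server in parse_nameservers(fh.read()):
            print(server, probe(server))
```

Run it once with the tunnel down and once with Informatics-all-Forum up; a resolver that changes from answered to silent is not answering queries sent through the tunnel.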

Last reviewed: 06/05/2017