
OpenVPN DNS alternatives

The "Informatics-InfNets-Forum" and "Informatics-EdLAN-Forum" configuration files and the corresponding -AT versions tunnel only Informatics traffic and EdLAN traffic respectively, leaving all your other traffic to go out through your ISP's default route.

We normally recommend those, as they're generally more efficient and robust, but they do have the potential issue that traffic to other sites will have your ISP-provided address, and so anyone basing authorization decisions on that address won't see you as being a University person. "Informatics-AllNets-Forum" (and ...-AT) is provided as a workaround for that situation. It tunnels all traffic over the OpenVPN tunnel, and so to the outside it appears that you have an EdLAN address. Unfortunately that does have some side-effects.

One is when your machine is configured at home to use your ISP's DNS resolvers. Using Informatics-AllNets-Forum, what will then happen is that the machine will try to send your DNS queries to your ISP's resolvers using your EdLAN address, and those resolvers will quite reasonably ignore you as a security measure. (This actually used to be less likely, but ISPs seem to have started to get a bit of a clue and have been tightening things up.)

So that's not going to work, but there are a few workarounds available. We can't really advise on how relatively easy they would be, as they depend so much on particular systems and circumstances, but here they are in no particular order:

  • If you are running on a Windows machine, or on iOS or Android, be sure to use the platform-specific configuration files. These set additional options to pin the routing to your ISP's resolvers or to use an Informatics resolver. Note that this doesn't currently work for Linux or macOS.

  • You may be able to use your ADSL or cable box as a DNS proxy. Your machine has a route to it (as otherwise nothing at all would be working) and the box will have its own routing tables which will allow it to send to your ISP's resolvers with your ISP-provided address. This is probably the simplest solution, if you can do it, but unfortunately not all boxes can and you might not have enough administrative rights to it to be able to do any necessary setup (e.g. DHCP).

  • You could edit the Informatics-AllNets-Forum file to add an explicit route to your ISP's nameservers. If you can give us their addresses in a support request then we should be able to tell you what line(s) to add and where.

  • You could set up your machine to use the Informatics DNS resolvers instead of your ISP's. At the time of writing would be a possible address to use. We really don't recommend this approach, though, as the address is NOT guaranteed to stay the same; and our resolvers will only answer you if they see your requests coming from a tunnelled address, so your DNS would break when you were not using OpenVPN. On a Mac, using the "location" mechanism may help avoid this latter problem.

  • As an alternative to the above, if you don't mind the privacy implications you could use one of the public resolvers, such as Google's or

  • You could run a caching nameserver directly on your machine. This would then go and do all the necessary DNS queries itself, rather than relying on some outside body. That's easy on Linux, for example, and is what we would recommend there, but may not be quite so straightforward for Windows and Macs.
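
As an added illustration of the explicit-route workaround (this is not Informatics-supplied code), the sketch below reads resolv.conf-style text, separates resolvers that are local or on the home LAN from public ones, and prints an OpenVPN `route ... net_gateway` line for each public IPv4 resolver. The sample file, its addresses and the function names are constructed for the example, and treating RFC 1918 addresses as "the home router" is an assumption; where such lines belong in the Informatics-AllNets-Forum file is still a question for a support request.

```python
import ipaddress

# Constructed sample /etc/resolv.conf (documentation addresses, not a real ISP's).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.example
nameserver 192.168.1.1
nameserver 198.51.100.53
nameserver 203.0.113.7
nameserver 127.0.0.53
nameserver 2001:db8::53
options edns0
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_nameservers(text):
    """Return the addresses on 'nameserver' lines of resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(fields[1]))
            except ValueError:
                continue  # malformed address: skip the line
    return servers

def classify(addr):
    """Say how a resolver address fares once all traffic is tunnelled."""
    if addr.is_loopback:
        return "local"        # stub or caching nameserver on this machine
    if addr.version == 6:
        return "ipv6"         # not handled by this sketch
    if addr.is_link_local or any(addr in net for net in RFC1918):
        return "lan"          # assumed to be the home router acting as DNS proxy
    return "needs-route"      # public resolver: queries would enter the tunnel

def route_lines(text):
    """OpenVPN 'route' directives keeping public IPv4 resolvers off the tunnel."""
    return [f"route {a} 255.255.255.255 net_gateway"
            for a in parse_nameservers(text) if classify(a) == "needs-route"]

if __name__ == "__main__":
    for a in parse_nameservers(SAMPLE_RESOLV_CONF):
        print(f"{str(a):<16} {classify(a)}")
    print("\n".join(route_lines(SAMPLE_RESOLV_CONF)))
```

A loopback entry may be a stub that forwards to upstream resolvers not listed in this file, so check those separately.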