wiki:Pushing-DNS-to-clients

Version 11 (modified by tct, 2 years ago)


Using DNS servers pushed to clients


This page describes how to use pushed DNS servers in the client.

Contents:

  1. Using DNS servers pushed to a Linux client
  2. Using DNS servers pushed to a Windows client
  3. Additional notes

Using DNS servers pushed to a Linux client

On Linux, OpenVPN itself does not apply pushed DNS servers; an external --up/--down script must update /etc/resolv.conf.

Most distributions' OpenVPN packages ship the /etc/openvpn/update-resolv-conf.sh script.
Source: https://github.com/alfredopalhares/openvpn-update-resolv-conf

Call the script by adding this to your client config file:

script-security 2
up /etc/openvpn/update-resolv-conf.sh
down /etc/openvpn/update-resolv-conf.sh

Note: The script may also be called update-resolv-conf without a .sh suffix.
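As an added illustration of what such an up/down script does (this is example code, not the page's or the distribution's update-resolv-conf script): OpenVPN exports each pushed option it cannot apply itself as an environment variable foreign_option_1, foreign_option_2, ... (for example "dhcp-option DNS 10.8.0.1") and sets script_type to "up" or "down" when it runs the script. The example below parses those variables into resolv.conf lines, backs up the original file before replacing it, and restores it on the way down. The RESOLV_CONF override and the ".openvpn-orig" backup suffix are assumptions of this example, not OpenVPN conventions.

```shell
#!/bin/sh
# Added example, not the page's or the distribution's update-resolv-conf script.
# OpenVPN exports every pushed option it cannot apply itself as foreign_option_N
# (e.g. "dhcp-option DNS 10.8.0.1") and sets script_type to "up" or "down" when
# it runs an --up/--down script. RESOLV_CONF and the ".openvpn-orig" backup
# suffix are assumptions of this example, not OpenVPN conventions.

RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"

# Print resolv.conf content built from foreign_option_1, foreign_option_2, ...
# Returns 1 when no DNS server was pushed, so the caller leaves DNS untouched.
build_resolv_conf() {
    servers=""
    domains=""
    i=1
    while :; do
        eval "val=\${foreign_option_$i:-}"
        [ -n "$val" ] || break
        set -- $val
        # Only "dhcp-option DNS <ip>" and "dhcp-option DOMAIN <name>" matter here;
        # other pushed options (e.g. NBT) are ignored.
        if [ "$1" = "dhcp-option" ] && [ -n "${3:-}" ]; then
            case "$2" in
                DNS)    servers="$servers $3" ;;
                DOMAIN) domains="$domains $3" ;;
            esac
        fi
        i=$((i + 1))
    done
    [ -n "$servers" ] || return 1
    if [ -n "$domains" ]; then
        printf 'search%s\n' "$domains"
    fi
    for s in $servers; do
        printf 'nameserver %s\n' "$s"
    done
}

# --up side: back up the current file once, then write the pushed resolvers.
install_resolv_conf() {
    content=$(build_resolv_conf) || return 1
    if [ -f "$RESOLV_CONF" ] && [ ! -f "$RESOLV_CONF.openvpn-orig" ]; then
        cp "$RESOLV_CONF" "$RESOLV_CONF.openvpn-orig"
    fi
    printf '# written by the OpenVPN up script\n%s\n' "$content" > "$RESOLV_CONF"
}

# --down side: put the original file back. This is the step that fails when
# OpenVPN has dropped privileges with --user/--group, because the process can
# no longer write to /etc; run it through openvpn-down-root.so in that case.
restore_resolv_conf() {
    if [ -f "$RESOLV_CONF.openvpn-orig" ]; then
        mv "$RESOLV_CONF.openvpn-orig" "$RESOLV_CONF"
    fi
}

# OpenVPN sets script_type when it invokes the script; nothing runs otherwise.
case "${script_type:-}" in
    up)   install_resolv_conf || true ;;
    down) restore_resolv_conf ;;
esac
```

Reference it from the client config with the script-security, up and down lines shown above. If the client also drops privileges with --user and --group, hand the down side to the plugin instead of a plain down line, for example `plugin /usr/lib/openvpn/openvpn-down-root.so "/path/to/script"` (the plugin path is distribution-specific), so the restore step still runs as root.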

systemd-resolved

If you use systemd-resolved then use this script:

https://github.com/jonathanio/update-systemd-resolved


Using DNS servers pushed to a Windows client

OpenVPN 2.4

Windows uses the OpenVPN built-in DHCP server to update the TAP adapter's DNS servers and no additional steps are required.

This does require that the client is run using the OpenVPN-GUI and that the OpenVPN InteractiveService for Windows is started.

To prevent DNS leaks at the client use --block-outside-dns.

OpenVPN 2.3

Windows uses the OpenVPN built-in DHCP server to update the TAP adapter's DNS servers and no additional steps are required.

This does require that the client is run as an administrator user.

This version does not support --block-outside-dns.


Additional notes

Linux notes

If the client is run with --user and --group to drop the process privileges, the --down script will fail (the unprivileged process can no longer write /etc/resolv.conf) and leave the client DNS in an undefined state.

The recommended way to resolve this is to run the down script through the openvpn-down-root.so plugin module, which executes it with the original root privileges.

