
NextDNS - VPN Split Horizon

Hi,

I am using a VPN to protect access to my private network resources such as demo websites for client presentations. I have recently started using NextDNS and I am using Rewrites in NextDNS profiles to push any HTTPS traffic for my private workloads over the VPN, e.g.

*.private.demosite.com -> 10.11.12.13

When my VPN is connected this works fine and I can access my workloads. When the VPN is disconnected, then I cannot connect. I am happy with that setup.

The issue I see (and perhaps I am overthinking this) is when my users are on a customer site they often have to connect to the customer guest wifi, and this is often on private IP ranges, so I cannot rewrite all private traffic over to the VPN, as this means my user may not be able to connect to a login page if it is returned on an IP address range already added as a rewrite.

Also, if travelling, my users often have to connect to hotel wifi (where they all know to connect via VPN). However, there is a use case when a user could try to connect to my private demo sites whilst not connected to the VPN, so therefore *.private.demosite.com will try to be resolved by NextDNS. If there is another server or man in the middle on the same IP as *.private.demosite.com, my user may be returned something they should not be clicking on. I would expect to see the HTTPS certificate authentication fail and the user presented with a warning of the site's unsafe status, but this could be ignored by the user.

Is there any solution to this? Thanks in advance for any support.
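The behaviour described above, modelled as an added example that is not part of the original post or of NextDNS: a split-horizon rewrite policy that only answers `*.private.demosite.com` with the private address when that address is actually routed through the VPN tunnel, and fails closed (NXDOMAIN) otherwise, so a client on hotel or guest wifi never tries to reach whatever host happens to occupy 10.11.12.13 on the local LAN. The rewrite table, routing tables and the interface name `tun0` are constructed for the example.

```python
import fnmatch
import ipaddress

# Constructed rewrite table mirroring the post: wildcard name -> private target IP.
REWRITES = {"*.private.demosite.com": "10.11.12.13"}

# Constructed routing tables: (destination prefix, outgoing interface).
# "tun0" stands in for the VPN tunnel, "wlan0" for the hotel/guest wifi.
ROUTES_VPN_UP = [("10.11.12.0/24", "tun0"), ("0.0.0.0/0", "wlan0")]
ROUTES_VPN_DOWN = [("0.0.0.0/0", "wlan0")]
VPN_INTERFACES = {"tun0"}  # assumption: tunnel interfaces are known by name


def route_interface(routes, ip):
    """Longest-prefix match: the interface the host would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def resolve(name, routes):
    """Split-horizon policy for one query.

    Returns ("rewrite", ip)   when the rewrite target is reachable via the tunnel,
            ("nxdomain", None) when the target is a private address that would
                               currently be reached over an untrusted local LAN,
            ("forward", None)  when no rewrite matches (hand to the upstream resolver).
    """
    qname = name.lower().rstrip(".")
    for pattern, target in REWRITES.items():
        if fnmatch.fnmatchcase(qname, pattern):
            private = ipaddress.ip_address(target).is_private
            if private and route_interface(routes, target) not in VPN_INTERFACES:
                return ("nxdomain", None)  # fail closed rather than leak to the LAN
            return ("rewrite", target)
    return ("forward", None)
```

Because a guest-wifi captive portal hostname matches no rewrite pattern, it is still forwarded normally, which addresses the overlapping private-range concern without rewriting "all private traffic".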

2 replies

    • Failsafe
    • 3 days ago

    Forgive me if I'm thinking about this too simplistically, but is there a reason not to just force all your users' traffic through the VPN when connected via VPN? If you did that, you could enforce that no outside DNS is used and then you can control the *.private.demosite.com (etc.) domain resolution to IPs that resolve only when VPN connected.

      • evi191
      • 3 hrs ago

      Hi, thanks for your reply and suggestion. Yes, I could do as you suggest, and do 🙂 However, the users do not need to be on the VPN all the time, as many do not need to connect to private resources or, when they do, it is for a limited time. I really want to protect the use case where a user has no need to be on the private network (therefore not using up VPN bandwidth) but there should still be DNS filtering in place, which is where NextDNS would come in.
