Discussion:
anyone generating location-specific tinydns values?
Jason Haar
2010-01-02 03:46:20 UTC
Hi there

We have a world-wide distribution of VPN servers that I'd like to use
tinydns to provide access to the "closest" one WRT the client (really
the client's DNS server - close enough). ie "vpn.our.domain" would
return a single IP that changes based on the Internet location of the
client. The hard part is actually associating random Internet addresses
with location of course.

Has anyone actually done this? (or approximated it). I can see how to
figure this out myself by using existing IP data against geoiplookup or
the likes, but was wondering if anyone has turned this into a
self-learning tool that can be used to keep one's own tinydns database
current?
--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
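Stock tinydns-data can express per-location answers with `%lo:ipprefix` lines and a trailing location field on a record, matched against the querying resolver's address. The generator below is an added example, not code from this thread: the region table, addresses and function names are constructed, and it expands CIDR blocks because tinydns prefixes only match on whole octets.

```python
import ipaddress

def octet_prefixes(cidr):
    """Expand an IPv4 CIDR block into tinydns ipprefix strings.

    tinydns matches client addresses on whole-octet dotted prefixes, so a
    mask that is not a multiple of 8 is expanded into the covering subnets.
    """
    net = ipaddress.IPv4Network(cidr)
    target = -(-net.prefixlen // 8) * 8          # round up to an octet boundary
    return [".".join(str(sub.network_address).split(".")[: target // 8])
            for sub in net.subnets(new_prefix=target)]

def build_data(name, regions, default_loc, ttl=300):
    """Return tinydns-data lines: %lo mappings, then one A record per location."""
    for loc in regions:
        # Location names are one or two ASCII letters; anything else would
        # corrupt the colon-separated line format.
        if not (loc.isascii() and loc.isalpha() and 1 <= len(loc) <= 2):
            raise ValueError(f"bad location name: {loc!r}")
    if default_loc not in regions:
        raise ValueError("default location has no record")
    lines = []
    for loc in sorted(regions):
        for cidr in regions[loc]["cidrs"]:
            lines += [f"%{loc}:{p}" for p in octet_prefixes(cidr)]
    lines.append(f"%{default_loc}")              # empty prefix: every other client
    for loc in sorted(regions):
        ip = ipaddress.IPv4Address(regions[loc]["vpn_ip"])  # rejects malformed input
        lines.append(f"+{name}:{ip}:{ttl}::{loc}")
    return lines

# Constructed sample data (documentation and private ranges, not real mappings).
REGIONS = {
    "eu": {"vpn_ip": "192.0.2.10", "cidrs": ["198.51.100.0/24"]},
    "nz": {"vpn_ip": "192.0.2.20", "cidrs": ["203.0.113.0/24", "10.16.0.0/14"]},
}

if __name__ == "__main__":
    print("\n".join(build_data("vpn.our.domain", REGIONS, default_loc="eu")))
```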
Alejandro Mery
2010-01-02 12:03:00 UTC
Thanks to OpenDNS and Google's public resolver, geodns became useless :(
James Sutherland
2010-01-02 12:48:19 UTC
Post by Alejandro Mery
Thanks to opendns and google's public resolver geodns became useless :(
Is it that bad? OpenDNS certainly tries to route your queries to your
nearest OpenDNS node, so I (in the UK) would be served by OpenDNS
resolvers in London. If I try connecting to Jason's service, he'd see
my query coming from a resolver in London and direct me to whatever
VPN node is most appropriate for London. Google seems less open with
details, but it looks like my queries there get handled in London as
well, or possibly Dublin; unless they're forwarding cache misses to
nodes elsewhere rather than resolving directly, I wouldn't expect
Google's DNS servers to cause a problem here. They do use similar
resolver tricks to route you to a nearby server themselves, so I would
be surprised if they configured their own DNS resolvers to break this!

Beyond Europe and North America, OpenDNS might be more of a problem:
someone in New Zealand using OpenDNS will be using a resolver on
another continent, which would be a problem *if* your servers have a
very different geographical distribution to OpenDNS or Google. In
Jason's case, that might well apply - I imagine he has an NZ presence,
while OpenDNS does not - but how many people choose to use a DNS
server on another continent like that?

I'd expect the geographically-aware DNS approach to work fairly well
with some exceptions, and set up a web page to try catching these by
checking the client machine's own IP address and the time zone and
locale settings from the browser against which server you've been
routed to. Alternatively, you could use vpn-username.example.com and
log "problem" cases to add exceptions - so if I, in the UK using
GoogleDNS somehow got routed to a US server the first time around, a
script could then add a special-case to make vpn-james.example.com
resolve to the UK server even when requested from a US resolver.
Probably not a huge programming task, a simple Perl script to trawl
the VPN node's logs and check for clients connecting to the "wrong"
node for their IP address. Probably a good sanity check for your geoIP
data, too; I recall one service which "intelligently" routed my
traffic to their server in Sweden rather than the US, not knowing that
the shorter straight-line distance wasn't reflected in available
network bandwidth.

I use a multi-location VPN service myself, which has a "smart"
hostname everyone can default to which usually routes people
correctly, but also provides regional hostnames (uk and us) and
specific ones (one for each node) so you can select a specific node
for any reason.


James.
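The log check suggested in the post above, as an added example that is not part of the original message: the log format, networks, node addresses and function names are constructed assumptions. It flags users who repeatedly land on a node other than the one expected for their client address and emits a location-independent tinydns record for each.

```python
import ipaddress
import re

# Constructed assumptions: client networks -> expected node, node -> public IP.
EXPECTED = [(ipaddress.ip_network("198.51.100.0/24"), "uk"),
            (ipaddress.ip_network("203.0.113.0/24"), "us")]
NODE_IP = {"uk": "192.0.2.10", "us": "192.0.2.20"}

# The user field is restricted to DNS-label characters: it ends up in a hostname
# and in a colon-separated data line, so anything else is dropped, not escaped.
LINE = re.compile(r"node=(?P<node>\w+) user=(?P<user>[a-z0-9-]{1,59}) client=(?P<ip>[\d.]+)$")

def expected_node(ip):
    """Return the node for the longest matching client network, or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    matches = [(net.prefixlen, node) for net, node in EXPECTED if addr in net]
    return max(matches)[1] if matches else None

def exceptions(log_lines, min_hits=2, domain="example.com"):
    """Emit per-user tinydns A records for users seen on the wrong node."""
    hits = {}
    for line in log_lines:
        m = LINE.search(line.strip())
        if not m:
            continue
        want = expected_node(m["ip"])
        if want and want != m["node"]:
            hits[(m["user"], want)] = hits.get((m["user"], want), 0) + 1
    # No location field on the record, so it applies whichever resolver asks.
    return [f"+vpn-{user}.{domain}:{NODE_IP[want]}:300"
            for (user, want), n in sorted(hits.items()) if n >= min_hits]

# Constructed sample log lines.
LOG = [
    "2010-01-02T12:00:01Z node=us user=james client=198.51.100.7",
    "2010-01-02T18:30:44Z node=us user=james client=198.51.100.7",
    "2010-01-02T12:05:10Z node=uk user=anna client=198.51.100.9",
    "2010-01-02T12:06:00Z node=uk user=bob client=203.0.113.5",
    "2010-01-02T12:07:00Z node=us user=x:y client=198.51.100.1",
]

if __name__ == "__main__":
    print("\n".join(exceptions(LOG)))
```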
Jason Haar
2010-01-02 20:59:21 UTC
Post by James Sutherland
Is it that bad? OpenDNS certainly tries to route your queries to your
nearest OpenDNS node, so I (in the UK) would be served by OpenDNS
resolvers in London.
We should be alright. We are dealing with "road warriors" and I think
almost none of our users use any other DNS server other than the one
assigned via DHCP. That assumes ISPs don't use OpenDNS/Google of course
- that's something I haven't looked into.
Post by James Sutherland
I recall one service which "intelligently" routed my
traffic to their server in Sweden rather than the US, not knowing that
the shorter straight-line distance wasn't reflected in available
network bandwidth.
Indeed. The annoying thing is that I don't even want to use geodns. I'd
rather VPN software had more options. It would be much more efficient to
have the client simply resolve a DNS name back to (say) 12 IP addresses,
and then ping them and choose the closest one. No need for DNS tricks,
no issues with OpenDNS, etc. However, no commercial VPN software I know
of has such functionality, nor do they even support triggering scripts
during initialization - where I could have my own code to do the trick.

Things like this are possible with open source (eg openvpn) of course -
but no good for the commercial software we use :-(

Thanks!
--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Philip Jocks
2010-01-02 10:00:07 UTC
Post by Jason Haar
Hi there
We have a world-wide distribution of VPN servers that I'd like to use
tinydns to provide access to the "closest" one WRT the client (really
the client's DNS server - close enough). ie "vpn.our.domain" would
return a single IP that changes based on the Internet location of the
client. The hard part is actually associating random Internet
addresses
with location of course.
Anders Brownworth had something about it on his site a few months ago:
http://www.anders.com/cms/276/tinydns.GeoIP.patch/djbdns/Geographically.Aware
It uses a patch to tinydns, I haven't tried it yet, though.

Cheers,

Philip
anders94
2010-04-20 01:00:37 UTC
Hi,

You might try GeoIPDNS which is an offshoot of my blog post also mentioned
on this thread.

http://geoipdns.org/

Best,

Anders
--
View this message in context: http://old.nabble.com/anyone-generating-location-specific-tinydns-values--tp26991008p28287778.html
Sent from the cr.yp.to - dns mailing list archive at Nabble.com.