This discussion has been inactive for longer than 30 days, and is thus closed.
    • CommentAuthor: dans2992
    • CommentTime: Jun 23rd 2011
    We subscribe to the "enterprise" package. What is the best way to propagate the nameserver changes to our "road-warrior" laptops in the easiest possible way? I want to have minimal install work for them, as they are "non-technical". Also, when they are in the office, I need them to point to our DNS servers.

    --Dan
    • CommentAuthor: opendnsjp
    • CommentTime: Jun 23rd 2011 (edited)
    Do you mean you want to keep the OpenDNS Enterprise features working, regardless of the laptop being inside your LAN or away from the office?

    The only reliable solution is to set your internal DNS server(s) statically, and force the user to VPN into your network. Without the VPN connection the laptop can't reach your internal DNS servers, and thus can't go anywhere on the Internet.
    ...this can be a headache for users that use public hotspots or libraries as their Internet connection away from the office, some won't get on at all
    ...the VPN endpoint will have to connect using an IP address, not a DNS name

    No matter how else you try and accomplish this, it will be a real mess.

    One manual way (but this is susceptible to user error, and requires local admin rights) is to create desktop shortcuts to change the config...

    Name the two network adapters on each machine LAN and WLAN

    Create shortcut "I'm at work" to batch file...
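    @ECHO OFF
    REM Run elevated: points both adapters at the internal DNS servers.
    CLS
    ECHO.
    ECHO Working.
    ECHO.
    REM Clear existing DNS entries, then set the primary and secondary resolver.
    netsh int ip delete dns "LAN" all
    netsh int ip set dns "LAN" static 192.168.1.8 none
    netsh int ip add dns "LAN" 192.168.1.9
    netsh int ip delete dns "WLAN" all
    netsh int ip set dns "WLAN" static 192.168.1.8 none
    netsh int ip add dns "WLAN" 192.168.1.9
    ipconfig /flushdns
    ECHO.
    ECHO Done.
    REM Pause about two seconds (SLEEP needs the Resource Kit; ping is always present).
    PING -n 3 127.0.0.1 >NUL
    EXIT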

    Create shortcut "I'm out of the office" to batch file...
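    @ECHO OFF
    REM Run elevated: points both adapters at the OpenDNS resolvers.
    CLS
    ECHO.
    ECHO Working.
    ECHO.
    REM Clear existing DNS entries, then set the primary and secondary resolver.
    netsh int ip delete dns "LAN" all
    netsh int ip set dns "LAN" static 208.67.222.222 none
    netsh int ip add dns "LAN" 208.67.220.220
    netsh int ip delete dns "WLAN" all
    netsh int ip set dns "WLAN" static 208.67.222.222 none
    netsh int ip add dns "WLAN" 208.67.220.220
    ipconfig /flushdns
    ECHO.
    ECHO Done.
    REM Pause about two seconds (SLEEP needs the Resource Kit; ping is always present).
    PING -n 3 127.0.0.1 >NUL
    EXIT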
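
The two shortcuts above depend on the user picking the right one. As an added example (not code from this thread or from OpenDNS), the PowerShell script below makes that choice itself by probing the internal resolvers. It assumes Windows 8 / Server 2012 or later, an elevated session, the adapter names and resolver addresses from the post, and a hypothetical internal-only record `dc01.corp.example` with a hypothetical expected address.

```powershell
# Added example: choose the DNS profile automatically instead of via two shortcuts.
$Adapters     = 'LAN', 'WLAN'                       # adapter names used in the post
$InternalDns  = '192.168.1.8', '192.168.1.9'        # internal resolvers from the post
$OpenDns      = '208.67.222.222', '208.67.220.220'  # OpenDNS resolvers from the post
$ProbeName    = 'dc01.corp.example'                 # hypothetical internal-only record
$ProbeAddress = '192.168.1.8'                       # hypothetical expected answer

function Test-OfficeNetwork {
    # True only if an internal resolver returns the expected A record.
    # Many home and hotspot networks also use 192.168.1.x, so reachability
    # alone is not enough; a matching answer is a location hint, not proof.
    foreach ($server in $InternalDns) {
        try {
            $answer = Resolve-DnsName -Name $ProbeName -Type A -Server $server `
                        -DnsOnly -QuickTimeout -ErrorAction Stop
            if ($answer | Where-Object { $_.Type -eq 'A' -and $_.IPAddress -eq $ProbeAddress }) {
                return $true
            }
        } catch {
            continue   # timeout or name error: try the next resolver
        }
    }
    return $false
}

function Set-DnsProfile {
    param([string[]]$Servers)
    foreach ($alias in $Adapters) {
        # Skip adapters that do not exist on this machine.
        if (-not (Get-NetAdapter -Name $alias -ErrorAction SilentlyContinue)) { continue }
        $current = (Get-DnsClientServerAddress -InterfaceAlias $alias -AddressFamily IPv4).ServerAddresses
        # Only rewrite the setting when it differs from the wanted profile.
        if (($current -join ',') -ne ($Servers -join ',')) {
            Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses $Servers
        }
    }
    Clear-DnsClientCache   # same effect as ipconfig /flushdns
}

if (Test-OfficeNetwork) {
    Set-DnsProfile -Servers $InternalDns
} else {
    Set-DnsProfile -Servers $OpenDns
}
```

Run from a scheduled task with highest privileges, the script does not need the user to hold local admin rights. It only automates the switch; it does nothing to tie off-network queries to an OpenDNS account.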
    • CommentAuthor: dans2992
    • CommentTime: Jun 23rd 2011
    Yikes, sounds like a nightmare. I don't think my users could handle it. I wonder if you can define the OpenDNS servers statically, then have them re-direct to your own internal nameservers when they receive queries for your AD domain. Of course, this would only work while they are in the office, but that's OK.

    --Dan
    • CommentAuthor: opendnsjp
    • CommentTime: Jun 23rd 2011
    You're on the right track, but then there are still two flaws to overcome...

    - I have yet to find a firewall that can handle that redirection

    - When the laptop is out of the office and using OpenDNS servers directly, how do you ensure they are using the settings from your OpenDNS account? Have them run the updater locally? Bad idea - you can inadvertently change/register someone else's network to your account. Could you get away with using OpenDNS FamilyShield IPs for when they are away? Possibly, but this doesn't get you the other features of OpenDNS Enterprise.

    The "real mess" scenario I was referring to is this, imagine that...

    Your internal DNS servers are 192.168.1.8 and .9
    ...these are AD integrated, and only available to the inside LAN

    You run another DNS server at 192.168.1.10 and .11
    ...these are not AD integrated, and have assigned (through port forwarding/firewall rules) an external static IP for each, let's say that's
    192.0.43.10 and .11

    ...all 4 servers are located inside your company and have forwarders set to OpenDNS - the external static IPs that each server comes from (referring IPs or NAT IP) are registered in your OpenDNS account

    You set all 4 DNS servers statically on your client computers in this order...
    192.168.1.8
    192.168.1.9
    192.0.43.10
    192.0.43.11

    When computers are inside, they are using the internal ones

    When computers are outside, the first two fail and the machine should eventually decide to use the latter two, which actually routes all the way back to your company, and thus the DNS traffic appears as if it's originating from your company and benefits from the settings of your OpenDNS account.

    ...the problem with all of this is Windows likes to switch around which DNS server it's using, for no discernible reason at all, resulting in random "page cannot be found" and other problems.

    I too am curious if others have solved this with something I'm not thinking of.

    I think the "demand the use of corporate VPN, even while you're away" is the only reliable method, but it also assumes the company owns the laptop - hard to justify making anyone succumb to this on their personal equipment.
    • CommentAuthor: rotblitz
    • CommentTime: Jun 23rd 2011 (edited)
    @dans2992
    As you're an Enterprise user, open a case with OpenDNS through your enhanced support channels. They may have a solution for you.

    If not, come back, and I will point out a possible solution.
    Thankful People: zelus
