| author | David Lönnhager <david.l@mullvad.net> | 2021-09-06 17:40:04 +0200 |
|---|---|---|
| committer | David Lönnhager <david.l@mullvad.net> | 2021-09-08 15:48:05 +0200 |
| commit | edfd178e05e3f8d72d2ded32cab232f0cc8a0205 (patch) | |
| tree | c651d33c69cb67b2e90c9d99e7a1dbe926266d07 /docs | |
| parent | 5b46e3a414c79b89e2d8895703ad0c01225e9c1a (diff) | |
Update split tunneling docs
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/split-tunneling.md | 27 |
1 files changed, 8 insertions, 19 deletions
diff --git a/docs/split-tunneling.md b/docs/split-tunneling.md index ff9838f81d..bda2ac5de6 100644 --- a/docs/split-tunneling.md +++ b/docs/split-tunneling.md @@ -28,7 +28,7 @@ excluded, DNS lookups **will fail** in the connecting, disconnecting, and error Some definitions of terms used later to describe behavior: * **In tunnel** - DNS requests are sent in the VPN tunnel. Firewall rules ensure they - are not allowed outside the tunnel*. + are not allowed outside the tunnel for non-excluded apps*. * **Outside tunnel** - DNS requests are sent outside the VPN tunnel. Firewall rules ensure they cannot go inside the tunnel*. * **LAN** - Same as **Outside tunnel** with the addition that the firewall rules ensure @@ -43,7 +43,7 @@ Some definitions of terms used later to describe behavior: *: On platforms where we have custom firewall integration. This is currently on desktop operating systems, and not mobile. -### Windows +### Windows and Linux | In-app DNS setting | Normal & Excluded app | |-|-| 
@@ -51,24 +51,13 @@ Some definitions of terms used later to describe behavior: | **Private custom DNS** (e.g. 10.0.1.1) | LAN (to 10.0.1.1) | | **Public custom DNS** (e.g. 8.8.8.8) | In tunnel (to 8.8.8.8) | -In other words: Normal and excluded processes always behave the same. This is due to the -Windows DNS cache service is the single origin for all DNS requests. +In other words: Normal and excluded processes always behave the same. This is because DNS is +typically handled by a service, e.g. DNS cache on Windows or systemd-resolved's resolver on Linux, +which is not an excluded process. -### Linux - -| In-app DNS setting | Normal app | Excluded app | -|-|-|-| -| **Default DNS** | In tunnel (to relay) | In tunnel (to relay) | -| **Private custom DNS** (e.g. 10.0.1.1) | LAN (to 10.0.1.1) | LAN (to 10.0.1.1) | -| **Public custom DNS** (e.g. 8.8.8.8) | In tunnel (to 8.8.8.8) | Outside tunnel* (to 8.8.8.8) | - -*: Only if a local DNS resolver, such as systemd-resolved is **not in use**. Because if a -local DNS resolver is in use the requests will go there and that resolver in turn will then -send requests in the tunnel. - -In other words: Normal and excluded processes behave the same in all cases except when Custom DNS -is enabled, pointed to a publicly available IP and the system is not set up to use a localhost DNS -resolver. +For the sake of simplicity and consistency, requests to public custom DNS resolvers are also sent +inside the tunnel when using a plain old static `resolv.conf`, even though it is technically +possible to exclude public custom DNS in that case. ### Android |
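Review bot: In the first hunk (`@@ -28,7 +28,7 @@`), the **In tunnel** definition now limits the firewall guarantee to "non-excluded apps", but the table under the renamed "Windows and Linux" heading still has a single "Normal & Excluded app" column that uses **In tunnel** for both. As written, a reader can take the table to mean an excluded app gets the same leak protection as a normal one. Suggest adding a sentence to the definition saying that for excluded apps "In tunnel" describes where the system resolver sends the request, not something the firewall enforces for that app. The heading rename from "Windows" to "Windows and Linux" also changes the generated anchor, so any links to the old section anchors should be checked.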
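Review bot: In the second hunk (`@@ -51,24 +51,13 @@`), the first added paragraph says normal and excluded processes "always behave the same" and then justifies it with DNS being "typically handled by a service", so "always" and "typically" conflict. The removed Linux table spelled out the case where no local resolver is in use; the replacement paragraph covers only "public custom DNS" with a static `resolv.conf` and does not say how the in-tunnel routing is applied to an excluded app that sends the query itself, nor what happens in that setup for the Default DNS and private custom DNS rows. Suggest either softening "always" or stating the static `resolv.conf` behaviour for all three rows. Since the section is now shared with Windows, the last paragraph should open with "On Linux," to make clear that `resolv.conf` applies only there.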
