Split view DNS and multiple VPN connections


I have the following Pritunl configuration:

  • Multiple AWS accounts, each with its own set of public and private Route53 zones. For example account1 - .client1.company.co with api.client1.company.co in the public zone and admin.client1.company.co in private zone. Same for another account - api.client2.company.co and admin.client2.company.co;
  • Each AWS account has its own Pritunl instance, there are no peering connections between accounts;
  • Each Pritunl instance uses the built-in AWS VPC DNS resolver (see "DNS attributes for your VPC - Amazon Virtual Private Cloud").

This setup works fine as long as a user connects to a single VPN at a time. However, if the user connects to both VPNs, only the second connection will be able to resolve private zone addresses.

Could you please advise about best practices with AWS split-view DNS and Pritunl? Are there any settings that could help in this case?

Here are the options that I have considered, each with its set of downsides:

  • Associating all VPCs with all private zones. This works, but does not scale, as it requires a quadratic number of associations;
  • Create a special infra VPC, and associate it with all private zones. Set up DNS there and use this DNS in all VPNs. Unfortunately, it seems that it’s impossible to attach public IP to a Route53 inbound endpoint, so maybe a self-hosted DNS server is still an option;
  • Create peering and use Route53 rules to forward DNS queries between accounts. I would like to avoid peering between accounts for security reasons. In this case, it looks like the scheme with multiple VPN servers becomes redundant: if there is peering, a shared VPN should work fine.

There currently aren't any options in Pritunl for handling multiple DNS servers with the Pritunl Client. A CoreDNS server could be set up to handle the advanced configuration; then the IP address of this server can be used as the DNS server in all the Pritunl configurations.
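As an added illustration (not part of the thread and not a Pritunl-provided configuration), here is a CoreDNS Corefile of the kind the reply describes: one server block per private zone, each forwarding to the Route53 resolver of the VPC that zone is associated with, and a catch-all block for everything else. All addresses are assumptions: 10.1.0.2 and 10.2.0.2 for the two VPC resolvers and 172.16.0.0/12 for the Pritunl client address pools. Because the answer is a single resolver address pushed by every Pritunl server, the client's second VPN connection overwriting the first one's DNS setting no longer matters.

```corefile
# Added example Corefile, not from the original thread.
# Assumed addresses:
#   10.1.0.2       Route53 resolver (VPC CIDR base + 2) in the account1 VPC
#   10.2.0.2       Route53 resolver in the account2 VPC
#   172.16.0.0/12  Pritunl client address pools on both VPN servers
#
# This host must have a route to every forward target. With the
# "infra VPC associated with all private zones" design from the
# question, every zone block instead forwards to that VPC's own
# resolver, so the per-zone targets below collapse to one address.

# Shared snippet: refuse queries from anything that is not a VPN client,
# so the server cannot be used as an open resolver if it has a public IP.
(vpn_only) {
    acl {
        allow net 172.16.0.0/12 127.0.0.0/8
        block
    }
    errors
    log
    cache 30
}

# Private zone of account1: answered by account1's VPC resolver.
client1.company.co:53 {
    import vpn_only
    forward . 10.1.0.2
}

# Private zone of account2: answered by account2's VPC resolver.
client2.company.co:53 {
    import vpn_only
    forward . 10.2.0.2
}

# Everything else (including the public Route53 zones): the host's
# normal upstream resolvers from /etc/resolv.conf.
.:53 {
    import vpn_only
    forward . /etc/resolv.conf
}
```

Point the "DNS Server" setting of every Pritunl server at this host's IP. Check it from a connected client with `dig admin.client1.company.co @<coredns-ip>` and `dig admin.client2.company.co @<coredns-ip>`; a query from a source outside the allowed nets should be refused. Note that the `acl` plugin only limits who may ask; reachability of the forward targets (security groups, routes) still has to be provided in the VPC that hosts CoreDNS.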

Thank you! I will try CoreDNS!