Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2895
  • Last Modified:

Split DNS, Split Tunnel, PPTP VPN, NAT, and some serious headaches

The title just about says it all.  Right now I have a single public IP running into a WatchGuard Firebox.  I have a bunch of domains with DNS hosted elsewhere.  Internally I am running DHCPd and Bind with ddns using the domain <my domain>.local.  I also have people PPTPing into the network, but would like NOT to have to have all of their traffic get sent over the tunnel, hence split tunneling.  This causes some serious headaches because PPTPs cannot access computers internally by name since the DNS foo.<my domain>.local doesn't resolve on their DNS servers (which are listed first) because they are split tunneled.  My question is what is the best way to actually get this all configured such that:

Internally we are using <computer>.internal.<my domain>.com on some private IP based Bind server (e.g. 192.168.0.X) behind our FireBox (This step is easy)
Externally people using <computer>.internal.<my domain>.com get redirected to ... <my domain>.com for example, but
PPTP VPN users using split tunneling can actually perform lookups on <computer>.internal.<my domain>.com and get the correct response from our Internal Server.

Or is this even possible?  I am open to any suggested ways to solve this problem.
0
efaden
Asked:
efaden
1 Solution
 
giltjrCommented:
Assuming all clients are Windows then read:

     http://support.microsoft.com/default.aspx?scid=kb;en-us;311218

This is a registry change that will cause the client to do DNS lookup using the VPN adatpers DNS reslovers first, which should be your internal DNS servers.  This will allow your internal names to work.
0
 
efadenAuthor Commented:
What about with OSX and other clients?
0
 
giltjrCommented:
Well, that I am not sure of.  You will have to check each OS and how they may or may not alter the DNS reslover order.

Windows used to have a single DNS reslover order and when a "WAN" (PPP, SLIP, PPTP, ect.) connection was made it would add any new DNS reslover to the top of the list.  However with Windows 2000/XP, the started to maintain a seperate list for each adapter and would send out requests until it received an answer (either good or bad).  It would start with the 1st adapter in the bind list (reference the MS KB) and keep going down the list until it received a answer from one of the reslovers.

I am not sure how *nix based system work, I have never noticed.
0
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

 
efadenAuthor Commented:
Interesting.  Is there a cleaner way to set this all up?  What is generally the best way to deal with the Internal vs. External DNS/VPN issue?
0
 
giltjrCommented:
Not that I am aware of.  We are attempting to figure this out ourselves.   I am not sure if VPN clients address this or not, as it is Windows that controls how name resolution works.  In theory a VPN client could remove all current reslovers and add just those needed for the VPN at connection time and then revert back to the original setup at disconnect.

We are lucky, if you want to call it that, as all of our VPN clients will be Windows based PC.  I am the only one that uses Linux to connect to our VPN, but I run my own DNS reslovers at home and I have it setup with forwarder zones to forward to our work reslovers for our Internal domain name.

One major gotcha with the KB  I referenced, if you make any changes to any of the NIC's the bind order changes back so that the WAN is last instead of first.  Which means you could change the registry setting and then it get changed back.

There was one site, I can't remeber what it was, that had a script to do the change.
0
 
NYtechGuyCommented:



The ability to split-tunnel DNS queries has been included for quite some time now.

-----Syntax-----
vpngroup <vpngroup name> split-dns <domain name 1> <domain name 2>

-----Example-----
vpngroup myvpngroup split-dns mydomain.local mydomain.com


I am running a Cisco PIX 515 on v7.x, and I am connecting using the Cisco VPN client version 4.8.  Same goes for much earlier versions of both, as well as for the much cheaper PIX 501 ($400 list).  This must be included in Watchguard in that case... if the watchguard knowledgebase was publicly accessible I would have gotten you a link.

Thanks - Justin
0
 
periferralCommented:
I would go with the PIX solution. It supports everything you need. Also, you are better off with an IPSec solution rather than PPTP. The you can assign dns entries to the client which will go through the firewall rather than the default one set on the client. Also split DNS and split tunneling is supported.
Im sure the Firebox can do VPN tunnels are well (IKE/IPSec) rather than PPTP.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now