Solved

Split DNS, Split Tunnel, PPTP VPN, NAT, and some serious headaches

Posted on 2006-10-20
7
2,868 Views
Last Modified: 2012-08-13
The title just about says it all.  Right now I have a single public IP running into a WatchGuard Firebox.  I have a bunch of domains with DNS hosted elsewhere.  Internally I am running DHCPd and Bind with ddns using the domain <my domain>.local.  I also have people PPTPing into the network, but would like NOT to have to have all of their traffic get sent over the tunnel, hence split tunneling.  This causes some serious headaches because PPTPs cannot access computers internally by name since the DNS foo.<my domain>.local doesn't resolve on their DNS servers (which are listed first) because they are split tunneled.  My question is what is the best way to actually get this all configured such that:

Internally we are using <computer>.internal.<my domain>.com on some private IP based Bind server (e.g. 192.168.0.X) behind our FireBox (This step is easy)
Externally people using <computer>.internal.<my domain>.com get redirected to ... <my domain>.com for example, but
PPTP VPN users using split tunneling can actually perform lookups on <computer>.internal.<my domain>.com and get the correct response from our Internal Server.

Or is this even possible?  I am open to any suggested ways to solve this problem.
0
Comment
Question by:efaden
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 17774588
Assuming all clients are Windows then read:

     http://support.microsoft.com/default.aspx?scid=kb;en-us;311218

This is a registry change that will cause the client to do DNS lookup using the VPN adatpers DNS reslovers first, which should be your internal DNS servers.  This will allow your internal names to work.
0
 

Author Comment

by:efaden
ID: 17774617
What about with OSX and other clients?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 17774847
Well, that I am not sure of.  You will have to check each OS and how they may or may not alter the DNS reslover order.

Windows used to have a single DNS reslover order and when a "WAN" (PPP, SLIP, PPTP, ect.) connection was made it would add any new DNS reslover to the top of the list.  However with Windows 2000/XP, the started to maintain a seperate list for each adapter and would send out requests until it received an answer (either good or bad).  It would start with the 1st adapter in the bind list (reference the MS KB) and keep going down the list until it received a answer from one of the reslovers.

I am not sure how *nix based system work, I have never noticed.
0
Secure Your WordPress Site: 5 Essential Approaches

WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:

Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users

 

Author Comment

by:efaden
ID: 17774889
Interesting.  Is there a cleaner way to set this all up?  What is generally the best way to deal with the Internal vs. External DNS/VPN issue?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 17775253
Not that I am aware of.  We are attempting to figure this out ourselves.   I am not sure if VPN clients address this or not, as it is Windows that controls how name resolution works.  In theory a VPN client could remove all current reslovers and add just those needed for the VPN at connection time and then revert back to the original setup at disconnect.

We are lucky, if you want to call it that, as all of our VPN clients will be Windows based PC.  I am the only one that uses Linux to connect to our VPN, but I run my own DNS reslovers at home and I have it setup with forwarder zones to forward to our work reslovers for our Internal domain name.

One major gotcha with the KB  I referenced, if you make any changes to any of the NIC's the bind order changes back so that the WAN is last instead of first.  Which means you could change the registry setting and then it get changed back.

There was one site, I can't remeber what it was, that had a script to do the change.
0
 
LVL 9

Expert Comment

by:NYtechGuy
ID: 17776197



The ability to split-tunnel DNS queries has been included for quite some time now.

-----Syntax-----
vpngroup <vpngroup name> split-dns <domain name 1> <domain name 2>

-----Example-----
vpngroup myvpngroup split-dns mydomain.local mydomain.com


I am running a Cisco PIX 515 on v7.x, and I am connecting using the Cisco VPN client version 4.8.  Same goes for much earlier versions of both, as well as for the much cheaper PIX 501 ($400 list).  This must be included in Watchguard in that case... if the watchguard knowledgebase was publicly accessible I would have gotten you a link.

Thanks - Justin
0
 
LVL 4

Expert Comment

by:periferral
ID: 17883584
I would go with the PIX solution. It supports everything you need. Also, you are better off with an IPSec solution rather than PPTP. The you can assign dns entries to the client which will go through the firewall rather than the default one set on the client. Also split DNS and split tunneling is supported.
Im sure the Firebox can do VPN tunnels are well (IKE/IPSec) rather than PPTP.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question