Solved

Split DNS, Split Tunnel, PPTP VPN, NAT, and some serious headaches

Posted on 2006-10-20
7
2,862 Views
Last Modified: 2012-08-13
The title just about says it all.  Right now I have a single public IP running into a WatchGuard Firebox.  I have a bunch of domains with DNS hosted elsewhere.  Internally I am running DHCPd and Bind with ddns using the domain <my domain>.local.  I also have people PPTPing into the network, but would like NOT to have to have all of their traffic get sent over the tunnel, hence split tunneling.  This causes some serious headaches because PPTPs cannot access computers internally by name since the DNS foo.<my domain>.local doesn't resolve on their DNS servers (which are listed first) because they are split tunneled.  My question is what is the best way to actually get this all configured such that:

Internally we are using <computer>.internal.<my domain>.com on some private IP based Bind server (e.g. 192.168.0.X) behind our FireBox (This step is easy)
Externally people using <computer>.internal.<my domain>.com get redirected to ... <my domain>.com for example, but
PPTP VPN users using split tunneling can actually perform lookups on <computer>.internal.<my domain>.com and get the correct response from our Internal Server.

Or is this even possible?  I am open to any suggested ways to solve this problem.
0
Comment
Question by:efaden
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 17774588
Assuming all clients are Windows then read:

     http://support.microsoft.com/default.aspx?scid=kb;en-us;311218

This is a registry change that will cause the client to do DNS lookup using the VPN adatpers DNS reslovers first, which should be your internal DNS servers.  This will allow your internal names to work.
0
 

Author Comment

by:efaden
ID: 17774617
What about with OSX and other clients?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 17774847
Well, that I am not sure of.  You will have to check each OS and how they may or may not alter the DNS reslover order.

Windows used to have a single DNS reslover order and when a "WAN" (PPP, SLIP, PPTP, ect.) connection was made it would add any new DNS reslover to the top of the list.  However with Windows 2000/XP, the started to maintain a seperate list for each adapter and would send out requests until it received an answer (either good or bad).  It would start with the 1st adapter in the bind list (reference the MS KB) and keep going down the list until it received a answer from one of the reslovers.

I am not sure how *nix based system work, I have never noticed.
0
Don't Miss ATEN at InfoComm 2017!

Visit booth #2167 to see the  new ATEN VM3200 32 x 32 Modular Matrix Switch. Other highlights include the VE8950 4K HDMI Over IP Extender, VS1912 12-Port DP Video Wall Media Player  and VK2100 ATEN Control System. Register now with Free Pass Code ATEN288!

 

Author Comment

by:efaden
ID: 17774889
Interesting.  Is there a cleaner way to set this all up?  What is generally the best way to deal with the Internal vs. External DNS/VPN issue?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 17775253
Not that I am aware of.  We are attempting to figure this out ourselves.   I am not sure if VPN clients address this or not, as it is Windows that controls how name resolution works.  In theory a VPN client could remove all current reslovers and add just those needed for the VPN at connection time and then revert back to the original setup at disconnect.

We are lucky, if you want to call it that, as all of our VPN clients will be Windows based PC.  I am the only one that uses Linux to connect to our VPN, but I run my own DNS reslovers at home and I have it setup with forwarder zones to forward to our work reslovers for our Internal domain name.

One major gotcha with the KB  I referenced, if you make any changes to any of the NIC's the bind order changes back so that the WAN is last instead of first.  Which means you could change the registry setting and then it get changed back.

There was one site, I can't remeber what it was, that had a script to do the change.
0
 
LVL 9

Expert Comment

by:NYtechGuy
ID: 17776197



The ability to split-tunnel DNS queries has been included for quite some time now.

-----Syntax-----
vpngroup <vpngroup name> split-dns <domain name 1> <domain name 2>

-----Example-----
vpngroup myvpngroup split-dns mydomain.local mydomain.com


I am running a Cisco PIX 515 on v7.x, and I am connecting using the Cisco VPN client version 4.8.  Same goes for much earlier versions of both, as well as for the much cheaper PIX 501 ($400 list).  This must be included in Watchguard in that case... if the watchguard knowledgebase was publicly accessible I would have gotten you a link.

Thanks - Justin
0
 
LVL 4

Expert Comment

by:periferral
ID: 17883584
I would go with the PIX solution. It supports everything you need. Also, you are better off with an IPSec solution rather than PPTP. The you can assign dns entries to the client which will go through the firewall rather than the default one set on the client. Also split DNS and split tunneling is supported.
Im sure the Firebox can do VPN tunnels are well (IKE/IPSec) rather than PPTP.
0

Featured Post

Are You Ransomware's Next Victim?

Worried about ransomware attacks hitting your organization?  The good news is that these attacks are predicable and therefore preventable. Learn more about how you can  stop a ransomware attacks before encryption takes place with WatchGuard Total Security!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question