Solved

Split DNS, Split Tunnel, PPTP VPN, NAT, and some serious headaches

Posted on 2006-10-20
7
2,851 Views
Last Modified: 2012-08-13
The title just about says it all.  Right now I have a single public IP running into a WatchGuard Firebox.  I have a bunch of domains with DNS hosted elsewhere.  Internally I am running DHCPd and Bind with ddns using the domain <my domain>.local.  I also have people PPTPing into the network, but would like NOT to have to have all of their traffic get sent over the tunnel, hence split tunneling.  This causes some serious headaches because PPTPs cannot access computers internally by name since the DNS foo.<my domain>.local doesn't resolve on their DNS servers (which are listed first) because they are split tunneled.  My question is what is the best way to actually get this all configured such that:

Internally we are using <computer>.internal.<my domain>.com on some private IP based Bind server (e.g. 192.168.0.X) behind our FireBox (This step is easy)
Externally people using <computer>.internal.<my domain>.com get redirected to ... <my domain>.com for example, but
PPTP VPN users using split tunneling can actually perform lookups on <computer>.internal.<my domain>.com and get the correct response from our Internal Server.

Or is this even possible?  I am open to any suggested ways to solve this problem.
0
Comment
Question by:efaden
7 Comments
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 17774588
Assuming all clients are Windows then read:

     http://support.microsoft.com/default.aspx?scid=kb;en-us;311218

This is a registry change that will cause the client to do DNS lookup using the VPN adatpers DNS reslovers first, which should be your internal DNS servers.  This will allow your internal names to work.
0
 

Author Comment

by:efaden
ID: 17774617
What about with OSX and other clients?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 17774847
Well, that I am not sure of.  You will have to check each OS and how they may or may not alter the DNS reslover order.

Windows used to have a single DNS reslover order and when a "WAN" (PPP, SLIP, PPTP, ect.) connection was made it would add any new DNS reslover to the top of the list.  However with Windows 2000/XP, the started to maintain a seperate list for each adapter and would send out requests until it received an answer (either good or bad).  It would start with the 1st adapter in the bind list (reference the MS KB) and keep going down the list until it received a answer from one of the reslovers.

I am not sure how *nix based system work, I have never noticed.
0
Save on storage to protect fatherhood memories

You're the dad who has everything. This Father's Day, make sure your family memories are protected. My Passport Ultra has automatic backup and password protection to keep your cherished photos and videos safe. With up to 3TB, you have plenty of room to hold the adventures ahead.

 

Author Comment

by:efaden
ID: 17774889
Interesting.  Is there a cleaner way to set this all up?  What is generally the best way to deal with the Internal vs. External DNS/VPN issue?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 17775253
Not that I am aware of.  We are attempting to figure this out ourselves.   I am not sure if VPN clients address this or not, as it is Windows that controls how name resolution works.  In theory a VPN client could remove all current reslovers and add just those needed for the VPN at connection time and then revert back to the original setup at disconnect.

We are lucky, if you want to call it that, as all of our VPN clients will be Windows based PC.  I am the only one that uses Linux to connect to our VPN, but I run my own DNS reslovers at home and I have it setup with forwarder zones to forward to our work reslovers for our Internal domain name.

One major gotcha with the KB  I referenced, if you make any changes to any of the NIC's the bind order changes back so that the WAN is last instead of first.  Which means you could change the registry setting and then it get changed back.

There was one site, I can't remeber what it was, that had a script to do the change.
0
 
LVL 9

Expert Comment

by:NYtechGuy
ID: 17776197



The ability to split-tunnel DNS queries has been included for quite some time now.

-----Syntax-----
vpngroup <vpngroup name> split-dns <domain name 1> <domain name 2>

-----Example-----
vpngroup myvpngroup split-dns mydomain.local mydomain.com


I am running a Cisco PIX 515 on v7.x, and I am connecting using the Cisco VPN client version 4.8.  Same goes for much earlier versions of both, as well as for the much cheaper PIX 501 ($400 list).  This must be included in Watchguard in that case... if the watchguard knowledgebase was publicly accessible I would have gotten you a link.

Thanks - Justin
0
 
LVL 4

Expert Comment

by:periferral
ID: 17883584
I would go with the PIX solution. It supports everything you need. Also, you are better off with an IPSec solution rather than PPTP. The you can assign dns entries to the client which will go through the firewall rather than the default one set on the client. Also split DNS and split tunneling is supported.
Im sure the Firebox can do VPN tunnels are well (IKE/IPSec) rather than PPTP.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now