Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Split DNS, Split Tunnel, PPTP VPN, NAT, and some serious headaches

Posted on 2006-10-20
7
Medium Priority
?
2,872 Views
Last Modified: 2012-08-13
The title just about says it all.  Right now I have a single public IP running into a WatchGuard Firebox.  I have a bunch of domains with DNS hosted elsewhere.  Internally I am running DHCPd and Bind with ddns using the domain <my domain>.local.  I also have people PPTPing into the network, but would like NOT to have to have all of their traffic get sent over the tunnel, hence split tunneling.  This causes some serious headaches because PPTPs cannot access computers internally by name since the DNS foo.<my domain>.local doesn't resolve on their DNS servers (which are listed first) because they are split tunneled.  My question is what is the best way to actually get this all configured such that:

Internally we are using <computer>.internal.<my domain>.com on some private IP based Bind server (e.g. 192.168.0.X) behind our FireBox (This step is easy)
Externally people using <computer>.internal.<my domain>.com get redirected to ... <my domain>.com for example, but
PPTP VPN users using split tunneling can actually perform lookups on <computer>.internal.<my domain>.com and get the correct response from our Internal Server.

Or is this even possible?  I am open to any suggested ways to solve this problem.
0
Comment
Question by:efaden
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 57

Accepted Solution

by:
giltjr earned 1500 total points
ID: 17774588
Assuming all clients are Windows then read:

     http://support.microsoft.com/default.aspx?scid=kb;en-us;311218

This is a registry change that will cause the client to do DNS lookup using the VPN adatpers DNS reslovers first, which should be your internal DNS servers.  This will allow your internal names to work.
0
 

Author Comment

by:efaden
ID: 17774617
What about with OSX and other clients?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 17774847
Well, that I am not sure of.  You will have to check each OS and how they may or may not alter the DNS reslover order.

Windows used to have a single DNS reslover order and when a "WAN" (PPP, SLIP, PPTP, ect.) connection was made it would add any new DNS reslover to the top of the list.  However with Windows 2000/XP, the started to maintain a seperate list for each adapter and would send out requests until it received an answer (either good or bad).  It would start with the 1st adapter in the bind list (reference the MS KB) and keep going down the list until it received a answer from one of the reslovers.

I am not sure how *nix based system work, I have never noticed.
0
Survive A High-Traffic Event with Percona

Your application or website rely on your database to deliver information about products and services to your customers. You can’t afford to have your database lose performance, lose availability or become unresponsive – even for just a few minutes.

 

Author Comment

by:efaden
ID: 17774889
Interesting.  Is there a cleaner way to set this all up?  What is generally the best way to deal with the Internal vs. External DNS/VPN issue?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 17775253
Not that I am aware of.  We are attempting to figure this out ourselves.   I am not sure if VPN clients address this or not, as it is Windows that controls how name resolution works.  In theory a VPN client could remove all current reslovers and add just those needed for the VPN at connection time and then revert back to the original setup at disconnect.

We are lucky, if you want to call it that, as all of our VPN clients will be Windows based PC.  I am the only one that uses Linux to connect to our VPN, but I run my own DNS reslovers at home and I have it setup with forwarder zones to forward to our work reslovers for our Internal domain name.

One major gotcha with the KB  I referenced, if you make any changes to any of the NIC's the bind order changes back so that the WAN is last instead of first.  Which means you could change the registry setting and then it get changed back.

There was one site, I can't remeber what it was, that had a script to do the change.
0
 
LVL 9

Expert Comment

by:NYtechGuy
ID: 17776197



The ability to split-tunnel DNS queries has been included for quite some time now.

-----Syntax-----
vpngroup <vpngroup name> split-dns <domain name 1> <domain name 2>

-----Example-----
vpngroup myvpngroup split-dns mydomain.local mydomain.com


I am running a Cisco PIX 515 on v7.x, and I am connecting using the Cisco VPN client version 4.8.  Same goes for much earlier versions of both, as well as for the much cheaper PIX 501 ($400 list).  This must be included in Watchguard in that case... if the watchguard knowledgebase was publicly accessible I would have gotten you a link.

Thanks - Justin
0
 
LVL 4

Expert Comment

by:periferral
ID: 17883584
I would go with the PIX solution. It supports everything you need. Also, you are better off with an IPSec solution rather than PPTP. The you can assign dns entries to the client which will go through the firewall rather than the default one set on the client. Also split DNS and split tunneling is supported.
Im sure the Firebox can do VPN tunnels are well (IKE/IPSec) rather than PPTP.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is a collection of issues that people face from time to time and possible solutions to those issues. I hope you enjoy reading it.
This article will show how Aten was able to supply easy management and control for Artear's video walls and wide range display configurations of their newsroom.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question