DNS over VPN Tunnel

Compushare (asker):

I have two sites on two separate internal domains connected via an IPsec VPN tunnel. One side, siteb.local (one Win2K and one Win2K3 DC), has a Netscreen 5GT, and the other side, sitea.local (2 Win2K3 DCs), has a Fortigate 80C. The tunnels between the sites are up and I can ping and RDP by IP both ways, no problem. But I am not able to get DNS to work. I have added a stub domain on either side but it will not update. I have also tried DNS forwarders but that isn't working either. What am I missing?
Krzysztof Pytko:

Have you enabled TCP/53 and UDP/53 for zone transfers/queries on the firewall/router?

Regards,
Krzysztof
Compushare (asker):

There are port restrictions on the tunnels
Krzysztof Pytko:

So, it looks like that could be the problem :/
Echo requests work fine, but DNS queries (UDP/53) and zone transfers (TCP/53) don't. Are your DNS zones configured as Active Directory-integrated, or do they work as standard primary/secondary/stub zones?

Krzysztof
Compushare (asker):

Sorry, typing too fast. I meant to say there are no port restrictions on the tunnels.
Krzysztof Pytko:

So, please tell me: are your DNS zones configured as Active Directory-integrated, or do they work as standard primary/secondary/stub zones?
That also requires enabling zone transfers on the DNS servers in the zone's properties and defining which DNS servers can request zone transfers.

Krzysztof
Krzysztof Pytko:

Please check my guide on standard stub zone creation (and look for enabling zone transfers) and see if it helps.

Krzysztof
Configuring-Stub-zone.pdf
Compushare (asker):

They are AD-integrated; I didn't check the Zone Transfers tab, thanks for the guide. Logging in to those servers now to check.
Krzysztof Pytko:

When you created the stub zones, do you see all the NS and A records of the DNS servers for those domains within the zone?

Krzysztof
Compushare (asker):

On siteb I added the secondary zone on the Win2K DNS server and I saw the NS and A records populate from the sitea domain. I added a stub domain on the Win2K3 DNS server in sitea and it will not pull the NS and A records: "The DNS server encountered a problem while attempting to load this zone". Also, I have added the sitea DC to the siteb domain's Name Servers tab and vice versa, since the Zone Transfers tab on both DCs says to only allow transfers to servers listed in the Name Servers tab.
Krzysztof Pytko:

If they are from different domains, you need to add them using the IP address, not the Name Servers tab :)
But it looks like it works one way :/
Compushare (asker):

OK, I did it by IP instead and have the same result. It works on one side, but not on the other.
Krzysztof Pytko:

Try clicking on that "not working" stub zone and choose "Transfer from master", wait some time, and tell me what you see in the DNS event log.

Krzysztof
InterframeGap:

Download BIND for NT from www.isc.org.
Once downloaded, extract the contents (you don't need to install it).

find dig.exe

at the command line:

dig axfr company.com. @primary.dnservercompany.com

If you get "zone transfer failed":

1) telnet to the primary DNS server on port 53 (do you get a connection?)
2) MSS/MTU - The MTU on the tunnel will be less than 1500, so DNS will fail on a transfer since it's using the MTU. You need to change the tunnel settings to "spoof" the MSS in the TCP negotiation to be, say, 1400 or 1380. Once both sides have an "MTU of 1380" this should work, since you have 40 bytes of overhead on TCP/IP and X bytes on the VPN tunnel (AH/IPsec/PPTP etc.).
3) Make sure you are not blocking unreachables or path MTU discovery. VPNs tend to block these by default since they're considered a security risk. This causes the client not to be able to negotiate a good MSS.

4) Quick test:
Windoze> ping -l 1460 -f -n 10 -w 2000 -i 20 <far-side-host>
-l = payload; 1460 + 40 for the header makes 1500
-f = don't fragment
-n = number of packets
-w = wait time (2000 ms = 2 seconds)
-i = make sure the TTL is set correctly (no modifications on the box).

If that fails, work your way down on "-l" by 40 bytes, so you would then ping -l 1420...

Hope this helps
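The AXFR check InterframeGap describes with dig, written out as a minimal TCP/53 client so that the failure modes in this thread can be told apart: no TCP/53 connection (tunnel policy or firewall), a REFUSED rcode from the master (the requesting server's IP is not on its zone-transfer list, Krzysztof's point above), or a transfer that starts but never reaches the closing SOA (the MTU/MSS problem InterframeGap raises). This is an added example, not code from the thread or from BIND; sitea.local is the zone name from the question, the master address 10.1.0.10 is an assumed placeholder, and the sample reply built by build_sample_axfr_reply() is constructed here for offline testing, not captured from a real server.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}
TYPES = {1: "A", 2: "NS", 6: "SOA"}

def encode_name(name):
    # wire-format name: length-prefixed labels ending in a zero byte
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    msg = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", 252, 1)  # QTYPE 252 = AXFR, class IN
    return struct.pack("!H", len(msg)) + msg  # 2-byte length prefix used on TCP (RFC 1035 section 4.2.2)

def decode_name(msg, offset):
    # read a possibly compressed name; return (name, offset just after it in the stream)
    labels, end = [], None
    while msg[offset] != 0:
        if msg[offset] & 0xC0 == 0xC0:                 # compression pointer: remember where we left off
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
        else:
            labels.append(msg[offset + 1:offset + 1 + msg[offset]].decode("ascii"))
            offset += 1 + msg[offset]
    return ".".join(labels), (offset + 1 if end is None else end)

def parse_message(msg):
    # one DNS message (no length prefix) -> rcode name plus (owner, type, value) records
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, records = 12, []
    for _ in range(qd):                                # skip the question section
        offset = decode_name(msg, offset)[1] + 4
    for _ in range(an + ns + ar):
        name, offset = decode_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype in (2, 6):                            # NS target, or the SOA primary server name
            value = decode_name(msg, offset)[0]
        elif rtype == 1 and rdlen == 4:                # A record as a dotted quad
            value = ".".join(str(b) for b in msg[offset:offset + 4])
        else:
            value = msg[offset:offset + rdlen].hex()
        offset += rdlen
        records.append((name, TYPES.get(rtype, str(rtype)), value))
    return {"txid": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "records": records}

def parse_frames(buf):
    # split a TCP byte stream into complete messages; return (messages, unconsumed bytes)
    messages = []
    while len(buf) >= 2 and len(buf) >= 2 + (need := struct.unpack("!H", buf[:2])[0]):
        messages.append(parse_message(buf[2:2 + need]))
        buf = buf[2 + need:]
    return messages, buf

def summarize(messages):
    # map what came back to the failure modes discussed in the thread
    if not messages:
        return "no reply: TCP/53 connected but nothing came back, suspect tunnel MTU/MSS"
    if messages[0]["rcode"] != "NOERROR":
        return messages[0]["rcode"] + (": master does not allow AXFR from this source IP (check its zone transfer list)" if messages[0]["rcode"] == "REFUSED" else "")
    records = [r for m in messages for r in m["records"]]
    if sum(1 for r in records if r[1] == "SOA") < 2:  # a full AXFR opens and closes with the SOA
        return "truncated after %d records, no closing SOA: suspect tunnel MTU/MSS" % len(records)
    return "complete: %d records, %d NS, %d A" % (len(records), *(sum(1 for r in records if r[1] == t) for t in ("NS", "A")))

def check_axfr(zone, master, port=53, timeout=10.0):
    # connect over the tunnel, send the AXFR, then read until the closing SOA, an error rcode, or a stall
    try:
        sock = socket.create_connection((master, port), timeout=timeout)  # timeout also applies to recv()
    except OSError as e:
        return "TCP/%d to %s failed (%s): tunnel policy or firewall" % (port, master, e)
    buf, messages = b"", []
    with sock:
        sock.sendall(build_axfr_query(zone))
        while sum(1 for m in messages for r in m["records"] if r[1] == "SOA") < 2:
            try:
                chunk = sock.recv(65535)
            except socket.timeout:                     # stalled mid-transfer
                chunk = b""
            if not chunk:                              # stall, or the peer closed early
                break
            new, buf = parse_frames(buf + chunk)
            messages.extend(new)
            if any(m["rcode"] != "NOERROR" for m in new):
                break
    return summarize(messages)

def build_sample_axfr_reply(zone="sitea.local", txid=0x1234, rcode=0):
    # constructed reply (not captured from a real server) so the parser can be exercised offline
    def rr(owner, rtype, rdata):
        return encode_name(owner) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    dc = "dc1." + zone
    soa = rr(zone, 6, encode_name(dc) + encode_name("hostmaster." + zone) + struct.pack("!IIIII", 2024010101, 900, 600, 86400, 3600))
    body = b"" if rcode else soa + rr(zone, 2, encode_name(dc)) + rr(dc, 1, bytes([10, 1, 0, 10])) + soa
    msg = struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, 0 if rcode else 4, 0, 0) + encode_name(zone) + struct.pack("!HH", 252, 1) + body
    return struct.pack("!H", len(msg)) + msg

if __name__ == "__main__":
    print(check_axfr("sitea.local", "10.1.0.10"))  # zone from the question; the master IP is an assumed placeholder
```

Run it from the server that holds the stub or secondary zone, pointing at the master on the far side of the tunnel, so the source IP it uses is the one the master's zone transfer list has to contain. A "truncated" or "no reply" result after a successful connect is the signature of the MSS/MTU problem: small replies (the REFUSED case, or a tiny zone) fit in one segment and get through, while a full transfer needs full-size segments that the tunnel silently drops.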
ASKER CERTIFIED SOLUTION
UserProto:

This solution is only available to members of Experts Exchange.
Compushare (asker):

I am still in the same spot. On the siteb Win2K DNS I have the sitea secondary domain and it populates with all the A records. On the sitea Win2K3 DNS the stub domain will not work for siteb; records do not populate. I have used BIND as described and the transfer failed. I have the interface on the Fortigate set to MTU 1380 and the untrust and trust interfaces on the Netscreen set to MTU 1380. Still no change. Before changing the MTU on either side I was only able to complete a ping from sitea to siteb when I set the payload to 1380; now, after changing the MTU size on the VPN appliances, I have to set it to 1200 for it to complete the ping. I did not set up forwarders since there are secondary/stub domains in DNS and you can't have both. Any other ideas?
Yeah, however I'm dealing with production issues. I'll get back to you as soon as I can; maybe later tonight or tomorrow morning.

DMT
Oh, one other thing: do you have Netmon 3 installed on both of these servers, or at least on one? A trace of the data transfer success/failure would be helpful.

I have not read all of your last post, so I'll write later when I have more time.

DMT
Compushare (asker):

This was part of the solution; the other part was moving DNS off the Win2K box onto a Win2K3 box.