DNS over VPN Tunnel

I have two sites on two separate internal domains connected via an IPSEC VPN tunnel. One side, siteb.local (one Win2K and one Win2K3 DC), has a Netscreen 5GT, and the other side, sitea.local (2 Win2K3 DCs), has a Fortigate 80C. The tunnels between the sites are up and I can ping and RDP by IP both ways with no problem. But I am not able to get DNS to work. I have added a stub domain on either side but it will not update. I have also tried DNS forwarders but that isn't working either. What am I missing?
Compushare asked:
UserProto commented:
You must specify domains in the forwarders tab: for sitea, the DNS forwarders tab looks like: domain siteb.local - siteb DNS server IP, and for siteb the DNS forwarders tab looks like: domain sitea.local - sitea DNS server IP. For all other domains, DNS must be left unchanged.
0
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
Have you enabled TCP/53 and UDP/53 for zone transfers/queries on the firewall/router?

Regards,
Krzysztof
0
 
Compushare (Author) commented:
There are port restrictions on the tunnels
0
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
So, it looks like that could be a problem :/
Echo request works fine but DNS queries (UDP/53) and zone transfers (TCP/53) don't. Are your DNS zones configured as Active Directory-Integrated, or do they work as standard Primary/Secondary/Stub zones?

Krzysztof
0
 
Compushare (Author) commented:
Sorry, typing too fast. Meant to say there are no port restrictions on the tunnels
0
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
So, please tell me: are your DNS zones configured as Active Directory-Integrated, or do they work as standard Primary/Secondary/Stub zones?
That also requires enabling zone transfers on the DNS servers in the zone's properties and defining which DNS servers can request zone transfers

Krzysztof
0
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
Please check my guide on standard Stub Zone creation (and look for enabling zone transfer) and check if it helps

Krzysztof
Configuring-Stub-zone.pdf
0
 
Compushare (Author) commented:
They are AD integrated; I didn't check the Zone Transfers tab. Thanks for the guide. Logging in to those servers now to check.
0
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
When you created stub zones, do you see all NS and A records of DNS servers for those domains within a zone?

Krzysztof
0
 
Compushare (Author) commented:
On siteb I added the secondary zone on the Win2K DNS server and I saw the NS and A records populate from the sitea domain. I added a stub domain on the Win2K3 DNS server in sitea and it will not pull the NS and A records: "The DNS server encountered a problem while attempting to load this zone". Also, I have added the sitea DC to the siteb domain Name Servers tab and vice versa, since the Zone Transfers tab on both DCs says to only allow transfers to servers listed in the Name Servers tab.
0
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
If they are from different domains, you need to add them using IP address, not the Name Servers tab :)
But it looks like it works one way :/
0
 
Compushare (Author) commented:
Ok, I did it by IP instead and have the same result. Works on one side, but not on the other
0
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
Try to click on that "not working" stub zone and choose "Transfer from master", wait some time and tell me what you see in the DNS event log

Krzysztof
0
 
InterframeGap commented:
Download BIND for NT from www.isc.org.
Once downloaded, extract the contents (you don't need to install it)

find dig.exe

at the command line:

dig axfr company.com. @primary.dnservercompany.com

If you get zone transfer failed:

1) telnet primary dns server port 53 (get a connection?)
2) MSS/MTU - The MTU on the Tunnel will be less than 1500. So DNS will fail on a transfer since it's using the MTU.  You need to change the tunnel settings to "spoof" the MSS on the tcp negotiation to be say 1400 or 1380.  Once both sides have a "mtu of 1380" this should work since you have 40B of overhead on tcp/ip and XBytes on the vpn tunnel (AH/IPSEC/PPTP etc).
3) Make sure you are not stopping unreachables or mtu path discovery.  VPNs tend to block this by default since it's a security risk.  This causes the client not to be able to negotiate a good MSS.

4) Quick test:
Windoze> ping -l 1460 -f -n 10 -w 2 -i 20 <remote-host>
-l = payload 1460+40 for header makes 1500
-f = don't fragment
-n = number of packets
-w = wait time 2 seconds
-i = make sure the ttl is set correctly (no modifications on the box).

If that fails, work your way down on the "-l" by 40 bytes, so you will then ping -l 1420...

Hope this helps
0
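As an added example (not code from the thread or from any of its participants), this Python script automates the step-down don't-fragment ping test InterframeGap describes and turns the largest payload that gets through into a path MTU and an MSS clamp value for the tunnel. `ping_probe` wraps the native ping on Windows or Linux; the remote host, the 1460 starting payload and the 40-byte step are assumptions taken from the post above.

```python
"""Step a don't-fragment ping down in 40-byte steps to find the largest payload the
VPN tunnel carries, then derive the path MTU and an MSS clamp value.  Added example,
not from the original thread."""
import platform
import subprocess
from typing import Callable, Optional

IP_ICMP_HEADER = 28   # 20-byte IPv4 header + 8-byte ICMP header (what ping -l excludes)
IP_TCP_HEADER = 40    # 20-byte IPv4 header + 20-byte TCP header, no options


def ping_probe(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one don't-fragment ping of `payload` bytes; True if it is answered.
    Uses the native flags on Windows (-l/-f, -w in ms) or Linux (-s/-M do, -W in s)."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-l", str(payload), "-f",
               "-w", str(timeout_s * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-s", str(payload), "-M", "do",
               "-W", str(timeout_s), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def largest_payload(probe: Callable[[int], bool], start: int = 1460,
                    step: int = 40, floor: int = 0) -> Optional[int]:
    """Largest DF payload that gets through, stepping down by `step` from `start`.
    `probe` is injected so the search can be exercised without a live tunnel.
    Returns None if nothing at or above `floor` is answered (e.g. PMTUD blocked)."""
    payload = start
    while payload >= floor:
        if probe(payload):
            return payload
        payload -= step
    return None


def tunnel_budget(payload: int) -> dict:
    """Translate a working ICMP payload into the path MTU, the tunnel overhead
    relative to a 1500-byte Ethernet MTU, and an MSS value to clamp TCP to."""
    path_mtu = payload + IP_ICMP_HEADER
    return {"path_mtu": path_mtu,
            "overhead": 1500 - path_mtu,
            "mss_clamp": path_mtu - IP_TCP_HEADER}


if __name__ == "__main__":
    host = "192.0.2.10"   # assumed placeholder for the far-side DNS server
    best = largest_payload(lambda p: ping_probe(host, p))
    print("no DF ping answered" if best is None else tunnel_budget(best))
```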
 
Compushare (Author) commented:
I am still in the same spot. On siteb Win2K DNS I have the sitea secondary domain and it populates with all the A records. On sitea Win2K3 DNS the stub domain will not work for siteb. Records do not populate. I have used BIND as described and the transfer failed. I have the interface on the Fortigate set to MTU 1380 and the untrust and trust interfaces on the Netscreen set to MTU 1380. Still no change. Before changing the MTU on either side I was only able to complete a ping from sitea to siteb when I set the payload to 1380; now, after changing the MTU size on the VPN appliances, I have to set it to 1200 for it to complete the ping. I did not set up forwarders since there are secondary/stub domains in DNS and you can't have both. Any other ideas?
0
 
InterframeGap commented:
Yea - however, I'm dealing with production issues. I'll get back to you as soon as I can - may be later tonight or tomorrow morning.

DMT
0
 
InterframeGap commented:
Oh - one other thing - do you have netmon 3 installed on both of these servers, or at least on one? A trace of the data transfer success/failure would be helpful.

I have not read all your last post, so I'll write later when I have more time.

DMT
0
 
Compushare (Author) commented:
This was part of the solution, the other part was moving DNS off the Win2K box onto a Win2K3 box.
0
Question has a verified solution.