Remote sites, DNS lookups question
Posted on 2011-11-01
I have an issue I've been working with the last few days, tearing my hair out. I am guessing it's a matter of setting split-dns, maybe, but at this point I'm not sure.
I have a main site, using an ASA5505 as a VPN headend. Remote sites also use an ASA5505 with EasyVPN because they are all dynamic IPs. Networking works; I have split tunneling enabled and working. No real functionality issue other than me not wanting all the DNS queries to come back to corporate. I monitor the traffic using iftop, on a spanned interface from the main ASA, with a port filter of 53. On a remote site, I can do an nslookup, and it will query the DNS server of choice as assigned by the local DHCP server. (In this case, Google 220.127.116.11.) The lookup happens, but on my iftop I see the remote client has actually queried the corporate DNS servers. Minuscule traffic, about 700b or so per request.
I never even noticed this before, until a few weeks ago a server here died, which happened to be the primary DNS server. All the remote sites stopped being able to do any DNS resolution until I changed the ASA at corporate to use a public DNS server under group policy.
That being said, what do I need to do configuration-wise to make all requests that aren't "mydomain.com" only ask the DNS server as configured at each remote site, and requests to the mydomain.com actually traverse the tunnel and query my corporate DNS server?
Most of the remote sites are not in the domain, they are just homes that will be using the VPN function to use Cisco IP phones while at home, and possibly connect to some shares. If they need to access shares, even then I'm not really worried about DNS, I can map by IP in those cases.
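The split-DNS group-policy the question is reaching for, as an added example that is not part of the original post and not a configuration from the poster's network. It is written for the headend ASA in ASA CLI. The group-policy name REMOTE_SITES, the ACL name CORP_NETS, the corporate range 10.10.0.0/16 and the resolver addresses 10.10.0.10 and 10.10.0.11 are placeholders; the domain mydomain.com is the one named in the post. It assumes the remote Easy VPN clients honour the split-dns attribute pushed from the headend, which should be checked against the ASA documentation for the software version in use.

```cisco
! Corporate prefixes that should be sent through the tunnel (placeholder range).
access-list CORP_NETS standard permit 10.10.0.0 255.255.0.0

group-policy REMOTE_SITES attributes
 ! Corporate resolvers, reachable only inside the tunnel (placeholder addresses).
 dns-server value 10.10.0.10 10.10.0.11
 ! Default search domain handed to the client for unqualified names.
 default-domain value mydomain.com
 ! Only names under this domain are sent to the corporate resolvers;
 ! every other lookup goes to the resolver the remote site got from its own DHCP.
 split-dns value mydomain.com
 ! Tunnel only the listed corporate networks; all other traffic stays local.
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CORP_NETS
```

Once the policy is applied to the tunnel group the remote sites connect with, the check is the same one the post already uses: run an nslookup for an outside name from a remote site while watching iftop with the port 53 filter on the spanned interface. No query for that name should appear at corporate, while a lookup for a host under mydomain.com should. The failure mode described in the post also changes shape: if a corporate resolver goes down, only mydomain.com lookups break at the remote sites rather than all resolution.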