We help IT Professionals succeed at work.

DNS requests to DNS server from branch offices not being resolved

Here is the scenario. We have a main office and two branch offices connected with VPN tunnels using Cisco ASA 5505 firewalls.

We just set up an active directory (server 2008 R2) with the only DC (running DNS) based in the main office. I modified the DHCP scopes for the branch offices to have the DC as their primary DNS server.

For some reason, though, workstations in each of the branch offices can not resolve any of the new server names. I verified that the new DNS servers are being handed out via DHCP at each branch office. And I can ping the IP address of the server I want to get to so one of the following must be true:

 - DNS requests aren't being sent through the VPN tunnel to the DC/DNS server
 or
 - the DC/DNS server is refusing requests from the branch offices

Any ideas?
Comment
Watch Question

can you telnet into the DNS server on port 53 from the remote terminal, if not check to see that the port is allowed on the firewall.  If it connects it won't give you any response, if it doesn't  connect it will give you a connection refused error.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
check the advanced firewall settings to see whether access to port 53 is limited to the domain network only which might be what is preventing the remote LAN which has a different IP segment from passing.

Does the branch have its own DHCP server but not a DC?

Author

Commented:
The firewall on the DC is turned off. I was able to telnet to it using port 53 from a branch office even though I didn't get any response.

Author

Commented:
and yes, the branch offices have their own DHCP servers but no DC.
I may have fixed it but this may just be a work-around which isn't great.

So I noticed that while I couldn't "ping server" and get responses, I could "ping server.domain.local" and get responses. I then modified my dhcp server with the command:

dhcpd domain domain.local

Now if you go to "ipconfig /all" the DNS Suffix Search List includes "domain.local" and I can ping servers with either their FQDN or just the basic name.

So did I just solve my problem or is there more work to do?
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Since you have a local DHCP, you could also setup a local DNS server that will pull the data from the DC at the main office.
Any reason why a branch DC is not being considered?

Adding the search domain will help resolve the server just as it would have server.domain.local.

Author

Commented:
I resolved the issue on my own

Explore More ContentExplore courses, solutions, and other research materials related to this topic.