DNS configuration with a Site-to-Site VPN

I need help with DNS. I have successfully established a site-to-site VPN connection
between two offices. I am able to ping between each of the networks
across the VPN tunnel. My only issue now is how the DNS should be
configured to allow name resolution and the ability to set up a two-way trust.

Mike KlineCommented:
A few ways to do this; so, are these different domains/forests? You can use conditional forwarders, stub zones, or secondary zones. I like conditional forwarders; some steps here:



Also, to build on the above, if you are using a firewall appliance for your site-to-site VPN, you will need to ensure that the additional sites are allowed to query DNS through your firewalls. (Otherwise, look forward to lots of dropped traffic on port 53.)

I hope this helps.

Mike KlineCommented:
More on the firewall: make sure to have the ports opened per the KB below.




GD_GRAYAuthor Commented:
Yes, two different domains and forests, connected via a Cisco 1811 router and a Cisco 1841 router.
"ensure that the additional sites are allowed to query DNS through your firewalls"

Actually, since the traffic is running across a site-to-site VPN, the site firewalls won't play into this.  Unless, of course, they sit *behind* the VPN endpoints (which would be a little strange).

You will, however, need to ensure that your servers are willing to accept DNS traffic from the private network at the other end of the VPN tunnel.  For example - if these are Win2k8 servers, the default firewall policy restricts DNS queries to the local subnet only.

The link provided by mkline71 looks like it covers your likely next questions as well...


If you have two firewall appliances configured to use site-to-site VPN, the internal services such as DNS servers will sit behind the firewall... what's the point in having a firewall if your clients are going to be on the wrong side of it?
Typically, VPN tunnels are not subject to the firewall rules applied to the external interface.  In most firewall implementations, the VPN endpoint is a separate logical interface.

Granted, I'm reading into your original statement that you're talking about inbound firewall rules applied to the outside (untrusted) interface.  If you're talking about outbound firewall rules applied to the inside (trusted) interface, then I respectfully withdraw my previous comment...
GD_GRAYAuthor Commented:
Went with the link mkline71 posted, but I'm still not able to ping a host name. Do you think the fact that on each end the FQDN names are in the same format (my.server.local) would keep it from resolving? On my servers it seems to be different when setting up the Conditional Forwarder: I went to the DNS management tool, then to Properties/Forwarders, and set up a new domain and IP. Would that be the same thing?
So both sites are running under the same DNS domain? Do they also have the same AD forest/domain names?

You're facing bigger problems than DNS resolution in your bigger plan to establish cross-forest trust.

Please provide the following so I can better understand where we're starting...

Site 1 - private subnet, DC name, domain name, DNS svr IP
Site 2 - private subnet, DC name, domain name, DNS svr IP
GD_GRAYAuthor Commented:
site1 -,  DC1,   camron,,  ( FQDN )  dc1.camron.local

site 2 -,  DC2, camron2,  ( FQDN )  dc2.camron2.local
OK - assuming that you're using a /24 subnet mask at both sites (, you're good to go.  

Your comment about...
"on each end the FQDN names are in the same format"
...had me concerned.  You shouldn't have any problems getting this working.

If you're running server 2008, then Server Properties -> Forwarders is *not* the same thing - that will set global forwarders for all non-local domains.  Not what you want.  You need conditional forwarders.  

If you're running server 2003, then Server Properties -> Forwarders will get you there.

What version of Windows server?

Site 1, add a forwarder for camron2.local with IP
Site 2, configure the server firewall to allow DNS requests from

You should be able to ping by name.  If not, please do

nslookup dc2.camron2.local

from the console of dc1 and post the results here.
GD_GRAYAuthor Commented:
They (site 1 and 2) are 2003 r servers.

Default Server:  dc1.camron.local

> camron2
Server:  dc1.camron.local

*** dc1.camron.local can't find camron2: Non-existent domain
Invalid query. camron2 is the domain name, not a valid host name.

NSLOOKUP dc2.camron2.local

The FQDN of the site 2 DC.

Or am I missing something?
GD_GRAYAuthor Commented:
Sorry, my bad, you're right, but I got the same return with dc2. This time from the server...

C:\Documents and Settings\Administrator>nslookup dc2
Server:  localhost

*** localhost can't find dc2: Non-existent domain

C:\Documents and Settings\Administrator>
GD_GRAYAuthor Commented:
Well, it will see it if I use the full name... dc2.camron2.local
but not just dc2?
Okay - we're getting warmer...

dc2 without a FQDN will try to resolve to dc2.camron.local, which will (and should) fail.

Please try the FQDN.

NSLOOKUP dc2.camron2.local

If you've configured the conditional forwarder on DC1 for camron2.local to point to the IP of dc2.camron2.local as described previously, it should work.

If you want to be able to do host-only name resolution, there's more work to be done.

Let's validate that our setup is working before we get fancy, eh? ;-)
Sorry - looks like we cross-posted.

Looks like things are working as expected.  Repeat the config in reverse on DC2 (conditional for camron.local pointing to the IP of DC1; DC1 firewall configured to accept DNS queries from and you're all set.

As for host-only name resolution, there are a couple of things you need to do:
1. Ensure that there is no hostname duplication between the two sites.
2. Add camron2.local to the domain search list for DC1 and its DHCP clients.
3. Add camron.local to the domain search list for DC2 and its DHCP clients.

If you're really trying to get NetBIOS name resolution working across the VPN, that's another topic.
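The steps in this thread (a conditional forwarder on each DC for the other site's zone, a host-firewall exception for the other site's private subnet, an nslookup check, and optionally the suffix search list for host-only names) as one added PowerShell example. This is not code from the thread or from Microsoft's KB; it assumes a Windows Server with the DnsServer and NetSecurity modules (2012 or later), whereas the thread's servers are 2003, where the same configuration is done in the DNS console or with dnscmd. The subnets and IP addresses are placeholders, since the thread's own values are not on the page.

```powershell
# Added example, not from the original thread. Assumes Windows Server 2012+
# (DnsServer and NetSecurity modules). Run the DC1 section on dc1.camron.local
# and the DC2 section on dc2.camron2.local. All addresses are placeholders.

$site1Subnet = '10.1.0.0/24'   # placeholder: site 1 private subnet
$dc1Ip       = '10.1.0.10'     # placeholder: IP of dc1.camron.local
$site2Subnet = '10.2.0.0/24'   # placeholder: site 2 private subnet
$dc2Ip       = '10.2.0.10'     # placeholder: IP of dc2.camron2.local

# ---------- On DC1 (camron.local) ----------
# Conditional forwarder: only queries for camron2.local are sent to DC2.
# This is deliberately NOT Server Properties -> Forwarders, which would
# send every non-local query across the tunnel.
Add-DnsServerConditionalForwarderZone -Name 'camron2.local' -MasterServers $dc2Ip -PassThru

# Host firewall: accept DNS (UDP and TCP 53) only from the remote site's
# private subnet, rather than opening port 53 to any address.
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "DNS $proto from site 2 over VPN" `
        -Direction Inbound -Protocol $proto -LocalPort 53 `
        -RemoteAddress $site2Subnet -Action Allow
}

# ---------- On DC2 (camron2.local): the mirror image ----------
Add-DnsServerConditionalForwarderZone -Name 'camron.local' -MasterServers $dc1Ip -PassThru
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "DNS $proto from site 1 over VPN" `
        -Direction Inbound -Protocol $proto -LocalPort 53 `
        -RemoteAddress $site1Subnet -Action Allow
}

# ---------- Verify from DC1 ----------
# The FQDN is answered through the conditional forwarder.
Resolve-DnsName -Name 'dc2.camron2.local' -Type A

# The bare host name expands to dc2.camron.local and fails, as the thread
# explains; this is expected until the search list is extended.
Resolve-DnsName -Name 'dc2' -Type A -ErrorAction SilentlyContinue

# ---------- Optional: host-only resolution (steps 1-3 above) ----------
# Only after confirming no host name exists in both zones: append the other
# site's suffix so the client tries dc2.camron2.local after dc2.camron.local.
Set-DnsClientGlobalSetting -SuffixSearchList @('camron.local', 'camron2.local')
Resolve-DnsName -Name 'dc2' -Type A
```

The firewall rules are scoped to the remote private subnet on purpose: the thread's point is that the VPN tunnel bypasses the perimeter rules, so the host firewall on the DC is where the DNS exception belongs, and it should admit only the peer site rather than any source.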

GD_GRAYAuthor Commented:
Cool, it works from each location. What I need to do is set up a two-way trust for the domains; I have never done it before, but knew the DNS would have to work first. Do you know if, the way it's working now, I can set up the trust, or should I set up the domain search list as well?
What you've got now should be sufficient.  Refer back to the link originally posted by mkline71.


Glad I could help!
GD_GRAYAuthor Commented:
Thank you for the link, mkline71, and for all your help, netjgrnaut. I could not have done it without you!
Mike KlineCommented:
Nice work setting up the trust!!