Remote VPN DNS issue

Hello Experts,

I am trying to figure out a DNS issue.  

We have a main office and several small offices connect back to it via site-to-site VPNs.  DNS is handled by our SBS server in the main office, which is where all the other domain resources are.

Back at the SOHO,  the local router hands out the ip settings via DHCP.  The primary DNS is the one at the main office, then the local ISP DNS is secondary and tertiary, in case there's a problem with the VPN.

Well, often there is a "no host found" when trying to ping via hostname or FQDN, but via IP works fine.  ipconfig /all shows the office's DNS, so I cannot figure out where to go from there.

The issue is sporadic.  One user will have connectivity.  Others don't.  Then only one user won't be connected while 3-4 are... I don't get it.

Finally, these are SonicWall routers in the field connected to a Cisco ASA 5500 in the main office.

Any help would be appreciated.

Thank you very much for your time.
SOLUTION
Henk van Achterberg
svillardi (ASKER)
REALLY!?  So a short outage will cause this?  Is this why sometimes a reboot works in fixing the issue?

I don't like only using one DNS server... kinda leaves them out to dry...  but I'm willing to try it for testing.

Do you have a suggestion for a SOHO router, maybe 10 users at MOST, to connect back to the office which could handle these types of issues?

Thanks!!
Blue Street Tech
Hi svillardi,

Yes, a power anomaly could do this if network equipment or the server is not backed up by a UPS unit. If you are having many power outages or anomalies, buy a UPS for the NCPI (Network-Critical Physical Infrastructure). The server should already have this as a best practice. So then, if each firewall does, this will not occur in the future.

Also, what type of error message are the other users getting when they cannot connect?

Cheers!
Palo Alto firewalls can do exactly what you want, for example:

https://live.paloaltonetworks.com/docs/DOC-4633

Junos (Juniper SRX) can also perform this kind of DNS proxying.

http://www.juniper.net/techpubs/software/junos-es/junos-es90/junos-es-admin-guide/dns-proxy-with-split-dns.html#dns-proxy-split-dns-section

Cisco, however, does not do that great a job in its routers and firewalls with DNS proxy :(.
So, a couple things:

The SOHOs do not have UPSes on them.  But power outages are rarely the problem.  What has happened in the past is that sometimes the VPN would go down, usually because interesting traffic wasn't being generated (weekends when no one was there).

So, is it best practice to provide only internal DNS servers to client devices?  If the VPN goes down, they can't get to the internet -- and I can't remotely then get to them... Not good.

How can I prove what DNS server is being used to resolve DNS queries?  I would hate to disable the secondary and tertiary DNS without that issue being solved.
I agree, it is a very common problem.  The remote users must use ONLY the SBS for DNS.  Using an ISP, even as an alternate, can result in slow logon and many name resolution issues.  Often the ISP responds faster than the remote site and thus hangs until a timeout.  The only way to properly address dropped VPN connections is to add a local AD integrated DNS server.
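As an added illustration (not part of this thread or any poster's code) of why an ISP server listed as an alternate breaks internal names: the script below sends the same A query directly to each configured server and classifies what each one would hand back, so you can see the ISP resolver answering NXDOMAIN (a definitive "no such name" the client accepts) rather than failing over. The name sbs.corp.example, the address 10.0.0.5 and the two sample replies are constructed for offline checking.

```python
import socket
import struct
def build_query(name, txid=0x1234):
    # Recursive (RD=1) A query: header, labels as length+bytes, zero, QTYPE=1, QCLASS=IN.
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
def skip_name(data, off):
    # Step over a name; a 2-byte compression pointer (top two bits set) ends it.
    while data[off] and data[off] < 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] else 1)
def parse_response(data):
    # Return (txid, rcode name, list of A-record addresses from the answer section).
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off, addrs = 12, []
    for _ in range(qd):
        off = skip_name(data, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    names = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
    return txid, names.get(flags & 0xF, "RCODE%d" % (flags & 0xF)), addrs
def classify(data):
    # An ISP resolver's NXDOMAIN for an internal name is a definitive answer:
    # the client accepts it and does not go on to the next server in the list.
    _, rcode, addrs = parse_response(data)
    if addrs:
        return "resolved"
    return "definitive-negative" if rcode == "NXDOMAIN" else "failed"
def probe(server, name, timeout=2.0):
    # Ask one configured server directly over UDP/53; call once per server.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            return classify(s.recv(512))
        except socket.timeout:
            return "timeout"

# Constructed sample replies (not captured traffic) for offline checking.
SAMPLE_QUERY = build_query("sbs.corp.example")
SBS_REPLY = bytes.fromhex("1234 8180 0001 0001 0000 0000") + SAMPLE_QUERY[12:] \
    + bytes.fromhex("c00c 0001 0001 0000012c 0004") + socket.inet_aton("10.0.0.5")
ISP_REPLY = bytes.fromhex("1234 8183 0001 0000 0000 0000") + SAMPLE_QUERY[12:]
```

Run probe() against each server from ipconfig /all with an internal hostname: the SBS should come back "resolved" and the ISP servers "definitive-negative", which is the answer the client keeps whenever the ISP responds first.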
Any update on this?
No.  :-(

I posted the possible solutions to management, and they said they wanted a new router capable of doing the split DNS.  I don't know how to do that for starters, but I really can't leave them isolated if the VPN tunnel goes down.
Split DNS router?  You really need to add a basic Active Directory Integrated DNS server if it is a concern.  This can be a read only DNS server, and with PC hardware, but needs to be a Windows server O/S 2003 or newer.

I always ask why Internet is so important.  If company files and e-mail are on the remote server, other than Facebook, what is so important on the Internet?  Most often the loss of connection is due to an ISP, not the VPN, so you would lose Internet in any case.
Yeah... well, we've had VPN issues.  I think it's solid now, but with the internet up, we can use a software VPN (Microsoft) to connect.  And, if they can't get to the internet, I can't fix their problem because I work remotely.  I can propose the local DNS server as well, but I'm not sure that extra expense will fly.

As usual, everyone wants their cake and eat it too....
So is there still an issue, or is there a solution here to assign points or do you want to just delete this question?
ASKER CERTIFIED SOLUTION
I want to test the solution before I assign the points.  Is that OK?
Quite acceptable.
So far, so good.  The site I was working on was having spotty internet problems, so I hope all is well.  Thanks for the great ideas.  I was always taught that DNS goes to primary, then if not avail goes to secondary, etc... I learned something.