Solved

Remote VPN DNS issue

Posted on 2013-11-03
15
Medium Priority
575 Views
Last Modified: 2013-11-10
Hello Experts,

I am trying to figure out a DNS issue.  

We have a main office and several small offices connect back to it via site-to-site VPNs.  DNS is handled by our SBS server in the main office, which is where all the other domain resources are.

Back at the SOHO,  the local router hands out the ip settings via DHCP.  The primary DNS is the one at the main office, then the local ISP DNS is secondary and tertiary, in case there's a problem with the VPN.

Well often, there is a "no host found" when trying to ping via hostname or fqdn, but via IP works fine.  ipconfig /all shows the office's DNS, so I cannot figure out where to go from there.

The issue is sporadic.  One user will have connectivity.  Others don't.  Then only one user won't be connected while 3-4 are... I don't get it.

Finally, these are SonicWall routers in the field connected to a Cisco ASA 5500 in the main office.

Any help would be appreciated.

Thank you very much for your time.
Question by:svillardi
15 Comments
 
LVL 12

Assisted Solution

by:Henk van Achterberg
Henk van Achterberg earned 1000 total points
ID: 39619889
When the primary DNS fails the client will use the secondary DNS. When the first DNS comes back online it will NOT preempt to the primary DNS!

So, either use a local DNS server or configure your router (only for advanced models) that the local zone can be found over the VPN and the rest of the DNS zones on the internet.

Or you should only use one DNS server, the one at the main site.
0
 

Author Comment

by:svillardi
ID: 39619898
REALLY!?  So a short outage will cause this?  Is this why sometimes a reboot works in fixing the issue?

I don't like only using one DNS server... kinda leaves them out to dry...  but I'm willing to try it for testing.

Do you have a suggestion for a SOHO router, maybe 10 users at MOST, to connect back to the office which could handle these types of issues?

Thanks!!
0
 
LVL 25

Expert Comment

by:Blue Street Tech
ID: 39620184
Hi svillardi,

Yes, a power anomaly could do this if network equipment or the server is not backed up by a UPS unit. If you are having many power outages or anomalies buy a UPS for the NCPI (Network-Critical Physical Infrastructure). The server should already have this as a best practice. So if each firewall has this, it will not occur in the future.

Also, what type of error message are the other users getting when they cannot connect?

Cheers!
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39620187
Palo Alto firewalls can do exactly what you want for example:

https://live.paloaltonetworks.com/docs/DOC-4633

Junos (Juniper SRX) can also perform this kind of DNS proxying.

http://www.juniper.net/techpubs/software/junos-es/junos-es90/junos-es-admin-guide/dns-proxy-with-split-dns.html#dns-proxy-split-dns-section

Cisco however does not do that great a job in its routers and firewalls with DNS proxy :(.
0
 

Author Comment

by:svillardi
ID: 39620419
So, a couple things:

The SOHOs do not have UPSes on them.  But power outages are rarely the problem.  What has happened in the past is that sometimes the  VPN would go down, usually because interesting traffic wasn't being generated  (weekends when no one was there).

So, is it best practice to provide only internal DNS servers to client devices?  If the VPN goes down, they can't get to the internet -- and I can't remotely then get to them... Not good.

How can I prove what DNS server is being used to resolve DNS queries?  I would hate to disable the secondary and tertiary DNS without that issue being solved.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39620738
I agree, it is a very common problem.  The remote users must use ONLY the SBS for DNS.  Using an ISP, even as an alternate, can result in slow logon and many name resolution issues.  Often the ISP responds faster than the remote site and thus hangs until a time out.  The only way to properly address dropped VPN connections is to add a local AD integrated DNS server.
0
 
LVL 25

Expert Comment

by:Blue Street Tech
ID: 39628902
Any update on this?
0
 

Author Comment

by:svillardi
ID: 39629178
No.  :-(

I posted the possible solutions to management, and they said they wanted a new router capable of doing the split DNS.  I don't know how to do that for starters, but I really can't leave them isolated if the VPN tunnel goes down.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39629199
Split DNS router?  You really need to add a basic Active Directory Integrated DNS server if it is a concern.  This can be a read only DNS server, and with PC hardware, but needs to be a Windows server O/S 2003 or newer.

I always ask why Internet is so important.  If company files and e-mail are on the remote server, other than facebook, what is so important on the Internet?  Most often the loss of connection is due to an ISP not the VPN, so you would lose Internet in any case.
0
 

Author Comment

by:svillardi
ID: 39629212
Yeah... well, we've had VPN issues.  I think it's solid now, but with the internet up, we can use a software VPN (Microsoft) to connect.  And, if they can't get to the internet, I can't fix their problem because I work remotely.  I can propose the local DNS server as well, but I'm not sure that extra expense will fly.

As usual, everyone wants their cake and eat it too....
0
 
LVL 25

Expert Comment

by:Blue Street Tech
ID: 39629247
So is there still an issue, or is there a solution here to assign points or do you want to just delete this question?
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 1000 total points
ID: 39629269
The problem is DNS in Windows does not work as one would expect.  Rather than using the primary DNS and when it fails moving to the secondary, a DNS lookup is sent to all DNS servers, the first one to respond is the one with which Windows will negotiate.  Of course most of the time the ISP's DNS will respond faster than the remote site's DNS server, and will not be able to do a DNS lookup for an internal DNS name, fail, and cause connection issues.

The only solution is a local DNS server which replicates with the remote site.

If in the event of a failure you are using a VPN client, you can still do so if you use the IP rather than a DNS name.  I would suggest resolving the VPN stability issues, or as mentioned, a local DNS server is the best solution.  Unfortunately up time is proportionate to costs.  

This is a common question and always with the same solution.
0
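A small diagnostic for the question raised earlier in the thread (how to prove which DNS server is answering) and for the race described in the accepted solution: it sends the same A query directly to each resolver a branch client holds and reports latency and response code, so a faster ISP resolver returning NXDOMAIN (rcode 3) for an internal name while the SBS returns an address (rcode 0) shows up plainly. This is an added example, not code from anyone in this thread; the host name, server addresses and resolver order are constructed placeholders.

```python
import socket, struct, time
# Constructed values (not from the thread): an internal name and a branch client's resolver list.
INTERNAL_NAME = "sbs.corp.example"
SERVERS = ["10.0.0.10", "8.8.8.8", "1.1.1.1"]   # assumed: office SBS first, then ISP/public

def build_query(name, txid=0x1234):
    """Build a minimal recursion-desired A query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def parse_response(data):
    """Return (txid, rcode, [A record IPs]); handles name compression pointers."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F                 # 0 = NOERROR, 3 = NXDOMAIN
    def skip_name(o):
        while True:
            n = data[o]
            if n == 0:
                return o + 1
            if n & 0xC0 == 0xC0:           # 2-byte pointer ends the name
                return o + 2
            o += n + 1
    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4           # skip QTYPE/QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return txid, rcode, ips

def probe(server, name, timeout=2.0):
    """Query one server directly; return (milliseconds, rcode, ips) or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.perf_counter()
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    _, rcode, ips = parse_response(data)
    return round((time.perf_counter() - t0) * 1000, 1), rcode, ips
if __name__ == "__main__":
    for srv in SERVERS: print(srv, probe(srv, INTERNAL_NAME))
```

Run it from a branch PC with the VPN up and again with it down; a server that answers fast with rcode 3 for the internal name is the one that wins the race the accepted solution describes.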
 

Author Comment

by:svillardi
ID: 39629272
I want to test the solution before I assign the points.  Is that OK?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39629279
Quite acceptable.
0
 

Author Closing Comment

by:svillardi
ID: 39637870
So far, so good.  The site I was working on was having spotty internet problems, so I hope all is well.  Thanks for the great ideas.  I was always taught that DNS goes to primary, then if not avail goes to secondary, etc... I learned something.
0
