Solved

Remote VPN DNS issue

Posted on 2013-11-03
Last Modified: 2013-11-10
Hello Experts,

I am trying to figure out a DNS issue.  

We have a main office and several small offices connect back to it via site-to-site VPNs. DNS is handled by our SBS server in the main office, which is where all the other domain resources are.

Back at the SOHO, the local router hands out the IP settings via DHCP. The primary DNS is the one at the main office, then the local ISP DNS is secondary and tertiary, in case there's a problem with the VPN.

Well, often there is a "no host found" when trying to ping via hostname or FQDN, but via IP works fine. ipconfig /all shows the office's DNS, so I cannot figure out where to go from there.

The issue is sporadic.  One user will have connectivity.  Others don't.  Then only one user won't be connected while 3-4 are... I don't get it.

Finally, these are SonicWall routers in the field connected to a Cisco ASA 5500 in the main office.

Any help would be appreciated.

Thank you very much for your time.
Question by:svillardi
LVL 12

Assisted Solution

by:Henk van Achterberg
Henk van Achterberg earned 250 total points
ID: 39619889
When the primary DNS fails, the client will use the secondary DNS. When the first DNS comes back online, it will NOT preempt back to the primary DNS!

So, either use a local DNS server or configure your router (only for advanced models) that the local zone can be found over the VPN and the rest of the DNS zones on the internet.

Or you should only use one DNS server, the one at the main site.

Author Comment

by:svillardi
ID: 39619898
REALLY!?  So a short outage will cause this?  Is this why sometimes a reboot works in fixing the issue?

I don't like only using one DNS server... kinda leaves them out to dry...  but I'm willing to try it for testing.

Do you have a suggestion for a SOHO router, maybe 10 users at MOST, to connect back to the office which could handle these types of issues?

Thanks!!
LVL 24

Expert Comment

by:diverseit
ID: 39620184
Hi svillardi,

Yes, a power anomaly could do this if network equipment or the server is not backed up by a UPS unit. If you are having many power outages or anomalies, buy a UPS for the NCPI (Network-Critical Physical Infrastructure). The server should already have this as a best practice. So then, if each firewall has this, it will not occur in the future.

Also, what type of error message are the other users getting when they cannot connect?

Cheers!
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39620187
Palo Alto firewalls can do exactly what you want for example:

https://live.paloaltonetworks.com/docs/DOC-4633

Junos (Juniper SRX) can also perform this kind of DNS proxying.

http://www.juniper.net/techpubs/software/junos-es/junos-es90/junos-es-admin-guide/dns-proxy-with-split-dns.html#dns-proxy-split-dns-section

Cisco, however, does not do that great a job in its routers and firewalls with DNS proxy :(.

Author Comment

by:svillardi
ID: 39620419
So, a couple things:

The SOHOs do not have UPSes on them. But power outages are rarely the problem. What has happened in the past is that sometimes the VPN would go down, usually because interesting traffic wasn't being generated (weekends when no one was there).

So, is it best practice to provide only internal DNS servers to client devices? If the VPN goes down, they can't get to the internet -- and I can't remotely then get to them... Not good.

How can I prove what DNS server is being used to resolve DNS queries?  I would hate to disable the secondary and tertiary DNS without that issue being solved.
LVL 77

Expert Comment

by:Rob Williams
ID: 39620738
I agree, it is a very common problem.  The remote users must use ONLY the SBS for DNS.  Using an ISP, even as an alternate, can result in slow logon and many name resolution issues.  Often the ISP responds faster than the remote site and thus hangs until a time out.  The only way to properly address dropped VPN connections is to add a local AD integrated DNS server.
LVL 24

Expert Comment

by:diverseit
ID: 39628902
Any update on this?

Author Comment

by:svillardi
ID: 39629178
No.  :-(

I posted the possible solutions to management, and they said they wanted a new router capable of doing the split DNS.  I don't know how to do that for starters, but I really can't leave them isolated if the VPN tunnel goes down.
LVL 77

Expert Comment

by:Rob Williams
ID: 39629199
Split DNS router?  You really need to add a basic Active Directory Integrated DNS server if it is a concern.  This can be a read only DNS server, and with PC hardware, but needs to be a Windows server O/S 2003 or newer.

I always ask why Internet is so important. If company files and e-mail are on the remote server, other than Facebook, what is so important on the Internet? Most often the loss of connection is due to an ISP, not the VPN, so you would lose Internet in any case.

Author Comment

by:svillardi
ID: 39629212
Yeah... well, we've had VPN issues.  I think it's solid now, but with the internet up, we can use a software VPN (Microsoft) to connect.  And, if they can't get to the internet, I can't fix their problem because I work remotely.  I can propose the local DNS server as well, but I'm not sure that extra expense will fly.

As usual, everyone wants their cake and eat it too....
LVL 24

Expert Comment

by:diverseit
ID: 39629247
So is there still an issue, or is there a solution here to assign points or do you want to just delete this question?
LVL 77

Accepted Solution

by:Rob Williams
Rob Williams earned 250 total points
ID: 39629269
The problem is that DNS in Windows does not work as one would expect. Rather than using the primary DNS and, when it fails, moving to the secondary, a DNS lookup is sent to all DNS servers, and the first one to respond is the one with which Windows will negotiate. Of course, most of the time the ISP's DNS will respond faster than the remote site's DNS server, will not be able to do a DNS lookup for an internal DNS name, fail, and cause connection issues.

The only solution is a local DNS server which replicates with the remote site.

If in the event of a failure you are using a VPN client, you can still do so if you use the IP rather than a DNS name. I would suggest resolving the VPN stability issues, or, as mentioned, a local DNS server is the best solution. Unfortunately, uptime is proportionate to cost.

This is a common question and always with the same solution.
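One way to answer the author's earlier question about proving which server actually resolves a name, and to observe the race the accepted solution describes: this is an added example, not code from the thread, that sends the same A query to each configured resolver separately and reports each one's response code and latency. The server addresses and the internal hostname are placeholders.

```python
"""Probe each configured DNS server for one internal name and report who
answers, how fast, and with what rcode. Placeholder servers and names."""
import socket
import struct
import time

# Response codes from RFC 1035 section 4.1.1
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid):
    """Minimal A/IN query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_response(data, qid):
    """Return (rcode name, answer count), or None if this is not our reply."""
    if len(data) < 12:
        return None
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid or not flags & 0x8000:  # id must match and QR bit must be set
        return None
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode), ancount

def probe(servers, name, timeout=2.0):
    """Query every server on its own so the per-server outcome is visible.
    The fastest answer is the one a Windows client would act on; an ISP
    resolver typically returns NXDOMAIN for an internal zone."""
    results = {}
    for qid, server in enumerate(servers, start=0x1234):
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        started = time.monotonic()
        try:
            sock.sendto(build_query(name, qid), (server, 53))
            data, _ = sock.recvfrom(512)
            elapsed_ms = round((time.monotonic() - started) * 1000)
            results[server] = (parse_response(data, qid), elapsed_ms)
        except socket.timeout:
            results[server] = (None, None)  # e.g. VPN down, office DNS unreachable
        finally:
            sock.close()
    return results

if __name__ == "__main__":
    # Placeholders: main-office SBS first, then two ISP resolvers
    servers = ["192.0.2.10", "198.51.100.1", "198.51.100.2"]
    for srv, (answer, ms) in probe(servers, "fileserver.corp.example").items():
        print(srv, answer, ms)
```

A server that answers NXDOMAIN quickly while the office DNS answers NOERROR slowly is exactly the condition that breaks internal name resolution at the remote site.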

Author Comment

by:svillardi
ID: 39629272
I want to test the solution before I assign the points.  Is that OK?
LVL 77

Expert Comment

by:Rob Williams
ID: 39629279
Quite acceptable.

Author Closing Comment

by:svillardi
ID: 39637870
So far, so good. The site I was working on was having spotty internet problems, so I hope all is well. Thanks for the great ideas. I was always taught that DNS goes to primary, then if not avail goes to secondary, etc... I learned something.