Solved

DNS through VPN

Posted on 2014-10-03
Last Modified: 2014-10-26
I have a DMZ switch set up to host websites that can be accessed externally and that's all working fine except for when a user tries to access those sites while connected to VPN.
I'm not sure how to set up DNS (or if I can) to make this work properly.
When I ping the site I get the local IP back and not the external IP which is expected when connected to VPN. If I add the external IP and the URL to the host file then I can connect without issue but I'm hoping to avoid doing that for all users.
I would like to be able to connect to external and internal sites when connected to VPN.
Firewall is a Fortinet 200B and it's using split tunneling for traffic. Sites are hosted on a Windows 2008 R2 server.

Hopefully that makes sense, please let me know if you need more info.
Thanks!
Question by:Winsoup
12 Comments
 
LVL 8

Expert Comment

by:myramu
ID: 40359485
Hello,

You are allowed to define your own DNS servers on the SSL VPN settings page. Make sure that these DNS IP addresses are routed via the VPN tunnel. Your office DNS server should resolve internal and external domains.

If not, define primary server as internal DNS IP (Office IP) and Secondary as external IP (example 8.8.8.8).

Good Luck!
 
LVL 7

Expert Comment

by:Satyendra Sharma
ID: 40359489
Do you have a different DNS environment for the VPN solution, or do you use the same core DNS, and what is it (Windows, Infoblox or something else)?

Adding a host entry on the clients is another option to resolve your site to the external IP instead of the internal one; this will override the DNS query, but may not be the ideal solution.
 
LVL 3

Author Comment

by:Winsoup
ID: 40359508
I have the primary server defined as our office DNS right now and the secondary as 8.8.8.8 as you stated. The problem is that it doesn't use the external IP address, it uses the IP assigned in the DMZ environment, so 8.8.8.8 wouldn't be able to resolve that anyway. These internal IPs are completely separate from the rest of our LAN.
I thought maybe there was another rule or something I had to define in the firewall, but right now I'm allowing traffic from the VPN tunnel to the DMZ port on the firewall, so that should be fine. And I can connect if I use the IP, so I know it allows the traffic through, but it's not resolving the 172.16.x.x IP that I have assigned to it.

VPN users and internal office users use the same DNS environment which is Windows.
 
LVL 40

Expert Comment

by:footech
ID: 40359789
"I have the primary server defined as our office DNS right now and the secondary as 8.8.8.8 as you stated."
There is no point in having both internal DNS and external DNS assigned. Unless they both have the exact same records, it will just cause intermittent issues in trying to reach resources which have differing records. It's the same concept as never assigning your internal machines on a domain to use any DNS except those which have full knowledge of your AD.

Beyond hosts files, your only resolution here (in regards to name resolution) would be to have the VPN use DNS server(s) that have the records you want. Beyond DNS, if you just allowed the traffic from the VPN to the DMZ and had the necessary routing information on the clients, it would work (for example, having a static route where trying to access the DMZ IP subnet would use the VPN interface). However, I'm not sure how you would automate deploying the static route.
 
LVL 7

Expert Comment

by:Satyendra Sharma
ID: 40359808
Another option would be to give a different URL to the VPN users and resolve this new URL into your DMZ.
 
LVL 6

Expert Comment

by:Matt
ID: 40359830
Did you allow UDP traffic on port 53 from the VPN to your internal DNS? How do your internal clients resolve external addresses?
 
LVL 3

Author Comment

by:Winsoup
ID: 40359911
It doesn't have an issue resolving any other internal IP addresses, only the ones in the DMZ. So access to the DNS Servers for VPN is allowed already.
Internal clients resolve external IP addresses using forwarders to our ISP's DNS Servers.
 
LVL 6

Expert Comment

by:Matt
ID: 40361201
Do you have a separate DNS server for the DMZ to resolve hosts in the DMZ zone? How do your internal clients resolve hosts in the DMZ zone?
 
LVL 3

Author Comment

by:Winsoup
ID: 40363614
No I don't have a separate DNS server for the DMZ Zone.
Internal clients cannot resolve host names of DMZ servers, but they can resolve the website IPs because I have a reverse lookup zone created in the DNS server and a rule created in the firewall to allow HTTP access for internal clients.

The hostname I'm trying to resolve has a public IP address but when VPN is connected it tries to resolve the internal IP address instead of the public IP address. Is there a way to force it to the public IP so it gets the correct DNS server?
 
LVL 40

Expert Comment

by:footech
ID: 40364941
At one point you say that the name resolves to the internal IP, and then at another you say it doesn't. Which is it?

Pretty sure I've already stated this, but here it is.
If you want the name to be resolved to the public IP, you either have to:
1) use DNS servers that have that info, or
2) use HOSTS files

If the name resolves to the private IP (and will remain that way), then you have to ensure the correct routing info is in place on the client so that traffic destined for the DMZ range is routed over the VPN (since you're using split-tunnel), and also that it will be routed from the VPN server correctly. Some VPN servers allow you to define what networks are routed over the split-tunnel (I can't advise you on the Fortinet). You can see routing info on Windows with the route print command.
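As an added illustration of footech's routing point (this is not code from the thread), the Python below applies the longest-prefix match a Windows client uses to a constructed `route print` table and reports whether a name that resolved to the DMZ's private 172.16.x.x address would actually leave over the split-tunnel VPN adapter or fall through to the default route. The addresses, the 10.212.134.5 VPN adapter and the 172.16.0.0/16 DMZ range are assumptions.

```python
import ipaddress

# Constructed sample (not a real capture) of the IPv4 section of Windows
# `route print` on a split-tunnel VPN client. Assumed VPN adapter is
# 10.212.134.5; the office LAN 192.168.10.0/24 is pushed over the tunnel,
# but nothing sends the DMZ range 172.16.0.0/16 that way.
ROUTE_PRINT_SAMPLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
     10.212.134.0    255.255.255.0          On-link    10.212.134.5    281
     192.168.10.0    255.255.255.0     10.212.134.1    10.212.134.5     26
      192.168.1.0    255.255.255.0          On-link    192.168.1.50    281
===========================================================================
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from route print."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headers, separators, blank lines
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        except ValueError:
            continue
        routes.append((net, parts[2], parts[3], int(parts[4])))
    return routes

def egress_interface(routes, ip):
    """Longest-prefix match, lowest metric on ties (Windows' selection order)."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3]))[2]

def diagnose(route_text, resolved_ip, vpn_interface, dmz_net="172.16.0.0/16"):
    """'vpn' = leaves over the tunnel; 'direct' = public address sent straight
    out, which is fine; 'unreachable' = private DMZ address taking the default
    route, the failure described in the thread; 'none' = no matching route."""
    iface = egress_interface(parse_routes(route_text), resolved_ip)
    if iface is None:
        return "none"
    if iface == vpn_interface:
        return "vpn"
    in_dmz = ipaddress.ip_address(resolved_ip) in ipaddress.ip_network(dmz_net)
    return "unreachable" if in_dmz else "direct"
```

Appending a `172.16.0.0 255.255.0.0 10.212.134.1 10.212.134.5 26` line to the table (a static route over the VPN adapter) flips the DMZ verdict from `unreachable` to `vpn`, which is the client-side half of what footech describes; the firewall policy in the accepted solution is the other half.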
 
LVL 3

Accepted Solution

by: Winsoup (earned 0 total points)
ID: 40394802
There was another policy that needed to be created in the firewall to allow VPN users to access the DMZ.
Fortinet was able to help with this issue. This can be closed.
Thanks for the replies everyone.
 
LVL 3

Author Closing Comment

by:Winsoup
ID: 40404605
Fortinet Support provided the solution.