Solved

DNS through VPN

Posted on 2014-10-03
Last Modified: 2014-10-26
I have a DMZ switch set up to host websites that can be accessed externally and that's all working fine except for when a user tries to access those sites while connected to VPN.
I'm not sure how to set up DNS (or if I can) to make this work properly.
When I ping the site I get the local IP back and not the external IP which is expected when connected to VPN. If I add the external IP and the URL to the host file then I can connect without issue but I'm hoping to avoid doing that for all users.
I would like to be able to connect to external and internal sites when connected to VPN.
Firewall is a Fortinet 200B and it's using split tunneling for traffic. Sites are hosted on a windows 2008R2 server.

Hopefully that makes sense, please let me know if you need more info.
Thanks!
Question by: Winsoup

12 Comments
LVL 8 Expert Comment by: myramu (ID: 40359485)
Hello,

You are allowed to define your own DNS servers on the SSL VPN settings page. Make sure that these DNS IP addresses are routed via the VPN tunnel. Your office DNS server should resolve internal and external domains.

If not, define the primary server as the internal DNS IP (office IP) and the secondary as an external IP (for example 8.8.8.8).

Good Luck!

LVL 7 Expert Comment by: Satyendra Sharma (ID: 40359489)
Do you have a different DNS environment for the VPN solution, or do you use the same core DNS? And what is it (Windows, Infoblox or something else)?

Adding a hosts entry on the clients is another option to resolve your site to the external DNS IP instead of the internal one. This will override the DNS query, but may not be the ideal solution.

LVL 3 Author Comment by: Winsoup (ID: 40359508)
I have the primary server defined as our office DNS right now and the secondary as 8.8.8.8 as you stated. The problem is that it doesn't use the external IP address, it uses the IP assigned in the DMZ environment, so 8.8.8.8 wouldn't be able to resolve that anyway. These internal IPs are completely separate from the rest of our LAN.
I thought maybe there was another rule or something I had to define in the firewall but right now I'm allowing traffic from the VPN tunnel to the DMZ port on the firewall so that should be fine. And I can connect if I use the IP so I know it allows the traffic through but it's not resolving the 172.16.x.x IP that I have assigned to it.

VPN users and internal office users use the same DNS environment which is Windows.

LVL 39 Expert Comment by: footech (ID: 40359789)
"I have the primary server defined as our office DNS right now and the secondary as 8.8.8.8 as you stated."
There is no point in having both internal DNS and external DNS assigned.  Unless they both have the exact same records, it will just cause intermittent issues in trying to reach resources which have differing records.  It's the same concept as never assigning your internal machines on a domain to use any DNS except those which have full knowledge of your AD.

Beyond hosts files, your only resolution here (in regards to name resolution) would be to have the VPN use a DNS server(s) that has the records you want.  Beyond DNS, if you just allowed the traffic from the VPN to the DMZ and had the necessary routing information on the clients it would work (for example, having a static route where trying to access the DMZ IP subnet would use the VPN interface).  However, I'm not sure how you would automate deploying the static route.

LVL 7 Expert Comment by: Satyendra Sharma (ID: 40359808)
Another option would be to give a different url to the VPN users and resolve this new url into your DMZ.

LVL 6 Expert Comment by: Matt (ID: 40359830)
Did you allow UDP traffic on port 53 from the VPN to your internal DNS? How do your internal clients resolve external addresses?

LVL 3 Author Comment by: Winsoup (ID: 40359911)
It doesn't have an issue resolving any other internal IP addresses, only the ones in the DMZ. So access to the DNS Servers for VPN is allowed already.
Internal clients resolve external IP addresses using forwarders to our ISP's DNS Servers.

LVL 6 Expert Comment by: Matt (ID: 40361201)
Do you have for DMZ separated DNS server to resolve hosts in DMZ zone? How do your internal clients resolve hosts in DMZ zone?

LVL 3 Author Comment by: Winsoup (ID: 40363614)
No I don't have a separate DNS server for the DMZ Zone.
Internal clients cannot resolve host names of DMZ servers, but they can resolve the website IPs because I have a reverse lookup zone created in the DNS server and a rule created in the firewall to allow HTTP access for internal clients.

The hostname I'm trying to resolve has a public IP address but when VPN is connected it tries to resolve the internal IP address instead of the public IP address. Is there a way to force it to the public IP so it gets the correct DNS server?

LVL 39 Expert Comment by: footech (ID: 40364941)
At one point you say that the name resolves to the internal IP, and then at another you say it doesn't.  Which is it?

Pretty sure I've already stated this, but here it is.
If you want the name to be resolved to the public IP, you either have to :
1) use DNS servers that have that info, or
2) use HOSTS files

If the name resolves to the private IP (and will remain that way), then you have to ensure the correct routing info is in place on the client so that traffic destined for the DMZ range is routed over the VPN (since you're using split-tunnel), and also that it will be routed from the VPN server correctly.  Some VPN servers allow you define what networks are routed over the split-tunnel (I can't advise you on the Fortinet).  You can see routing info on Windows with the route print command.
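footech's two points above (first check what the name resolves to through the VPN-assigned DNS, then make sure the client routes the DMZ range over the split tunnel and that the traffic is actually let through) can be checked in one script on a Windows VPN client. The following PowerShell is an added example written for this page; it is not from the thread, from Fortinet or from Microsoft. The site name, the DMZ subnet (the thread only says 172.16.x.x), the adapter description pattern and the port are assumptions; adjust them to the environment. It uses the system resolver rather than a hand-picked DNS server, so it sees exactly what the VPN hands out, and it must be run from an elevated shell for the `route add` step.

```powershell
# Added example (not the thread's, Fortinet's or Microsoft's code).
# On a split-tunnel VPN client: (1) see which address the DMZ site name
# resolves to through the VPN-assigned DNS, (2) if it is the private DMZ
# address, add a route for the DMZ range over the VPN adapter, and
# (3) check that TCP to the host is reachable. All names, addresses and
# the adapter description pattern below are assumptions.
param(
    [string]$SiteName   = 'www.example.com',   # assumed DMZ-hosted site name
    [string]$DmzNetwork = '172.16.10.0',       # assumed DMZ range (page says 172.16.x.x)
    [string]$DmzMask    = '255.255.255.0',     # assumed DMZ mask
    [string]$VpnMatch   = '*Fortinet*',        # assumed VPN adapter description pattern
    [int]$Port          = 80
)

# True when $Address falls inside $Network/$Mask. Byte order is the same for all
# three values, so a bitwise compare works without converting to host order.
function Test-InSubnet {
    param([string]$Address, [string]$Network, [string]$Mask)
    $a = [BitConverter]::ToUInt32(([System.Net.IPAddress]$Address).GetAddressBytes(), 0)
    $n = [BitConverter]::ToUInt32(([System.Net.IPAddress]$Network).GetAddressBytes(), 0)
    $m = [BitConverter]::ToUInt32(([System.Net.IPAddress]$Mask).GetAddressBytes(), 0)
    return (($a -band $m) -eq ($n -band $m))
}

# TCP connect with a timeout; proves the firewall policy, not just name resolution.
function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Resolve with the system resolver, i.e. whatever DNS the VPN client pushed.
$ip = ([System.Net.Dns]::GetHostAddresses($SiteName) |
       Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
       Select-Object -First 1).IPAddressToString
Write-Host "$SiteName resolves to $ip"

if (-not (Test-InSubnet -Address $ip -Network $DmzNetwork -Mask $DmzMask)) {
    Write-Host "Public address returned; no VPN route needed, traffic leaves via the local gateway."
} else {
    # 2. Find the VPN adapter. Win32_NetworkAdapterConfiguration exposes
    #    InterfaceIndex on Vista and later, so this works on Windows 7 clients too.
    $vpn = Get-WmiObject Win32_NetworkAdapterConfiguration |
           Where-Object { $_.IPEnabled -and $_.Description -like $VpnMatch } |
           Select-Object -First 1
    if (-not $vpn) { throw "No IP-enabled adapter matching '$VpnMatch'; connect the VPN first." }
    $vpnIp = ($vpn.IPAddress | Where-Object { $_ -notmatch ':' })[0]

    # 3. Add the DMZ route over the VPN adapter unless the split-tunnel config already pushed one.
    $pattern = "^\s*$([regex]::Escape($DmzNetwork))\s+$([regex]::Escape($DmzMask))"
    $have = route print $DmzNetwork | Select-String -Pattern $pattern
    if ($have) {
        Write-Host "Route for $DmzNetwork/$DmzMask already present:`n$($have.Line)"
    } else {
        # Deliberately not persistent (-p): the adapter address changes per session.
        route add $DmzNetwork mask $DmzMask $vpnIp if $vpn.InterfaceIndex | Out-Null
        Write-Host "Added route $DmzNetwork/$DmzMask via $vpnIp (if $($vpn.InterfaceIndex))"
    }
}

# 4. Confirm the FortiGate policy actually lets VPN users reach the DMZ host.
if (Test-TcpPort -Address $ip -Port $Port) {
    Write-Host "TCP/$Port to $ip is reachable."
} else {
    Write-Host "TCP/$Port to $ip is blocked; check the VPN-to-DMZ policy on the firewall."
}
```

If step 1 already returns the public address, the route step is skipped and only the reachability test matters; if step 4 still fails after the route is in place, the problem is on the firewall side rather than on the client, which is where this thread ended up.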

LVL 3 Accepted Solution by: Winsoup (earned 0 total points, ID: 40394802)
There was another policy that needed to be created in the firewall to allow VPN users to access the DMZ.
Fortinet was able to help with this issue. This can be closed.
Thanks for the replies everyone.

LVL 3 Author Closing Comment by: Winsoup (ID: 40404605)
Fortinet Support provided the solution.