  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 196

DNS through VPN

I have a DMZ switch set up to host websites that can be accessed externally and that's all working fine except for when a user tries to access those sites while connected to VPN.
I'm not sure how to set up DNS (or if I can) to make this work properly.
When I ping the site I get the local IP back and not the external IP, which is expected when connected to VPN. If I add the external IP and the URL to the hosts file then I can connect without issue, but I'm hoping to avoid doing that for all users.
I would like to be able to connect to external and internal sites when connected to VPN.
The firewall is a Fortinet 200B and it's using split tunneling for traffic. Sites are hosted on a Windows 2008 R2 server.

Hopefully that makes sense, please let me know if you need more info.
Thanks!
Asked by: Winsoup
1 Solution
myramu commented:
Hello,

You are allowed to define your own DNS servers on the SSL VPN settings page. Make sure that these DNS IP addresses are routed via the VPN tunnel. Your office DNS server should resolve internal and external domains.

If not, define the primary server as the internal DNS IP (office IP) and the secondary as an external IP (for example 8.8.8.8).

Good Luck!
Satyendra Sharma, Senior Consultant, commented:
Do you have a different DNS environment for the VPN solution, or do you use the same core DNS, and what is it (Windows, Infoblox or something else)?

Adding a hosts entry on the clients is another option to resolve your site to the external DNS IP instead of the internal one; this will override the DNS query, but may not be the ideal solution.

Winsoup (Author) commented:
I have the primary server defined as our office DNS right now and the secondary as 8.8.8.8 as you stated. The problem is that it doesn't use the external IP address, it uses the IP assigned in the DMZ environment, so 8.8.8.8 wouldn't be able to resolve that anyway. These internal IPs are completely separate from the rest of our LAN.
I thought maybe there was another rule or something I had to define in the firewall, but right now I'm allowing traffic from the VPN tunnel to the DMZ port on the firewall, so that should be fine. And I can connect if I use the IP, so I know it allows the traffic through, but it's not resolving the 172.16.x.x IP that I have assigned to it.

VPN users and internal office users use the same DNS environment which is Windows.

footech commented:
"I have the primary server defined as our office DNS right now and the secondary as 8.8.8.8 as you stated."
There is no point in having both internal DNS and external DNS assigned.  Unless they both have the exact same records, it will just cause intermittent issues in trying to reach resources which have differing records.  It's the same concept as never assigning your internal machines on a domain to use any DNS except those which have full knowledge of your AD.

Beyond hosts files, your only resolution here (with regard to name resolution) would be to have the VPN use DNS server(s) that have the records you want.  Beyond DNS, if you just allowed the traffic from the VPN to the DMZ and had the necessary routing information on the clients it would work (for example, having a static route where trying to access the DMZ IP subnet would use the VPN interface).  However, I'm not sure how you would automate deploying the static route.

Satyendra Sharma, Senior Consultant, commented:
Another option would be to give a different URL to the VPN users and resolve this new URL to your DMZ.

Matt commented:
Did you allow UDP traffic on port 53 from VPN to your internal DNS? How do your internal clients resolve external addresses?

Winsoup (Author) commented:
It doesn't have an issue resolving any other internal IP addresses, only the ones in the DMZ. So access to the DNS servers for VPN is already allowed.
Internal clients resolve external IP addresses using forwarders to our ISP's DNS Servers.

Matt commented:
Do you have a separate DNS server for the DMZ to resolve hosts in the DMZ zone? How do your internal clients resolve hosts in the DMZ zone?

Winsoup (Author) commented:
No, I don't have a separate DNS server for the DMZ zone.
Internal clients cannot resolve host names of DMZ servers, but they can resolve the website IPs because I have a reverse lookup zone created in the DNS server and a rule created in the firewall to allow HTTP access for internal clients.

The hostname I'm trying to resolve has a public IP address but when VPN is connected it tries to resolve the internal IP address instead of the public IP address. Is there a way to force it to the public IP so it gets the correct DNS server?

footech commented:
At one point you say that the name resolves to the internal IP, and then at another you say it doesn't.  Which is it?

Pretty sure I've already stated this, but here it is.
If you want the name to be resolved to the public IP, you either have to:
1) use DNS servers that have that info, or
2) use HOSTS files

If the name resolves to the private IP (and will remain that way), then you have to ensure the correct routing info is in place on the client so that traffic destined for the DMZ range is routed over the VPN (since you're using split-tunnel), and also that it will be routed from the VPN server correctly.  Some VPN servers allow you define what networks are routed over the split-tunnel (I can't advise you on the Fortinet).  You can see routing info on Windows with the route print command.

Winsoup (Author) commented:
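The checks footech lists (what the name resolves to, which interface the client would route that address over, and whether the firewall actually passes the traffic) can be run from the Windows VPN client in one pass. The script below is an added example for this thread, not code from the original post or from Fortinet; it assumes Windows 8.1 / Server 2012 R2 or later for Find-NetRoute and Test-NetConnection, and the site names, the DMZ range 172.16.10.0/24 and the VPN adapter alias "fortissl" are placeholders to replace with your own.

```powershell
# Added example, not from the original thread or from Fortinet.
# Run on a Windows VPN client (assumes Windows 8.1 / Server 2012 R2 or later for
# Find-NetRoute and Test-NetConnection). Hostnames, DMZ range and adapter alias are placeholders.
param(
    [string[]]$Sites    = @('www.example.com', 'portal.example.com'),  # placeholder site names
    [string]  $DmzCidr  = '172.16.10.0/24',                            # placeholder DMZ range
    [string]  $VpnAlias = 'fortissl',                                  # placeholder VPN adapter alias
    [int]     $Port     = 443
)

# Convert an IPv4 address to an unsigned 64-bit integer (plain arithmetic, no shift surprises).
function ConvertTo-UInt64Addr {
    param([System.Net.IPAddress]$Ip)
    $b = $Ip.GetAddressBytes()   # big-endian, as on the wire
    return ([uint64]$b[0] * 16777216) + ([uint64]$b[1] * 65536) + ([uint64]$b[2] * 256) + [uint64]$b[3]
}

# True when $Address falls inside the CIDR block $Cidr (e.g. '172.16.10.0/24').
function Test-InCidr {
    param([System.Net.IPAddress]$Address, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $hostBits = 32 - [int]$bits
    $mask = [uint64]4294967295 - ([uint64][math]::Pow(2, $hostBits) - 1)
    $ip   = ConvertTo-UInt64Addr -Ip $Address
    $base = ConvertTo-UInt64Addr -Ip ([System.Net.IPAddress]$net)
    return (($ip -band $mask) -eq ($base -band $mask))
}

foreach ($site in $Sites) {
    $r = [ordered]@{ Site = $site; Address = $null; InDmz = $null; Via = $null; TcpOk = $null; Diagnosis = '' }
    try {
        # 1) Name resolution, using whatever resolver order the client has right now
        #    (the DNS servers pushed by the VPN, or the local resolver if none were pushed).
        $addr = [System.Net.Dns]::GetHostAddresses($site) |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
        if (-not $addr) { throw 'no IPv4 record returned' }
        $r.Address = $addr.IPAddressToString
        $r.InDmz   = Test-InCidr -Address $addr -Cidr $DmzCidr

        # 2) Routing: which interface would carry traffic to that address?
        #    Find-NetRoute emits the chosen source address and the matching route; keep the route.
        $route = Find-NetRoute -RemoteIPAddress $r.Address -ErrorAction Stop |
                 Where-Object { $_.DestinationPrefix } | Select-Object -First 1
        $r.Via = $route.InterfaceAlias

        # 3) Reachability: does a TCP handshake to the web port complete?
        $r.TcpOk = (Test-NetConnection -ComputerName $r.Address -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded

        # Interpret the three results the way the thread lays them out.
        if ($r.InDmz -and $r.Via -ne $VpnAlias) {
            $r.Diagnosis = 'private DMZ address but not routed over the VPN: add the DMZ range to the split-tunnel routes, or resolve the name to the public IP (DNS or hosts file)'
        } elseif ($r.InDmz -and -not $r.TcpOk) {
            $r.Diagnosis = 'routed over the VPN but no answer: check the firewall policy from the VPN interface to the DMZ'
        } elseif ($r.TcpOk) {
            $r.Diagnosis = 'ok'
        } else {
            $r.Diagnosis = 'public address unreachable: check the local default route and the public-side policy'
        }
    } catch {
        $r.Diagnosis = "error: $($_.Exception.Message)"
    }
    [pscustomobject]$r
}
```

Run it once while connected to the VPN and once disconnected, and compare the Address and Via columns: a DMZ address that shows up with the physical adapter as Via is the split-tunnel routing gap footech describes, while a DMZ address routed over the VPN with TcpOk false points at the firewall policy, which is what the author eventually found was missing.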
There was another policy that needed to be created in the firewall to allow VPN users to access the DMZ.
Fortinet was able to help with this issue. This can be closed.
Thanks for the replies everyone.

Winsoup (Author) commented:
Fortinet Support provided the solution.