Solved

DNS through VPN

Posted on 2014-10-03
Last Modified: 2014-10-26
I have a DMZ switch set up to host websites that can be accessed externally and that's all working fine except for when a user tries to access those sites while connected to VPN.
I'm not sure how to set up DNS (or if I can) to make this work properly.
When I ping the site I get the local IP back and not the external IP which is expected when connected to VPN. If I add the external IP and the URL to the host file then I can connect without issue but I'm hoping to avoid doing that for all users.
I would like to be able to connect to external and internal sites when connected to VPN.
The firewall is a Fortinet 200B and it's using split tunneling for traffic. Sites are hosted on a Windows 2008 R2 server.

Hopefully that makes sense, please let me know if you need more info.
Thanks!
Question by:Winsoup
 
LVL 8

Expert Comment

by:myramu
ID: 40359485
Hello,

You are allowed to define your own DNS servers on the SSL VPN settings page. Make sure that these DNS IP addresses are routed via the VPN tunnel. Your office DNS server should resolve internal and external domains.

If not, define primary server as internal DNS IP (Office IP) and Secondary as external IP (example 8.8.8.8).

Good Luck!
0
 
LVL 7

Expert Comment

by:Satyendra Sharma
ID: 40359489
Do you have a different DNS environment for the VPN solution, or do you use the same core DNS, and what is it (Windows, Infoblox or something else)?

Adding a hosts entry on the clients is another option to resolve your site to the external DNS IP instead of the internal one; this will override the DNS query, but may not be the ideal solution.
0
 
LVL 3

Author Comment

by:Winsoup
ID: 40359508
I have the primary server defined as our office DNS right now and the secondary as 8.8.8.8 as you stated. The problem is that it doesn't use the external IP address, it uses the IP assigned in the DMZ environment, so 8.8.8.8 wouldn't be able to resolve that anyway. These internal IPs are completely separate from the rest of our LAN.
I thought maybe there was another rule or something I had to define in the firewall but right now I'm allowing traffic from the VPN tunnel to the DMZ port on the firewall so that should be fine. And I can connect if I use the IP so I know it allows the traffic through but it's not resolving the 172.16.x.x IP that I have assigned to it.

VPN users and internal office users use the same DNS environment which is Windows.
0
 
LVL 39

Expert Comment

by:footech
ID: 40359789
"I have the primary server defined as our office DNS right now and the secondary as 8.8.8.8 as you stated."
There is no point in having both internal DNS and external DNS assigned.  Unless they both have the exact same records, it will just cause intermittent issues in trying to reach resources which have differing records.  It's the same concept as never assigning your internal machines on a domain to use any DNS except those which have full knowledge of your AD.

Beyond hosts files, your only resolution here (in regards to name resolution) would be to have the VPN use a DNS server(s) that has the records you want.  Beyond DNS, if you just allowed the traffic from the VPN to the DMZ and had the necessary routing information on the clients it would work (for example, having a static route where trying to access the DMZ IP subnet would use the VPN interface).  However, I'm not sure how you would automate deploying the static route.
0
 
LVL 7

Expert Comment

by:Satyendra Sharma
ID: 40359808
Another option would be to give a different URL to the VPN users and resolve this new URL into your DMZ.
0
 
LVL 6

Expert Comment

by:Matt
ID: 40359830
Did you allow UDP traffic on port 53 from the VPN to your internal DNS? How do your internal clients resolve external addresses?
0
 
LVL 3

Author Comment

by:Winsoup
ID: 40359911
It doesn't have an issue resolving any other internal IP addresses, only the ones in the DMZ. So access to the DNS Servers for VPN is allowed already.
Internal clients resolve external IP addresses using forwarders to our ISP's DNS Servers.
0
 
LVL 6

Expert Comment

by:Matt
ID: 40361201
Do you have a separate DNS server for the DMZ to resolve hosts in the DMZ zone? How do your internal clients resolve hosts in the DMZ zone?
0
 
LVL 3

Author Comment

by:Winsoup
ID: 40363614
No, I don't have a separate DNS server for the DMZ zone.
Internal clients cannot resolve host names of DMZ servers, but they can resolve the website IPs because I have a reverse lookup zone created in the DNS server and a rule created in the firewall to allow HTTP access for internal clients.

The hostname I'm trying to resolve has a public IP address but when VPN is connected it tries to resolve the internal IP address instead of the public IP address. Is there a way to force it to the public IP so it gets the correct DNS server?
0
 
LVL 39

Expert Comment

by:footech
ID: 40364941
At one point you say that the name resolves to the internal IP, and then at another you say it doesn't.  Which is it?

Pretty sure I've already stated this, but here it is.
If you want the name to be resolved to the public IP, you either have to:
1) use DNS servers that have that info, or
2) use HOSTS files

If the name resolves to the private IP (and will remain that way), then you have to ensure the correct routing info is in place on the client so that traffic destined for the DMZ range is routed over the VPN (since you're using split-tunnel), and also that it will be routed from the VPN server correctly.  Some VPN servers allow you define what networks are routed over the split-tunnel (I can't advise you on the Fortinet).  You can see routing info on Windows with the route print command.
0
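As an added illustration of footech's routing point (not code from the thread or from Fortinet), the script below parses the IPv4 "Active Routes" table of a Windows `route print` listing and applies the same longest-prefix match the client stack does, so you can tell whether a DMZ address would leave through the VPN adapter or the local default gateway on a split-tunnel client. The adapter addresses, the 10.212.134.0/24 VPN pool and the 172.16.0.0/16 DMZ range are constructed assumptions.

```python
"""Which interface carries traffic to a DMZ address on a split-tunnel client?
Added example, not code from the thread: parses the IPv4 "Active Routes" table
of a Windows `route print` listing (constructed sample) and applies the
longest-prefix match the Windows stack uses to pick the outgoing interface."""
import ipaddress
import re
from typing import List, NamedTuple, Optional

class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int

# Constructed sample: LAN adapter 192.168.1.50, VPN adapter 10.212.134.200 (both
# assumed). No route covers the 172.16.0.0/16 DMZ, so it falls to the default.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
     10.212.134.0    255.255.255.0         On-link  10.212.134.200    281
      192.168.0.0      255.255.0.0     10.212.134.1  10.212.134.200    281
      192.168.1.0    255.255.255.0         On-link    192.168.1.50    281
"""
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_route_print(text: str) -> List[Route]:
    """Keep only data rows; header and separator lines do not match ROW."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m or not m.group(1)[0].isdigit():
            continue
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, gw, iface, int(metric)))
    return routes

def select_route(routes: List[Route], addr: str) -> Optional[Route]:
    """Longest prefix wins; equal prefixes are broken by the lowest metric."""
    ip = ipaddress.IPv4Address(addr)
    hits = [r for r in routes if ip in r.network]
    return max(hits, key=lambda r: (r.network.prefixlen, -r.metric), default=None)

def goes_via_vpn(routes: List[Route], addr: str, vpn_iface: str) -> bool:
    """True when the selected route exits through the VPN adapter address."""
    r = select_route(routes, addr)
    return r is not None and r.interface == vpn_iface
```

Paste the real `route print` output in place of the sample; if the DMZ address is not selected via the VPN adapter, the split-tunnel route list on the VPN side (or a static route on the client) is what needs the DMZ range added.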
 
LVL 3

Accepted Solution

by:Winsoup (earned 0 total points)
ID: 40394802
There was another policy that needed to be created in the firewall to allow VPN users to access the DMZ.
Fortinet was able to help with this issue. This can be closed.
Thanks for the replies everyone.
0
 
LVL 3

Author Closing Comment

by:Winsoup
ID: 40404605
Fortinet Support provided the solution.
0
