DNS over SSL VPN on a sonicwall NSA2600

I have tried contacting sonicwall support but they are useless so hopefully somebody here can give me a hand.

I have IPSEC VPN working fine, i also have SSL VPN set up.

IPSEC goes to an address of 192.168.20.2-192.168.20.100  with a default gateway of 192.168.20.1  It works great no problems with my DNS

my SSL VPN has IP addresses 192.168.22.100-192.168.22.200   i get an ip address and i can ping my DNS server, however i cant perform lookups.

I log on as the same user for both connections, both zones have full access to and from the zone my servers are in.

When i perform a DNS request on the SSL VPN i can see the packet being forwarded, however i dont get a reply.

I think it has something to do with SSL VPN not having a default gateway where where the IPSEC does, i may be completely off here but sonicwall has decided its not there problem despite us having a support contract. Hopefully somebody can point me in the right direction.
LVL 6
CaptainGibletsAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

carlmdCommented:
On the SSL VPN under Client Settings do you have an entry for DNS Server 1 and 2?
0
CaptainGibletsAuthor Commented:
Yep, and they show in the mobile connect app once connected. The requests send as I can see the packets leave my device and go to my DNS server, but they time out, this is why I thought it was something to do with a lack of default gateway.
0
carlmdCommented:
I am assuming you also have an entry for DNS Domain? If not, enter one.

Try enabling NetBIOS over SSLVPN and see if that makes any difference.
0
What were the top attacks of Q1 2018?

The Threat Lab team analyzes data from WatchGuard’s Firebox Feed, internal and partner threat intelligence, and a research honeynet, to provide insightful analysis about the top threats on the Internet. Check out our Q1 2018 report for smart, practical security advice today!

CaptainGibletsAuthor Commented:
Tried, makes no difference.

All my DNS servers are on subnet 30. I have enabled all traffic to and from 30 to 22.
0
carlmdCommented:
I suspect this has something to do with the way you have Tunnel All Mode set.

I suggest you go to SSLVPN -> Client Routes, and click HELP. Then read the section on Tunnel All mode.
0
CaptainGibletsAuthor Commented:
Tunnel all mode is enabled, the request is being sent to my DNS server, but I am not getting a reply.
0
carlmdCommented:
From the dns server, can you ping the ip address of the remote pc that is connected via the SSLVPN?
0
cef_soothsayerCommented:
Questions:

Can  you ping the DNS server across the VPN from your laptop?
Can  you ping tyour laptop across the VPN from he DNS server?
Does your Laptop DNS settings include the DNS server as the primary DNS provider?
Can you manually do an NSLOOKUP and select the server and properly resolve an internal and external name?

If you can ping the DNS server across the VPN from your laptop, and you can ping your laptop across the VPN from the DNS server, and your Laptop DNS settings include the DNS server as the primary DNS provider, then you have a firewall rule or NAT issue.


Check the FW rules LAN to VPN. are there ay rules that block DNS?
Check the FW rules VPN to LAN are there ay rules that block DNS?
Check the NAT rules.  Are tehre any rules that NAT the DNS ports to another destination or port?

Lastly, try backing up the sonicwall settings and upgrading the firmware.

Thanks.
0
CaptainGibletsAuthor Commented:
It turned out I had to list the domains I wanted to be able to query to a dns suffix list which is a bit weird as it was in tunnel all mode.... It just ignored all replies if you didn't add the suffix.

Added now and working.  Another reason not to buy a sonicwall again... 3rd time their support has told me it's my domains issue wasting a lot of my time.
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
cef_soothsayerCommented:
Ahhh.  Right.  I had assumed that the laptop was a member of the same domain as the DNS server.  Yes, unmatched DNS suffix issues would do that.

Thanks.
0
CaptainGibletsAuthor Commented:
It's a phone but any machine can query the dns server as long as it uses the fqdn and it can get a connection. Which the phone was so if I pinged server.domain.local but didn't put domain.local in the dns suffix list it would send the request to the dns server but ignore any reply.    If I Sid the same on a laptop that was not a member of the domain it would work fine
0
frankhelkCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: CaptainGiblets (https:#a40999744)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

frankhelk
Experts-Exchange Cleanup Volunteer
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.