cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6887
Views
0
Helpful
7
Replies

Site-to-Site VPN DNS resolution problem

nick.sharpley
Level 1
Level 1

I'm trying to get my DNS working coirrectly across a site-to-site VPN connection.

My initial problem is I dont seem to cleanly have DNS queries for my VPN LAN go through the tunnel whilst all other queries are resolved out to the web.

I have an improvement on previous setup but still not ideal.

 

WIth the below config I need only specify the router itself via DHCP and all web DNS queries are resolved fine.

But for internal LAN resources I can only resolve names for those explicitly specified below using the ip host command.

I want all DNS queries for domain "suho.local" to go through the tunnel ... what am I missing?

 

ip dhcp pool test1
   network 10.2.200.0 255.255.255.0
   default-router 10.2.200.254
   dns-server 10.2.200.254

ip host files2.suho.local 192.168.10.101
ip host suho.local ns 192.168.10.101
ip host files2 192.168.10.101
ip host treehouse.suho.local 192.168.10.109
ip host treehouse 192.168.10.109
ip name-server 192.168.10.101

 

One puzzling issue is that I can ping these hosts from my Win 7 machine but if I try to ping them from the router I get an unreachable response. Those resources are available and working fine.

Some other relevant config ... I have "ip dns server", "ip domain lookup" ... 

 

Thanks

 

7 Replies 7

dasiimwe
Level 1
Level 1

Have you configured NAT?

Hey Daniel,

 

Yes, basic NAT.   Address translation overall is not a problem unless you're suggesting I need something specific for the VPN traffic.

I have a standard NAT rule plus the rule to protect the VPN traffic from NAT, as per the basic site-to-site VPN setup procedure.

From the config:

ip nat inside source route-map RMAP_1 interface FastEthernet0/1 overload

 

Then the route map:

access-list 100 remark NO NAT VPN TRAFFIC
access-list 100 deny   ip 10.2.200.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 10.2.200.0 0.0.0.255 any
route-map RMAP_1 permit 1
 match ip address 100

 

nick.sharpley
Level 1
Level 1

Anyone????

Hi Nick,

A few points.

I take it this is a remote site 

don't you have a main DNS server at the main site?

the ip name server command are you using the routers own address again for that?

don't you want to put the domain name in the Ip dhcp pool

ip dhcp pool test1
   network 10.2.200.0 255.255.255.0
   default-router 10.2.200.254
   dns-server 10.2.200.254
 domain-name suho.local
 
lastly when you ping from the router you need to use the correct source-interface.
 
HTH
Richard

Hey Richard,

Ok, good points ... Yes this is a remote site.

Yes there's a DNS server at the main site (three in fact) and sure, I can use those but I dont want DNS for basic web DNS queries to go through the tunnel (slower link) when they can go direct to the ISP DNS serves via the router.

 

Yes, ip name-server is set to the router IP address.

 

domain-name command for DHCP is a good point, I'll add that but surely that is not the resolution.  Or is it?  Does that link to the ip host suho.local ns 192.168.10.101 command so that all domain related DNS goes through the tunnel?

 

This one: "lastly when you ping from the router you need to use the correct source-interface." Can you give me a CL example?

Hi nick,

I have never found having the DNS server at the central site a problem as DNS traffic is not really that much across the vpn, and actual traffic to the internet goes out the local connection.

I think as far as the Domain name is concerned its for the client so that a client device is in that domain. so connecting to a local server they can just address the server name do not have to use the fully qualified address.

thinking about pinging from the router by default the router will use the interface that is closest to the destination. So depends on whether your VPN tunnels were up or not.

I would try a couple of things from the router, if not work go to next step

1) try ping the host name

2) try pinging the host IP address

3) try pinging Ip address with source inside Interface ( ping xx.xx.xx.xx source gi 0/0)

4)  try pinging Ip address with source inside Ip address (ping xx.xx.xx.xx source yy.yy.yy.yy)

regards

Richard.

Hi Richard,

The PING from the router worked with your suggestions, thanks.

I'm looking at setting up a local DC/DNS server ... that will resolve the issue.

Review Cisco Networking for a $25 gift card