Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
309
Views
0
Helpful
1
Replies

Weird DNS resolution issue across tunnel

jclark@hdh.org
Level 1
Level 1

‎10-26-2015 02:13 PM

Hello,

 

My issue is a little weird and vague so I will try to be as clear as possible. 

 

I have an ASA 5510 at my main site. 

I have an ASA 5505 at my remote site. 

 

I have a lan to lan tunnel configured that does work and does pass traffic. I can remote desktop, ping, dameware, et al. across the tunnel to and from the remote site. 

 

The issue is DNS resolution. If I reboot a PC at my remote site and let it boot and then login, I have no DNS resolution. I can NSLookup from the command line and that works. I can connecto via IP to everything. However, as soon as I [ ipconfig /flushdns ] fromt he command line of the remote computer all my DNS starts to resolve as expected. IP configuration at the remote site is handled by the 5505 and the primary DNS server for that DHCP configuration is one of my main DNS servers here at the local site. The secondary is an internet DNS server from the ISP. 

 

Can anyone help in determining why this is happening and how i can get DNS resolution to work immediately upon a remote computer booting and the tunnel being brought up?

 

**Updated** After further troubleshooting it appears the [ ipconfig /flushdns ] has nothing to do with it. I am back to thinking it takes a long time for the resolution to "kick in" which is a truly N00b idea... 

Labels:
0 Helpful
1 Reply 1

ArchiTech89
Level 1
Level 1

‎11-04-2015 11:25 AM

Can you post the running config of both? Could it be that the ACL for the tunnel on the remote site doesn't allow the subnet on which the DNS sits? You said you can ping from a PC at the remote site. Can you ping the DNS server specifically? Without further information, I'm wondering if your remote PC is only trying to resolve through the Internet DNS, not the internal zone.

Here's something to try, though. Open ASDM then go to Monitoring | Logging | View. . . (Set at Logging Level: at debugging first, though.)

While you've got that open, try to resolve something through DNS from the PC. If it's an ACL, you might see a deny. But you'll at least get a hint of what's happening. You also might see whether it's going out to the Internet DNS instead of the tunnel.

If it does look like it's going across the tunnel, open logging on the other side of the tunnel, using ASDM again, to see what it's doing when the DNS segments come across.

Finally, if it shows that the UDP 53 segments make it through the firewall and across the tunnel successfully, you can always use Wireshark (or similar) on the DNS server to see what's coming in and whether it's even replying.

ArchiTech89
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents