Split-DNS for Site-to-Site VPN

fieryhail
Level 1

I'm running into an issue with Unified Presence Server 7 and CUPC at a remote site.  The two sites are connected via PIX firewalls, one 515E (remote) and one 525 (main).  Both run PIXOS 8.0.4.  The S2S VPN is working great, except there is an issue with Unified Personal Communicator getting Presence from the CUPS server at the main site.  Normally, hosts at the remote site use a DNS server from their ISP and hosts files for destinations inside the main site.  The hosts file does not allow Presence, TFTP, etc. to function with the CUPC at the remote site.  By temporarily changing the DNS server to our DNS servers at the main site, CUPC works flawlessly; however, in that scenario, ALL DNS-related traffic will traverse the VPN, consuming way too much bandwidth.  I've configured Split-DNS on Remote Access configs before, and they work fine (including CUPC).  The only DNS traffic I want to traverse the VPN is DNS requests for hosts inside the protected networks (internal resources).  Any ideas on how to accomplish this?

Accepted Solutions

Jennifer Halim
Cisco Employee

Unfortunately, the same split DNS feature is not applicable to site-to-site VPN. With remote access VPN, the configuration is pushed from the server towards the client, hence the split DNS feature can be pushed to the client. In site-to-site VPN, by contrast, there is no configuration being pushed from one side to the other.

My recommendation would be to install and configure a DNS server locally by replicating the DNS server from your main site, so DNS requests are not sent through the VPN tunnel but are resolved locally. However, that requires additional management for the local DNS server, and replicating the DNS from the main site.

Hope that helps.


m.kafka
Level 4

Hi fieryhail,

Is there any server functionality at the remote site that could accommodate a DNS server? If so, use local DNS instead of the ISP and configure a delegation (I think it's called so; correct me if I'm wrong). If the DNS traffic is really that high, it must be quite a big remote site, with a good chance of some local servers.

That would also give you a chance to get rid of the host files, which are difficult to maintain and manage.

That's the only solution I can think of for a PIX/ASA site-to-site VPN.

Rgds, MiKa

Edit: sorry for the duplicate solution... it's been in the post before.

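What both accepted answers describe, as an added example that is not from the original thread: a caching resolver at the remote site that forwards only the main site's zones across the tunnel and sends everything else to the ISP. BIND 9 calls this a forward zone; Windows DNS calls the same thing a conditional forwarder. The named.conf fragment below is illustrative and assumes a remote LAN of 192.168.50.0/24, main-site DNS servers at 10.1.0.10 and 10.1.0.11 reachable through the S2S tunnel, an internal zone called example.internal, and ISP resolvers at 203.0.113.53 and 203.0.113.54; all of these names and addresses are placeholders (RFC 1918 and RFC 5737 ranges), not values taken from the thread.

```conf
// named.conf on the remote-site resolver (assumed addresses, see lead-in)

options {
    directory "/var/named";
    recursion yes;

    // Only the remote LAN and localhost may query or recurse through this
    // server, so it cannot be abused as an open resolver from the internet.
    allow-query     { 127.0.0.1; 192.168.50.0/24; };
    allow-recursion { 127.0.0.1; 192.168.50.0/24; };

    // Default path: any name not matched by a forward zone below goes to the
    // ISP resolvers over the plain internet link, never across the VPN.
    forwarders { 203.0.113.53; 203.0.113.54; };
    forward only;
};

// Internal forward zone: queries for the main site's namespace are the only
// ones sent to the main-site DNS servers, i.e. the only DNS traffic that
// enters the tunnel. Answers are cached locally for their TTL.
zone "example.internal" {
    type forward;
    forward only;
    forwarders { 10.1.0.10; 10.1.0.11; };
};

// Reverse zone for the main-site address space (10.1.0.0/24 assumed), so PTR
// lookups for internal hosts are answered by the main site rather than by the
// ISP, which has no data for RFC 1918 space.
zone "0.1.10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.1.0.10; 10.1.0.11; };
};
```

Point the remote-site hosts (via DHCP or statically) at this resolver instead of the ISP's. Two things to check once it is in place. First, the crypto ACL (the interesting-traffic ACL) on both PIXes must already match traffic between the resolver and the main-site DNS servers on UDP and TCP port 53; if it does not, the forwarded queries never enter the tunnel and, being addressed to RFC 1918 space, simply fail. Second, `forward only` means the local server never attempts its own recursion, so if the main-site servers are unreachable, lookups for internal names fail rather than leaking to the ISP; if you would rather they fall back to normal recursion, use `forward first` in the options block, but keep `forward only` in the internal zones. A forwarding resolver also answers every record type, including SRV and PTR, which a hosts file cannot serve at all, so the hosts-file entries can be retired once this is running.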
