Using Split Horizon DNS and VPN Issues
-
Long ago, hosting web and email out of your own office was common. But running your own DNS never was. DNS was always something you did externally. But even if you did run DNS internally, which was never considered even remotely a good practice, you would run it on BIND or something else that wasn't your AD. What you show to your internal users and what you show to the outside world are not related. You don't use your Windows AD infrastructure for this. That's for your users, not for the public.
-
We're missing each other here.
The problem I have is:
ServerA (not published to the internet) is on my local network. IP address 172.16.1.1
A domain joined laptop leaves the network and connects to a VPN connection at the office. The VPN gives the laptop an IP of 172.16.100.1, and DNS of ServerA
From the laptop you try to ping ServerA, the reply is the IP address for the wildcard setup on the CloudFlare hosted DNS for our domain.
From the Laptop, you try to ping ServerA.mydomain.com, the reply is the IP address for the wildcard setup on the CloudFlare hosted DNS for our domain.
The client never queried the DNS server on ServerA to get the internal IP.
-
@Dashrender said:
ServerA (not published to the internet) is on my local network. IP address 172.16.1.1
A domain joined laptop leaves the network and connects to a VPN connection at the office. The VPN gives the laptop an IP of 172.16.100.1, and DNS of ServerA
From the laptop you try to ping ServerA, the reply is the IP address for the wildcard setup on the CloudFlare hosted DNS for our domain.
From the Laptop, you try to ping ServerA.mydomain.com, the reply is the IP address for the wildcard setup on the CloudFlare hosted DNS for our domain.
The client never queried the DNS server on ServerA to get the internal IP.
This is a simple DNS issue. The laptop is not resolving to the right DNS server. Why would it hit CloudFlare once it is on the VPN? There is a basic configuration problem going on. If Server A is a DNS server and it set as the DNS server for the laptop when the VPN is on, then it should be handing out the correct IP address. That CloudFlare is getting contacted at all in this scenario means that the normal setup that makes this work has failed.
Split Horizon is not needed, just need DNS resolution to come from Server A and the response to be correct. I've done this a lot, this is a very standard setup.
-
Now I'm completely in the dark - what is split horizon?
And how do I solve the issue where the laptop is querying the wrong server?
-
@Dashrender said:
Now I'm completely in the dark - what is split horizon?
It's what you were making a thread about
-
@Dashrender said:
And how do I solve the issue where the laptop is querying the wrong server?
Diagnostics. Have to figure out where the queries are failing and why. What does nslookup tell us.
-
I guess I'm going to have to take a laptop home try it.
I don't use VPN personally, I use LMI for my remote access.
-
@Dashrender said:
I guess I'm going to have to take a laptop home try it.
Good place to start. Gotta determine what is happening first. See if nslookup is just failing, or if bad data is being returned, if the VPN is not setting DNS properly, etc.
-
What do you expect to happen? That DNS queries should all go to the DNS server provided by the VPN DHCP request?
-
@Dashrender said:
What do you expect to happen? That DNS queries should all go to the DNS server provided by the VPN DHCP request?
That's the hope if it is working correct. The VPN client should set the IP address of the workstation with a VPN address and make the primary DNS entry be one that looks through the VPN to the AD DC / DNS server with internal resolution. If not, why not? If so, what IP gets returned. The right one? Or if the wrong one, why?
