Routing Site-to-Site VPN Traffic on same Domain Computers

Question

Currently, I have a Site-to-Site VPN, with split tunnels to specific IP's and networks, setup on both Sophos firewalls and they are working fine. BIGGEST THING TO REMEMBER , the branch office needs to have their computers on our internal Domain. 
 
 The branch office needs to see the DNS server, which it does, but cannot translate names of devices within the VPN without giving the Firewall the DNS server as its primary DNS provider. 
 The problem with the DNS server being the primary provider, is that the internet traffic will be routed through the VPN. 
 
 I need the Internet traffic to be separate from the VPN traffic and still allow for VPN traffic to have DNS resolution. I feel this may be a NAT issue, or possibly a rule/policy problem. I can't seem to get a straight answer anywhere. 
 Any ideas?

AADD · Accepted Answer

Based on your description, your internet traffic is not being routed via the VPN that has the DNS server on it, just the DNS queries. 
 
 Here is how to deal with this issue. Configure your DNS as you normally would using ISP, public, or whatever DNS server you want to use for your Internet DNS queries. Then configure a "DNS request route" with the domain name you need the remote office to query. The target is the DNS server you want for the internal DNS queries. 
 Configuring this will use your standard DNS configuration for all DNS queries, except for the domain you configured the DNS request route.

This is located at Network > DNS then at the bottom of the menu is DNS host entry. 
 The one issue I have found out about this I am uncertain how or why the Sophos uses a particular interface to make the requests to the DNS request route. It seems to choose one randomly, so you may have to do some log or packet captures to determine what interface is making the requests of your DNS server via the VPN. 
 
 Resulting DNS request map.

AADD · Answer

Your first picture with the ping, looks like it's pinging correctly to the host name. 
 Thanks for mentioning the DHCP setting, Uncheck "Use devices DNS settings" and enter your XG's IP address in primary DNS. 
 Refresh your DHCP on the workstation to ensure the DNS is using the XG, not Comcast. 
 
 When packet capturing on the remote XG and only specify your internal DNS IP and port 53. 
 Then ping from workstation to the domain, no host.

Kyle Hesser · Answer

Changing the primary DNS on DHCP to the XG's IP fixed the issue. I can ping hostnames through the VPN. Thank you so much.

AADD · Answer

You are misguided by what DNS does. The traffic does not flow through the DNS server, it just resolves names to IP addresses, and other things. Your still connected to the internet with the VPN down, you just cannot reach your DNS server to resolve names to IP addresses. If you try to connect to a service via IP, it will still work. 
 
 But that isn't really your issue. 
 
 The DNS request route is specific to a domain. It tells the XG to request name resolution for the specified domain from the specified IP address.

Because you mentioned a split DNS scenario for your public domain you may also need to add an additional DNS request route for the public domain or just DNS host entries for specific hosts. 
 
 This is the answer to your question, I use this method at all my locations. 
 Side Note: Your traffic is dictated by your firewall rules, static route and SD-WAN policy routing rules, which doesn't sound like the issue in your description of the issue, as your only changing the DNS setting.

AADD · Answer

The picture I drew for you shows the XG at the remote site with the DNS Request route. DNS request route Domain = internaldomain.local Target = 192.168.1.2 (this is your DNS server for your internaldomain.local domain) 
 
 You don't need to set one up at the main site, if you are happy with your current DNS configuration there. But if you want folks to be able to surf while your DNS server may be down, then you can add the very same DNS request route to the main site as well. 
 
 Please keep in mind that you may have to troubleshoot what XG interface is making the DNS requests to the Internal DNS server and make adjustments to firewall rules and or vpn configurations.

Routing Site-to-Site VPN Traffic on same Domain Computers

Top Replies