This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site-to-site VPN - DNS request problem

Hello,

I have a UTM9 firewall and we have a site-to-site IPsec VPN connection set with a distant site.

In the site-to-site VPN -> IPsec -> remote gateways, all the networks & servers are set correctly including our distant DNS server (all servers here should be reachable through dev.example.com)
In the site-to-site VPN -> IPsec -> Connections, the connection is enabled and we have our SNAT address host set in local networks.

In Network protection -> NAT, we have a SNAT rule set so for anybody trying to access one of the networks set in the remote gateways of this IPsec tunnel, the source IP will be translated to the SNAT address host set in the IPsec -> connections.

What we want to achieve: instead of using IP to reach distant servers, we want everybody to be able to join the servers through the domain dev.example.com.

It works if we set a static host entry in Network definitions and add the domain in the DNS settings, we can access our server.
This would be good enough if we only had a few entries.
The problem is we have hundred of branches created (all pointing to the same server IP) so we can't add the hostnames manually each time (even more since those branches URL are generated with a random string).
Example. a.b.dev.example.com, b.c.dev.example.com, etc

We have a distant DNS server on the distant site that should be able to resolve the DNS requests for dev.example.com, the problem is it doesn't work.
We tried to set DNS -> request routing and set the distant DNS server, it doesn't work.
We tried to set the distant DNS server in DNS-> forwarders, it also doesn't work.

We don't have a DC/AD on our internal network, so we want to rely on the UTM to resolve those DNS requests over the site-to-site VPN (or to delegate the DNS requests on this site-to-site to the distant DNS server that is reachable through the VPN).

Is it possible?

Best,

Ely




This thread was automatically locked due to age.
Parents
  • Hello Ely,

    can you show us a screenshot how you setup DNS request routing? This works very well for us at several customer sites, so there must be a problem with your config.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Thank you so much for offering your help, Philipp!

    Here is a screenshot of the DNS request entry for this a.dev.example.com (changed for privacy reasons).
    The target server is set as an host with the IP address of the distant DNS server (which is reachable through the VPN)



    If we set a static entry, it works.





    Also, for your additional question: the SNAT address host we use in our SNAT rule is also in the allowed networks of DNS-> General


  • What happens, when you go to "Support/Tools/DNS Lookup" with DNS request rotuing in place AND using one of the hostnames at remote site?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • These screenshots are rather senseless.

    If you want, PM me with the "real screenshots".

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Thank you Philipp, I sent you a friend request!

    Best,

    Ely

Reply Children
No Data