DNS over site to site vpn
Posted by DRZookX2000@reddit | sysadmin | 31 comments
I need a sanity check here...
I have a local site with AD integrated DNS - Everything works.
I have a remote site that needs to use the local DNS servers. VPN works, remote DHCP is setting the DNS on the clients as the local servers. Clients in the remote site can ping the local DNS servers. When I do an nslookup, the "server" is unknown but the IP address is correct. I can resolve google.com or any other external addresses, however I can't resolve anything in my zones. I have tried "host" and "host.domain.com" but both fail with "non-existent domain". What am I missing here?
Thanks in advance
Fickle_Net_9291@reddit
Looks like a subnet or zone overlap issue, DNS probably treated that range as external for some reason
Gumbyohson@reddit
You should look into Get-DnsClientNrptPolicy
DarkAlman@reddit
Usually when I see issues like this, the problem is the DNS Suffix isn't set on the VPN. So when a machine looks up a NETBIOS name like DC01 it doesn't automatically append the domain to make it DC01.domain.local like it should.
Is that subnet already in use somewhere else on the network?
DRZookX2000@reddit (OP)
Suffix is set fine and gets appended.
The subnet is not used, but used to be about 6 years ago. Long gone and nothing was left besides the subnet in AD
DarkAlman@reddit
There might be something else buried in the network somewhere.
But if it's working on a different subnet, just leave it.
DRZookX2000@reddit (OP)
UPDATE: I did a pcap on a client in the remote network. It looks like the local DNS servers are treating this as an external lookup and forwarding it to Cloudflare (as expected for an external lookup).
The destination server is correct on the query (local address), the query is correctly appending the domain name but the SOA is coming back from cloudflare.
Why is the local DNS forwarding this request?
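The pcap observation above (query goes to the local DNS server, the SOA in the reply comes from Cloudflare) can be checked without a packet capture: a server answering from its own zone sets the AA (authoritative answer) flag, while a reply it forwarded upstream is non-authoritative and carries the upstream zone's SOA in the authority section. The script below is an added example, not code from the thread; it builds a raw DNS query, parses the reply header and authority section, and classifies the result. The zone name corp.example, the SOA MNAME ns.upstream-resolver.invalid and the two embedded sample replies (SYMPTOM and HEALTHY) are constructed for illustration; query_server is the part you would point at the real server IP.

```python
"""Classify a DNS reply as 'answered from own zone' vs 'forwarded upstream'.
Added example for the thread; zone and sample packets are constructed."""
import socket
import struct

A, SOA = 1, 6  # RR types used here


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = A, txid: int = 0x1234) -> bytes:
    # RD=1: ask the server to recurse/forward if it is not authoritative
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 4.1.4
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_rr(msg: bytes, off: int):
    name, off = read_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    rec = {"name": name, "type": rtype, "ttl": ttl}
    if rtype == SOA:
        rec["mname"], _ = read_name(msg, off)  # primary server of that zone
    elif rtype == A and rdlen == 4:
        rec["address"] = ".".join(str(b) for b in msg[off:off + 4])
    return rec, off + rdlen


def parse_response(msg: bytes) -> dict:
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        recs = []
        for _ in range(count):
            rec, off = parse_rr(msg, off)
            recs.append(rec)
        sections[key] = recs
    return {"aa": bool(flags & 0x0400), "rcode": flags & 0x000F, **sections}


def classify(resp: dict, zone: str) -> str:
    zone = zone.rstrip(".").lower() + "."
    soa = [r for r in resp["authority"] if r["type"] == SOA]
    if resp["aa"] and resp["rcode"] == 0:
        return "authoritative answer: the server answered from its own zone"
    if resp["aa"] and soa and soa[0]["name"].lower() == zone:
        return "authoritative NXDOMAIN: zone is served here, the record itself is missing"
    if not resp["aa"] and soa:
        return f"non-authoritative, SOA from {soa[0]['mname']}: the server forwarded the query upstream"
    return "inconclusive"


def query_server(server_ip: str, name: str, zone: str, timeout: float = 3.0) -> str:
    """Send one A query straight to server_ip (like 'server x' in nslookup)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        data, _ = s.recvfrom(4096)
    return classify(parse_response(data), zone)


# --- constructed sample replies (not real captures) -------------------------
def _rr(name, rtype, rdata, ttl=300):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def _response(flags, qname, answer=b"", authority=b""):
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, int(bool(answer)), int(bool(authority)), 0)
    return hdr + encode_name(qname) + struct.pack("!HH", A, 1) + answer + authority


SOA_RDATA = (encode_name("ns.upstream-resolver.invalid")
             + encode_name("hostmaster.upstream-resolver.invalid")
             + struct.pack("!IIIII", 1, 3600, 600, 86400, 300))
# 0x8183: QR=1, AA=0, RD=1, RA=1, RCODE=3 -> what the pcap in the thread showed
SYMPTOM = _response(0x8183, "host.corp.example", authority=_rr("example", SOA, SOA_RDATA))
# 0x8580: QR=1, AA=1, RD=1, RA=1, RCODE=0 -> answered from the local zone
HEALTHY = _response(0x8580, "host.corp.example", answer=_rr("host.corp.example", A, bytes([10, 10, 0, 5])))

if __name__ == "__main__":
    print(classify(parse_response(SYMPTOM), "corp.example"))
    print(classify(parse_response(HEALTHY), "corp.example"))
```

Run it against the real server with `query_server("10.x.x.x", "host.corp.example", "corp.example")` from a remote-site client and from a local-site client; if the remote client gets the non-authoritative result while the local one gets the authoritative one for the same server IP, the reply is not coming from the zone, so the next place to look is what is between the client and the server (NAT, a DNS proxy on the firewall, or a different responder), not the zone data itself.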
alphaxion@reddit
You'd need to check the settings on your AD DNS server.
Out-there question: is there a typo in your search domain setting on your DHCP server, or when you're manually typing the FQDN when doing an nslookup, causing it to not match the zone on the AD DNS server?
DRZookX2000@reddit (OP)
Checked for typos a few times now, both the host and domain part are good.
What settings on the dns server could I check? The zone is there, it is working fine for the local subnet and I have in-addr zones for it.
alphaxion@reddit
Right click the server and check its settings. Right click the zone and check those for anything that looks like it might be a problem.
Something you could do is create another root zone in there for testing purposes and create a dummy A record to see if that resolves correctly. If it does, then there's something off with your original root zone and you'd need to go over every setting to see how it differs.
DRZookX2000@reddit (OP)
I have other zones that are not part of my domain hosted on the dns server too. They also fail in the same way.
alphaxion@reddit
Might be worth turning on DNS event logging to see what your server is doing
https://learn.microsoft.com/en-us/windows-server/networking/dns/dns-logging-and-diagnostics?tabs=desktop-experience
along with looking at your firewall logs on both ends of the tunnel to make sure you can see the traffic and that it's using interfaces you are expecting them to.
You need to get some diagnostic info going to pin this down.
It feels like there's maybe some sort of rule in place on the AD DNS server to only serve requests from specific clients (be it authed or only from a source subnet) somehow or there's something like a DNS Proxy intercepting requests as you're traversing firewalls.
Sroni4967@reddit
split brain dns gets messy fast with site to site
DRZookX2000@reddit (OP)
But why would it care? I have multiple subnets on the local side and DNS still works fine. Why does it just care about this one subnet? The DNS server can't tell it is on the other side of a VPN, can it?
NetworkCanuck@reddit
Sites and Services?
DRZookX2000@reddit (OP)
I have a site and subnet setup. Anyway I can check if this is working?
Vicus_92@reddit
On a workstation, run:
nltest.exe /DSGETSITE
That will report which AD site the device thinks it's in.
DRZookX2000@reddit (OP)
On a domain joined laptop I am getting the correct site.
alphaxion@reddit
Isn't Sites and Services more for deciding which AD server you would auth against when you have multiple AD DCs in different subnets?
Vicus_92@reddit
With DHCP on the remote site, check it's deploying your domain's FQDN as a DNS suffix.
alphaxion@reddit
Have you taken a look at the firewall logs on both sides to see what is happening across the tunnel? i.e. can you see the traffic actually traversing the tunnel?
It does sound like you're not querying your AD DNS servers, is DHCP handing out a secondary that isn't your AD DNS?
What happens if you just type nslookup to go into the app, type in server ip.address.of.AD.DNS and then query your FQDN as well as google.com?
DRZookX2000@reddit (OP)
Already tried to force the server on nslookup, fails the same way. No restrictions on who can query the zones.
man__i__love__frogs@reddit
Are the devices in remote site in the same AD, do they have DNS search suffix in their dhcp options or windows config?
DRZookX2000@reddit (OP)
The clients are not on the domain but do have the suffix set.
Zealousideal_Fly8402@reddit
Couple of things, probably. Missing Reverse DNS zone for your remote subnet, and probably a conditional forwarder for your Active Directory domain for the remote-site local DNS server.
DRZookX2000@reddit (OP)
The remote site does not have a DNS server, it needs to use the local sides.
Zealousideal_Fly8402@reddit
Then you're missing the reverse DNS entry for the remote site subnet in your main-site domain controllers.
It's not really the most ideal configuration for productivity; if the remote site firewall supports it, you should use it to resolve internet addresses, and configure a conditional forwarder to handle name resolution for your AD resources across the VPN. That also reduces the number of queries back and forth over the VPN.
That way, if the VPN goes down at least they still have internet access.
DRZookX2000@reddit (OP)
I have a 10.in-addr.arpa that covers the remote subnet of 10.30.0.0
The remote firewall does not support dns forwarders, but even if it did it would not matter as without the vpn the site is down. They don't have access to the internet on this network.
Lilrags16@reddit
Do you see the same results on that end if you are using 'nslookup google.com'? Almost sounds like you are querying a different DNS server. Any firewall rules that may be causing a headache?
DRZookX2000@reddit (OP)
I thought this too, but forcing the server as above works fine.
hankhalfhead@reddit
Does your local dns server have a reverse dns record? If you ping -a it, does it resolve?
DRZookX2000@reddit (OP)
It does have a reverse but -a fails.