Using Split Horizon DNS and VPN Issues



  • FYI, we have a wildcard entry on our external DNS.

    So, for example, I am offsite, VPN'ed into my office (split tunnel VPN). I ping server.domain.com and more often than not I'll get the IP address of the wildcard, not the IP of my internal network via the VPN.

    Now before you tell me I have a mistake in my setup (which I very well may have), just tell me to start a new topic 🙂



  • New topic started, as requested.



  • So the base question is, what is the purpose of serving out different IP addresses to one group of people than you do to another? What is an example of something that you want the external people to see but not the internal people?



  • @scottalanmiller said:

    So the base question is, what is the purpose of serving out different IP addresses to one group of people than you do to another? What is an example of something that you want the external people to see but not the internal people?

    I'm probably reading too much into your question, but it makes me think you think it's OK to publish your AD DNS directly to the internet?

    Here's a situation. You have a locally hosted website. Internally it has one IP, externally it has a different one. DNS should tell us the correct IP based upon where I am.



  • Let's assume I have registered jokers.com to be used for my website and my email.

    I host my website and email locally.

    My AD domain is jokers.com, so I have local DNS for jokers.com.

    How do you suggest I set up DNS for internal and external access?



  • @Dashrender said:

    Here's a situation. You have a locally hosted website. Internally it has one IP, externally it has a different one. DNS should tell us the correct IP based upon where I am.

    Well...

    • I would never host a website from inside my own network.
    • Why would someone externally be getting the DNS entry for a website from INSIDE your network rather than from an enterprise DNS host elsewhere?


  • Ok, actually I'm not hosting my own website (that was merely an example, but I am hosting my own email... yeah yeah.. I know.. don't.. but I am).

    I never said someone externally was getting the DNS entry for a website from inside my network. I asked, how should that be done?



  • @Dashrender said:

    Let's assume I have registered jokers.com to be used for my website and my email.

    I host my website and email locally.

    My AD domain is jokers.com, so I have local DNS for jokers.com.

    How do you suggest I set up DNS for internal and external access?

    Same way as you would if you were hosting anywhere. I don't see any relevance to the fact that you are hosting internally. That seems like a red herring here unless I am missing some implied detail.

    You go to an enterprise (but free) DNS hoster like CloudFlare (lots of people use GoDaddy or whatever.) You put your DNS entries there like normal.

    Um... that's it. Just don't use your internal DNS for external users and the issue goes away.



  • Long ago, hosting web and email out of your own office was common. But running your own DNS never was. DNS was always something you did externally. But even if you did run DNS internally, which was never considered even remotely a good practice, you would run it on BIND or something else that wasn't your AD. What you show to your internal users and what you show to the outside world are not related. You don't use your Windows AD infrastructure for this. That's for your users, not for the public.



  • We're missing each other here.

    The problem I have is:

    ServerA (not published to the internet) is on my local network. IP address 172.16.1.1

    A domain joined laptop leaves the network and connects to a VPN connection at the office. The VPN gives the laptop an IP of 172.16.100.1, and DNS of ServerA

    From the laptop you try to ping ServerA, the reply is the IP address for the wildcard setup on the CloudFlare hosted DNS for our domain.

    From the Laptop, you try to ping ServerA.mydomain.com, the reply is the IP address for the wildcard setup on the CloudFlare hosted DNS for our domain.

    The client never queried the DNS server on ServerA to get the internal IP.



  • @Dashrender said:

    ServerA (not published to the internet) is on my local network. IP address 172.16.1.1

    A domain joined laptop leaves the network and connects to a VPN connection at the office. The VPN gives the laptop an IP of 172.16.100.1, and DNS of ServerA

    From the laptop you try to ping ServerA, the reply is the IP address for the wildcard setup on the CloudFlare hosted DNS for our domain.

    From the Laptop, you try to ping ServerA.mydomain.com, the reply is the IP address for the wildcard setup on the CloudFlare hosted DNS for our domain.

    The client never queried the DNS server on ServerA to get the internal IP.

    This is a simple DNS issue. The laptop is not resolving to the right DNS server. Why would it hit CloudFlare once it is on the VPN? There is a basic configuration problem going on. If Server A is a DNS server and it is set as the DNS server for the laptop when the VPN is on, then it should be handing out the correct IP address. That CloudFlare is getting contacted at all in this scenario means that the normal setup that makes this work has failed.

    Split Horizon is not needed; you just need DNS resolution to come from Server A and the response to be correct. I've done this a lot; this is a very standard setup.



  • Now I'm completely in the dark - what is split horizon?

    And how do I solve the issue where the laptop is querying the wrong server?



  • @Dashrender said:

    Now I'm completely in the dark - what is split horizon?

    It's what you were making a thread about 🙂



  • @Dashrender said:

    And how do I solve the issue where the laptop is querying the wrong server?

    Diagnostics. Have to figure out where the queries are failing and why. What does nslookup tell us?



  • I guess I'm going to have to take a laptop home and try it.

    I don't use VPN personally, I use LMI for my remote access.



  • @Dashrender said:

    I guess I'm going to have to take a laptop home and try it.

    Good place to start. Gotta determine what is happening first. See if nslookup is just failing, or if bad data is being returned, if the VPN is not setting DNS properly, etc.



  • What do you expect to happen? That DNS queries should all go to the DNS server provided by the VPN DHCP request?



  • @Dashrender said:

    What do you expect to happen? That DNS queries should all go to the DNS server provided by the VPN DHCP request?

    That's the hope if it is working correctly. The VPN client should set the IP address of the workstation with a VPN address and make the primary DNS entry be one that looks through the VPN to the AD DC / DNS server with internal resolution. If not, why not? If so, what IP gets returned? The right one? Or if the wrong one, why?
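
As an added diagnostic example (not code from the thread or from either poster), here is a small Python checker that parses nslookup output and classifies the lookup the way the last posts describe: did the VPN hand out ServerA as the resolver, and is the returned address an internal one or the public wildcard? ServerA's address 172.16.1.1 and the 172.16.0.0/16 office range are taken from the thread; the wildcard IP and the sample nslookup outputs are constructed placeholders.

```python
import ipaddress
import re

# Assumed from the thread: ServerA (172.16.1.1) is the AD DNS server the VPN should hand out and
# the office/VPN range is 172.16.0.0/16. The CloudFlare wildcard IP is a constructed placeholder.
VPN_DNS_SERVER = ipaddress.ip_address("172.16.1.1")
INTERNAL_NET = ipaddress.ip_network("172.16.0.0/16")
WILDCARD_IP = ipaddress.ip_address("203.0.113.10")  # constructed (TEST-NET-3)


def _extract_ip(line):
    """Return the IP on an nslookup 'Address:'/continuation line, or None if there is none."""
    token = re.sub(r"^\s*Address(?:es)?:\s*", "", line).strip().split("#")[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def parse_nslookup(output):
    """Return (resolver_ip, [answer_ips]) from Windows- or Linux-style nslookup text."""
    # nslookup prints the resolver it used ('Server:'/'Address:') first; every address after
    # the 'Name:' line belongs to the answer section, including indented continuation lines.
    resolver, answers, in_answer = None, [], False
    for line in output.splitlines():
        if line.startswith(("Server:", "Name:")):
            in_answer = line.startswith("Name:")
            continue
        ip = _extract_ip(line)
        if ip is not None and in_answer:
            answers.append(ip)
        elif ip is not None and resolver is None:
            resolver = ip
    return resolver, answers


def diagnose(output):
    """Classify the laptop's lookup the way the thread's diagnostic steps ask."""
    resolver, answers = parse_nslookup(output)
    if resolver is None or not answers:
        return "lookup-failed"      # nslookup produced nothing usable
    if resolver != VPN_DNS_SERVER:
        return "wrong-resolver"     # VPN did not make ServerA the resolver; query never used the tunnel
    if WILDCARD_IP in answers:
        return "wildcard-answer"    # ServerA itself returned the public wildcard address: bad data
    if all(a in INTERNAL_NET for a in answers):
        return "ok"                 # right resolver, internal address
    return "unexpected-answer"


# Constructed sample outputs (not real captures): the failing case from the thread and the good case.
BAD_CASE = ("Server:  home-router.lan\nAddress:  192.168.1.1\n\nNon-authoritative answer:\n"
            "Name:    servera.mydomain.com\nAddress:  203.0.113.10\n")
GOOD_CASE = ("Server:  servera.mydomain.com\nAddress:  172.16.1.1\n\n"
             "Name:    servera.mydomain.com\nAddress:  172.16.1.1\n")
```

Run it against the real nslookup output from the laptop while the VPN is up; a "wrong-resolver" result is the case the thread describes, where the VPN never made ServerA the laptop's DNS server.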

