No announcement yet.

1841 Site-to-Site VPN DNS Issues

  • Filter
  • Time
  • Show
Clear All
new posts

  • 1841 Site-to-Site VPN DNS Issues

    I'm trying to get my DNS working correctly across a site-to-site VPN connection.
    My initial problem is I dont seem to cleanly have DNS queries for my VPN LAN go through the tunnel whilst all other queries are resolved out to the web.

    WIth the below config I need only specify the router itself via DHCP and all web DNS queries are resolved fine.
    But for internal LAN resources I can only resolve names for those explicitly specified below using the ip host command.

    Even if I specify ip name-server and point to the internal DNS servers I still cannot resolve the names.

    The only way I can resolve the names is if I specify the internal DNS server(s) in the DHCP lease. But then ALL DNS queries go through the tunnel and that cannot be the right way to do it.

    I want all DNS queries for domain "suho.local" to go through the tunnel ... what am I missing?

    ip dhcp pool test1

    ip host files2.suho.local
    ip host suho.local ns
    ip host files2
    ip host treehouse.suho.local
    ip host treehouse
    ip name-server

    One puzzling issue is that I can ping these hosts from my Win 7 machine but if I try to ping them from the router I get an unreachable response. Those resources are available and working fine.
    Some other relevant config ... I have "ip dns server", "ip domain lookup" ...


  • #2
    Set up Conditional Forwarders on the local DNS server that direct all DNS queries for the suho.local domain to the suho.local DNS servers.


    • #3
      Moderator is right on the money. You need to set up conditional forwarding in your case. I have the same setup with site-to-site vpn that I need to resolve host names on the other end of the tunnel.
      Here is your possible config:

      ip dns view suho.local_dns
      dns forwarder
      ip dns view default
      dns forwarder
      ip dns view-list conditional
      view suho.local_dns 11
      restrict name-group 2
      view default 99

      You will have to use FQDN of your hosts on the other side of the tunnel in order for resolution to work of course. Host names without domain prefix will not do it. Unless you enter them manually with ip host command, but that would nullify the whole conditional forwarding you are trying to achieve)
      Last edited by sash11; 11th November 2015, 14:37.