
vpn dns not working

I have created an L2TP connection.

The connection is being made and the user is authenticating.

After connecting, I can ping internal and internet resources by address. I can ping internet resources by name, but not internal.

I have added the internal DNS settings on the System > VPN > L2TP page on the appliance.

I would venture to guess the firewall policy is correct because I can ping internal items by address.

Any advice on what else to check would be greatly appreciated.

  • Were you able to resolve this? I am having the same issue.

    DNS servers are assigned to the client but I can't resolve hostnames even when using nslookup and the FQDN.

    DNS device access is enabled, even though I'm not using the XG for DNS anyway, and I have a policy to allow full access from the VPN Zone and L2TP IP range.

    I can ping the DNS servers and access http and file servers across the VPN no problem so I know the connection and policy is working, just no DNS.

    FYI I am using the built-in Windows 10 VPN client which I need to support network sign-on to connect the VPN before logon occurs.

  • Matt,

    make sure you have filled the DNS field inside VPN > Show VPN settings > L2TP.  So if your domain name is test.local, ping using webserver.test.local.

    Regards

  • Yes, the internal DNS servers are configured under the L2TP VPN settings.

    I am unable to resolve internal hosts using the internal DNS servers through the VPN, either by pinging an internal FQDN hostname, or testing using NSLOOKUP and specifying the internal DNS server.

    Other services are working fine. Why is DNS being blocked? Nothing is appearing in the firewall logs.

  • Matt,

    check on client side if you are using Internal DNS as DNS servers and use wireshark to understand where the udp 53 traffic goes.

    Use tcpdump "port 53" from XG console and see if the requests are coming from the VPN clients.

    Regards

  • Wireshark shows nothing but the ESP traffic so the requests are going through the VPN tunnel.

    The tcpdump shows that the requests are reaching the DNS server but the NSLOOKUP times out for internal hostnames.

    console> tcpdump "port 53 and host 192.168.3.151"
    tcpdump: Starting Packet Dump
    02:56:18.034919 ppp0, IN: IP 192.168.3.151.54231 > 192.168.1.11.53: 7+ A? rlbfile.riderhunt.local. (41)
    02:56:18.035272 Port1, OUT: IP 192.168.3.151.54231 > 192.168.1.11.53: 7+ A? rlbfile.riderhunt.local. (41)
    02:56:18.035571 Port1, IN: IP 192.168.1.11.53 > 192.168.3.151.54231: 7* 2/0/0[|domain]
    02:56:18.035726 ppp0, OUT: IP 192.168.1.11.53 > 192.168.3.151.54231: 7* 2/0/0[|domain]
    02:56:20.045846 ppp0, IN: IP 192.168.3.151.54239 > 192.168.1.11.53: 8+ AAAA? rlbfile.riderhunt.local. (41)
    02:56:20.047090 Port1, OUT: IP 192.168.3.151.54239 > 192.168.1.11.53: 8+ AAAA? rlbfile.riderhunt.local. (41)
    02:56:20.047529 Port1, IN: IP 192.168.1.11.53 > 192.168.3.151.54239: 8* 0/1/0 (96)
    02:56:20.047765 ppp0, OUT: IP 192.168.1.11.53 > 192.168.3.151.54239: 8* 0/1/0 (96)
    02:56:20.071332 ppp0, IN: IP 192.168.3.151.54240 > 192.168.1.11.53: 9+ A? rlbfile.riderhunt.local. (41)
    02:56:20.071685 Port1, OUT: IP 192.168.3.151.54240 > 192.168.1.11.53: 9+ A? rlbfile.riderhunt.local. (41)
    02:56:20.072107 Port1, IN: IP 192.168.1.11.53 > 192.168.3.151.54240: 9* 2/0/0[|domain]
    02:56:20.072308 ppp0, OUT: IP 192.168.1.11.53 > 192.168.3.151.54240: 9* 2/0/0[|domain]
    02:56:22.080637 ppp0, IN: IP 192.168.3.151.54248 > 192.168.1.11.53: 10+ AAAA? rlbfile.riderhunt.local. (41)
    02:56:22.081021 Port1, OUT: IP 192.168.3.151.54248 > 192.168.1.11.53: 10+ AAAA? rlbfile.riderhunt.local. (41)
    02:56:22.081463 Port1, IN: IP 192.168.1.11.53 > 192.168.3.151.54248: 10* 0/1/0 (96)
    02:56:22.081687 ppp0, OUT: IP 192.168.1.11.53 > 192.168.3.151.54248: 10* 0/1/0 (96)



    Bizarrely, I can resolve an external host name using the internal DNS over the VPN tunnel:

    console> tcpdump "port 53 and host 192.168.3.151"
    tcpdump: Starting Packet Dump
    02:58:36.473924 ppp0, IN: IP 192.168.3.151.57968 > 192.168.1.11.53: 11+ A? www.google.com. (32)
    02:58:36.474303 Port1, OUT: IP 192.168.3.151.57968 > 192.168.1.11.53: 11+ A? www.google.com. (32)
    02:58:36.476310 Port1, IN: IP 192.168.1.11.53 > 192.168.3.151.57968: 11 1/0/0 A 216.58.200.100 (48)
    02:58:36.476470 ppp0, OUT: IP 192.168.1.11.53 > 192.168.3.151.57968: 11 1/0/0 A 216.58.200.100 (48)
    02:58:36.500110 ppp0, IN: IP 192.168.3.151.57969 > 192.168.1.11.53: 12+ AAAA? www.google.com. (32)
    02:58:36.500675 Port1, OUT: IP 192.168.3.151.57969 > 192.168.1.11.53: 12+ AAAA? www.google.com. (32)
    02:58:36.502558 Port1, IN: IP 192.168.1.11.53 > 192.168.3.151.57969: 12 1/0/0 AAAA[|domain]
    02:58:36.503046 ppp0, OUT: IP 192.168.1.11.53 > 192.168.3.151.57969: 12 1/0/0 AAAA[|domain]



    I have confirmed that the internal DNS is working fine from an internal host for internal hostnames, so I'm totally stumped now.

    It is also fine for other networks routing through the XG, including multiple IPsec site-to-site tunnels and the Wi-Fi VLANs.
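
As an added diagnostic example (not part of the original post or of Sophos' own tooling), the following Python script parses console tcpdump lines in the format quoted above and, per DNS transaction, reports which leg is missing: the query never arriving on ppp0, no reply from the server, or a reply that reaches the LAN side but is never sent back into the tunnel. The sample capture is constructed from the lines above, with transaction 10 edited to drop its final hop; the interface names ppp0 and Port1 are taken from the post.

```python
import re
from collections import defaultdict
# Constructed sample in the format of the XG console tcpdump output above: transaction 7 is the
# complete round trip from the post; transaction 10 is edited so the reply never re-enters ppp0.
SAMPLE = """\
02:56:18.034919 ppp0, IN: IP 192.168.3.151.54231 > 192.168.1.11.53: 7+ A? rlbfile.riderhunt.local. (41)
02:56:18.035272 Port1, OUT: IP 192.168.3.151.54231 > 192.168.1.11.53: 7+ A? rlbfile.riderhunt.local. (41)
02:56:18.035571 Port1, IN: IP 192.168.1.11.53 > 192.168.3.151.54231: 7* 2/0/0[|domain]
02:56:18.035726 ppp0, OUT: IP 192.168.1.11.53 > 192.168.3.151.54231: 7* 2/0/0[|domain]
02:56:22.080637 ppp0, IN: IP 192.168.3.151.54248 > 192.168.1.11.53: 10+ A? rlbfile.riderhunt.local. (41)
02:56:22.081021 Port1, OUT: IP 192.168.3.151.54248 > 192.168.1.11.53: 10+ A? rlbfile.riderhunt.local. (41)
02:56:22.081463 Port1, IN: IP 192.168.1.11.53 > 192.168.3.151.54248: 10* 2/0/0[|domain]
"""

LINE = re.compile(r"^\S+ (?P<iface>\w+), (?P<dir>IN|OUT): IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                  r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<id>\d+)[+*]?\s*(?P<rest>.*)$")
QUERY = re.compile(r"^(?P<qtype>[A-Z]+)\? (?P<name>\S+)")
REPLY = re.compile(r"^(?P<an>\d+)/\d+/\d+")  # answer/authority/additional section counts

def trace(text):
    """Group packets by (client ip, client port, DNS id) and record the interfaces each one crossed."""
    tx = defaultdict(lambda: {"qtype": None, "name": None, "hops": [], "answers": None})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        to_server = m["dport"] == "53"  # a query is sent to port 53, a reply comes from it
        key = (m["src"], m["sport"], m["id"]) if to_server else (m["dst"], m["dport"], m["id"])
        t = tx[key]
        t["hops"].append((m["iface"], m["dir"]))
        q, r = QUERY.match(m["rest"]), REPLY.match(m["rest"])
        if q and t["qtype"] is None:
            t["qtype"], t["name"] = q["qtype"], q["name"].rstrip(".")
        if r:
            t["answers"] = int(r["an"])
    return dict(tx)

def verdict(t, tunnel="ppp0"):
    # The first hop missing from the expected IN/OUT/IN/OUT sequence names the broken leg.
    if (tunnel, "IN") not in t["hops"]:
        return "query did not arrive from the tunnel"
    if (tunnel, "OUT") in t["hops"]:
        return "reply forwarded back into the tunnel"
    if t["answers"] is not None:
        return "reply seen on the LAN side but never sent back into the tunnel"
    return "no reply from the DNS server"

def summarize(text):
    return [(k[1], k[2], t["qtype"], t["name"], verdict(t)) for k, t in trace(text).items()]
```

The `[|domain]` suffix in the quoted capture is tcpdump's own marker that the packet was cut at the snapshot length, not a sign of a malformed reply, so the section counts (2/0/0) are the useful part of those lines.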

  • Matt,

    make sure that no traffic is blocked on Firewall logs.

    Did you configure the DNS request routing inside Network > DNS?

    Regards

  • No, nothing is being blocked in the firewall logs, I can see the DNS traffic being allowed from the client to the DNS server.

    I have tried adding a DNS request route but it has made no difference, I'm not using the XG for DNS so I wouldn't have expected it to.

    I am simply trying to connect to a DNS server through the L2TP tunnel and getting different results than when I connect from the LAN or other network zone.

  • I have done some more testing and if anything am more confused now.

    I can use the internal DNS in the XG if I NSLOOKUP to the LAN interface IP but still can't resolve internal DNS when using a DNS request route in place for the internal domain name to the internal DNS servers.

    What I have found is that I can resolve CNAME and NS records from the internal DNS over the L2TP tunnel but not A records, which time out.

    A record - times out

    > rlbfile.riderhunt.local
    Server: [192.168.1.8]
    Address: 192.168.1.8

    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    *** Request to [192.168.1.8] timed-out


    CNAME record - OK

    > remote.riderhunt.local
    Server: [192.168.1.8]
    Address: 192.168.1.8

    Name: rlbts.riderhunt.local
    Address: 192.168.1.9
    Aliases: remote.riderhunt.local


    Why is the XG breaking the A record lookups?