Split DNS over a site to site VPN?

Apr 30th, 2010

Hello,


I have a remote office that has an 871W and that's using a site-to-site VPN to an ASA 5505.  Currently all DNS traffic is going to the main office for resolution.  Is it possible to configure a split DNS so internal lookups continue across the VPN, but external requests use the remote office ISP?


I do have split tunneling enabled, but I can't figure out how to split the DNS.


Thanks!

Federico Coto F... Fri, 04/30/2010 - 17:30

Hi,


I've done this in the ASA or Concentrator.
On the ASA you have the option to configure split-dns in environments with split tunneling.
You go under the group-policy to configure the list of domains to be resolved through the split tunneling.

group-policy sales attributes
 split-dns value example.com


I've never done it in IOS routers, but it seems that it can be done.


Hope this link helps:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htspldns.html


Federico.

kgreenway Sun, 05/02/2010 - 13:15

Hi,


I have been trying to get the same feature working and at last succeeded.  I've posted my config below which was added on an 877W, so should be good for you in your scenario too.


ACL 101 is my inbound ACL against Dialer0 interface.


Thanks,


Kevin


interface BVI1
 ip dns view-group mycomp_viewlist

ip dns view mycomp
 domain name-server 192.168.1.x
 domain name-server 192.168.1.x
 dns forwarder 192.168.1.x
 dns forwarder 192.168.1.x
 dns forwarding source-interface BVI1
ip dns view default
 domain name-server 212.x.x.x
 domain name-server 212.x.x.x
 dns forwarder 212.x.x.x
 dns forwarder 212.x.x.x
 dns forwarding source-interface BVI1
ip dns view-list default
ip dns view-list mycomp_viewlist
 view mycomp 5
  restrict name-group 10
 view default 10
ip dns name-list 10 permit .*.mycomp.CO.UK
ip dns server

access-list 101 permit udp host 212.x.x.x eq domain any gt 1023
access-list 101 permit udp host 212.x.x.x eq domain any gt 1023
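As an added illustration (not part of Kevin's post and not Cisco code), the Python below models how the view-list in the config above picks a DNS view for a query name, assuming IOS name-list regexes are unanchored and matched case-insensitively; it also shows that the unescaped dots in `.*.mycomp.CO.UK` let a name like notmycomp.co.uk reach the internal forwarders while the bare mycomp.co.uk goes to the ISP, which a tighter pattern avoids.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed model of the IOS view-list walk: entries are tried in order,
# a view carrying "restrict name-group N" is skipped unless the query name
# matches name-list N, and the first usable view decides which forwarders
# (internal over the VPN, or the ISP) receive the query.
# Assumption not stated on the page: name-list regexes are unanchored and
# case-insensitive; verify this on your own router.

@dataclass
class View:
    name: str
    forwarders: list
    restrict_name_group: Optional[int] = None  # name-list number, if restricted

# ip dns name-list 10 permit .*.mycomp.CO.UK  (pattern as posted)
NAME_LISTS = {10: [("permit", r".*.mycomp.CO.UK")]}

# Tighter alternative (our suggestion): only mycomp.co.uk and its subdomains.
TIGHT_NAME_LISTS = {10: [("permit", r"(^|\.)mycomp\.co\.uk$")]}

# ip dns view-list mycomp_viewlist: view mycomp 5 (restricted), view default 10
VIEW_LIST = [
    (5, View("mycomp", ["192.168.1.x"], restrict_name_group=10)),  # via VPN
    (10, View("default", ["212.x.x.x"])),                          # ISP resolvers
]

def name_list_permits(number: int, qname: str, name_lists=NAME_LISTS) -> bool:
    """First matching entry wins; no match means implicit deny."""
    for action, pattern in name_lists.get(number, []):
        if re.search(pattern, qname, re.IGNORECASE):
            return action == "permit"
    return False

def select_view(qname: str, name_lists=NAME_LISTS) -> Optional[View]:
    """Return the first view in order whose restriction (if any) admits qname."""
    for _order, view in sorted(VIEW_LIST, key=lambda entry: entry[0]):
        if view.restrict_name_group is None or \
                name_list_permits(view.restrict_name_group, qname, name_lists):
            return view
    return None

def resolver_for(qname: str, name_lists=NAME_LISTS) -> str:
    """Name of the view (and so the forwarder set) that would handle qname."""
    view = select_view(qname, name_lists)
    return view.name if view else "unmatched"
```

Whether your IOS release accepts the `\.`, `^` and `$` tokens in `ip dns name-list` is something to confirm on the box before relying on the tighter pattern.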
