08-25-2010 07:56 AM
Hello,
I'm trying to understand how DNS works with U-turn. I'm looking into configuring VPN tunnel between ASA 5510 (main office) and PIX 506 (remote office).
Currently all workstations in remote office are connected thru VPN tunnel between PIX506 and VPN 3000 concentrator, so they use internal DNS server in main office. I need to use U-turn on ASA to enable remote users to surf the net. With U-turn config, will remote workstation still use DNS server in main office to resolve IP addresses?
thanks
lf
08-25-2010 08:19 AM
Yes, they would still use the same DNS server.
08-25-2010 08:28 AM
Ok, thx. Is there a way to use other DNS servers (i.e. OpenDNS) for U turn traffic (web browsing) and use my internal DNS server for production traffic?
08-25-2010 05:10 PM
Well, that is not possible, because your host does not know how the packet is going to the internet; for the host, U-turning VPN traffic is all transparent.
08-26-2010 10:22 AM
Ok, I understand. How about the split tunnel? If I'd configure it so only interesting traffic passes thru the VPN tunnel and web traffic "splits" at the PIX, how does DNS work in such a configuration? Is there a way to use my internal DNS servers (behind the ASA) for encrypted traffic and another DNS server for web traffic? I just want to make sure that all of the applications will be working internally thru the VPN and use external DNS for web traffic.
thanks again
08-26-2010 11:01 AM
Hey Forman,
Split DNS and split tunneling are both used with remote access clients. In your case you are trying to configure a site-to-site VPN tunnel, so to "split" the traffic you will use the crypto ACL to define interesting traffic for the VPN. This ACL however uses IP addresses to determine whether the traffic should be encrypted or not, hence your DNS lookup would have to happen before the traffic gets encrypted. So either you can define the DNS server for the remote network to be the DNS across the VPN tunnel and ensure that the DNS server's IP address is part of the interesting traffic, or you must ensure that the local DNS server is capable of resolving the names.
In the previous case where you are using U-Turning, everything automatically gets tunneled so you don't need to worry about your DNS requests being tunneled.
I hope this explains the behaviour.
Regards,
Atri.
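The point Atri makes, that a site-to-site crypto ACL matches on IP addresses only, so a DNS query is encrypted exactly when the resolver's address falls inside the interesting traffic, can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses ASA/PIX-style `access-list NAME permit ip SRC MASK DST MASK` lines and classifies a remote workstation's DNS and web flows against two constructed ACLs, one split (remote LAN to main-office LAN only) and one U-turn (remote LAN to `any`). All addresses, the ACL name and the helper names are assumptions chosen for the example.

```python
"""Added example (not from the thread): which flows does a site-to-site
crypto ACL encrypt?  It models the point that the crypto ACL matches on
IP addresses only, so a DNS query is tunneled only when the resolver's
address is part of the interesting traffic.  All addresses and the ACL
name are constructed placeholders, not taken from the original post."""
from __future__ import annotations

from ipaddress import IPv4Address, IPv4Network


def _network(fields: list[str], i: int) -> tuple[IPv4Network, int]:
    """Consume one ASA/PIX address spec at fields[i]: 'any' or 'ADDR SUBNETMASK'."""
    if fields[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    return IPv4Network(f"{fields[i]}/{fields[i + 1]}", strict=False), i + 2


def parse_crypto_acl(text: str) -> list[tuple[IPv4Network, IPv4Network]]:
    """Parse 'access-list NAME permit ip SRC MASK DST MASK' lines into
    (source network, destination network) pairs.  Other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 6 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
            continue
        src, i = _network(t, 4)
        dst, _ = _network(t, i)
        entries.append((src, dst))
    return entries


def is_tunneled(acl, src_ip: str, dst_ip: str) -> bool:
    """True if any permit entry covers the flow, i.e. the box would encrypt it."""
    s, d = IPv4Address(src_ip), IPv4Address(dst_ip)
    return any(s in src and d in dst for src, dst in acl)


# Constructed addresses (RFC 1918 and documentation ranges), not from the thread.
REMOTE_HOST = "192.168.2.10"   # workstation behind the PIX 506 (remote office)
INTERNAL_DNS = "10.0.0.53"     # DNS server behind the ASA (main office)
PUBLIC_DNS = "203.0.113.53"    # a public resolver on the internet
WEB_SERVER = "198.51.100.80"   # some web site

# Split: only remote LAN <-> main-office LAN is interesting traffic.
SPLIT_ACL = "access-list vpn-traffic permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.255.0"
# U-turn: everything from the remote LAN goes through the tunnel.
UTURN_ACL = "access-list vpn-traffic permit ip 192.168.2.0 255.255.255.0 any"

FLOWS = {"dns_internal": INTERNAL_DNS, "dns_public": PUBLIC_DNS, "web": WEB_SERVER}


def classify_flows(acl_text: str, host: str = REMOTE_HOST) -> dict[str, str]:
    """Map each sample flow from the remote host to 'tunneled' or 'clear'."""
    acl = parse_crypto_acl(acl_text)
    return {name: ("tunneled" if is_tunneled(acl, host, dst) else "clear")
            for name, dst in FLOWS.items()}


def dns_check(acl_text: str, resolver: str, host: str = REMOTE_HOST) -> str:
    """Verdict in the thread's terms: a resolver reached across the tunnel must be
    inside the interesting traffic; otherwise the query leaves in the clear and
    that resolver has to be able to resolve the names the host needs."""
    acl = parse_crypto_acl(acl_text)
    if is_tunneled(acl, host, resolver):
        return "query encrypted: resolver is part of the interesting traffic"
    return "query sent in the clear: resolver must resolve the names locally"


if __name__ == "__main__":
    for label, acl_text in (("split", SPLIT_ACL), ("u-turn", UTURN_ACL)):
        print(label, classify_flows(acl_text))
        print("   internal DNS:", dns_check(acl_text, INTERNAL_DNS))
        print("   public DNS:  ", dns_check(acl_text, PUBLIC_DNS))
```

With the split ACL the internal resolver's query is encrypted while the public resolver and the web flow leave the PIX in the clear; with the U-turn ACL all three flows are encrypted, which is why, as the thread says, DNS needs no special handling in the U-turn case. The same functions can be pointed at a real crypto ACL dumped from the configuration to confirm that the DNS server's address is covered before cutting over.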
08-26-2010 11:49 AM
Thanks Atri for explaining this.
forman