Large number of DNS entries in syslogs from VPN users

schurch
Level 1

Hello,

wondering if anyone has run into this before on their PIX firewalls. Our VPN users use a Windows 2000 VPN system. Our syslogs are overrun with errors similar to the following:

No translation group found for udp src dmz:10.1.3.6/2803 dst outside:216.12.255.2/53

In this case, 10.1.3.6 represents a VPN client and from these logs it appears they are trying to reach their ISP's DNS server. What seems to happen is that 10-14 of these errors will appear in a 10-20 sec interval of time and then they will keep recurring every 5, 10, 20 mins.

Under the VPN profile, we can deselect the option of "use default gateway on remote network", which will force the VPN clients to send these DNS requests over their ISPs' network. This is a band-aid for the problem, because we are not getting to the root of the problem of where these DNS requests are coming from. Also, by deselecting this option, it can lead to potential security problems in itself.

Any idea what could be causing so many DNS requests from these clients?

Thanks,

Simon

1 Reply

0rsnaric
Level 1

Are you assigning an internal DNS server to your VPN clients when they connect? Does the DNS server send any unresolvable lookups to an external DNS server capable of resolving the lookup? If not this would cause these log entries.

Sounds like your clients are trying to resolve host names and this isn't happening through the VPN configured DNS server (assuming there even is one). The DNS request is then being passed to another configured DNS server (either a static entry on their IP stack or a dynamically assigned one from their ISP). And even though the configured DNS server is external it still gets passed to the default gateway which has become the VPN tunnel. The PIX gets this packet and wants to pass it outside but there is no translation allowing it. And, in fact, the PIX will not pass traffic received on an interface back out the same interface.

Rick
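As an added example (not code from either post), the following Python script parses PIX syslog lines of the form Simon quotes, keeps only the UDP/53 hits aimed at the outside interface, and reports per VPN client which external resolvers were targeted and how the hits cluster in time, which is the pattern Rick's hairpin explanation predicts. The "Mon dd hh:mm:ss host" syslog prefix, the 30-second burst window and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the PIX message quoted in the question. The "Mon dd hh:mm:ss host" prefix
# is an assumed syslog layout (the thread only shows the message body).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ No translation group found for "
    r"(?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/\d+ "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)$"
)
BURST_GAP_SECONDS = 30  # hits closer than this are one burst (question: 10-14 hits in 10-20 s)

# Constructed sample: a DNS burst from the VPN client in the question, one retry
# five minutes later, and one unrelated TCP hit from another host.
SAMPLE_LOG = """\
Mar  3 09:00:01 pix No translation group found for udp src dmz:10.1.3.6/2803 dst outside:216.12.255.2/53
Mar  3 09:00:02 pix No translation group found for udp src dmz:10.1.3.6/2804 dst outside:216.12.255.2/53
Mar  3 09:00:05 pix No translation group found for udp src dmz:10.1.3.6/2805 dst outside:216.12.255.10/53
Mar  3 09:05:01 pix No translation group found for udp src dmz:10.1.3.6/2806 dst outside:216.12.255.2/53
Mar  3 09:00:03 pix No translation group found for tcp src dmz:10.1.3.7/1040 dst outside:198.51.100.5/80
"""

def summarize_dns_leaks(log_text):
    """Per source IP: DNS queries (udp/53) dropped untranslated at the outside interface,
    the external resolvers they targeted, and how the hits cluster in time."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a 'No translation group' line (or an unexpected layout)
        r = m.groupdict()
        if r["proto"] != "udp" or r["dport"] != "53" or r["dif"] != "outside":
            continue  # keep only DNS aimed at the outside interface
        r["ts"] = datetime.strptime(r["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        by_src[r["sip"]].append(r)
    report = {}
    for sip, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        bursts, last_ts = [], None
        for r in recs:
            if last_ts is None or (r["ts"] - last_ts).total_seconds() > BURST_GAP_SECONDS:
                bursts.append(1)  # new burst
            else:
                bursts[-1] += 1   # same burst as the previous hit
            last_ts = r["ts"]
        report[sip] = {"count": len(recs),
                       "resolvers": sorted({r["dip"] for r in recs}),
                       "bursts": bursts}  # e.g. [3, 1]: a 3-hit burst, then a lone retry
    return report
```

Run it against a real syslog export after adjusting `LINE_RE` to the actual line prefix; a client that shows up with several resolvers and short bursts every few minutes is sending its ISP-side DNS through the tunnel.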