DNS issue with web authentication on guest network

We have a branch office that we would like to set up a guest network at.  We would like to use FlexConnect for local switching, being that the branch has a local internet service.  Our plan is to set up a non-routable VLAN that will only have internet access so that it does not have access to internal corporate resources.  To do this we were planning on using external DNS such as 8.8.8.8.  The issue I have run into is that by doing this the client can no longer resolve the DNS name for the virtual interface used for web authentication.  We would need them to be able to resolve guestwlan to 1.1.1.1.  How are others handling this?  Our security team does not want us giving access to any internal DNS servers and there is not a DMZ at the location.  It is a rather small branch.  Any ideas?

12 Replies

grabonlee
Level 4

The DNS request to 8.8.8.8 has to be routed to the Internet as it's external, and the only possible way would be for the firewall to allow the requests from the guest subnet to the external DNS. So I advise you speak to your firewall person.


Sent from Cisco Technical Support Android App

Stephen Rodriguez
Cisco Employee

If you configured a name under the Virtual Interface, then you would need to use a DNS server that is under your administrative control to be able to resolve the address.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Yes, I configured a name under the Virtual Interface, which is guestwlan.ourdomain.com.  What we ended up doing is going on our public DNS server hosted on the internet and putting in an A record that resolves guestwlan.ourdomain.com to 1.1.1.1.  It replicated across the internet, so now even using the 8.8.8.8 DNS server it is able to resolve the name guestwlan.ourdomain.com to 1.1.1.1 and the web authentication page is rendered.  Osita, to address your concern, we are allowing UDP 53 access to the internet on the firewall for the guest network for external DNS.

You might want to look into changing that. IANA gave out the 1.x/8 address space.  And of course, anyone else that did the same thing could cause you guys conflicts if they update the A record for that IP address.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Would it cause a conflict, being that it is specific to our domain space?  We thought about that but were thinking that since it uses ourdomain.com this would not be an issue.  Thoughts?

More referring to the owners of 1.x getting your records removed.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

I see what you are saying.  I am thinking the only way around this is to allow the guest VLAN access to one of our internal DNS servers with only UDP port 53 and putting the A record on that server.

If you have DNS servers in the DMZ/Internet, you can give them that address to use.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

noelmulryan
Level 1

.

That makes sense.  So I would just need to re-address my virtual interface to something other than a public IP, such as the one you have suggested.  Then I can add it back to my public DNS record, correct?

I assume there are no conflicts or issues with creating public DNS records pointing to that 192.0.2.0/24 network?

Yes, that is what you do. No, there are no issues with creating A records with that subnet.
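As an added check (not code from this thread or from Cisco), the Python script below verifies the two points the thread settles on: that the WLC virtual interface address is not globally routable (1.1.1.1 fails, 192.0.2.1 passes), and that the hostname configured on the virtual interface resolves to exactly that address so the web-auth redirect works from external DNS. The hostnames, the sample zone and the pluggable resolver are assumptions so it runs offline; the default resolver uses the system DNS.

```python
import ipaddress
import socket
from typing import Callable, List

# RFC 5737 documentation ranges: never routed on the Internet, so a web-auth
# virtual interface addressed here cannot collide with a real host.
DOCUMENTATION_NETS = [ipaddress.ip_network(n) for n in
                      ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

def is_safe_virtual_ip(ip_str: str) -> bool:
    """True when the address is not globally routable. 1.1.1.1 fails:
    1.0.0.0/8 has been allocated by IANA and is live public space."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in DOCUMENTATION_NETS) or not ip.is_global

def default_resolver(hostname: str) -> List[str]:
    """A records for hostname via the system resolver (needs network)."""
    return socket.gethostbyname_ex(hostname)[2]

def check_virtual_interface(hostname: str, virtual_ip: str,
                            resolver: Callable[[str], List[str]] = default_resolver) -> List[str]:
    """Return findings for the WLC virtual interface; an empty list means OK."""
    findings = []
    if not is_safe_virtual_ip(virtual_ip):
        findings.append(f"virtual IP {virtual_ip} is globally routable; "
                        "move it to an RFC 5737 address such as 192.0.2.1")
    try:
        answers = resolver(hostname)
    except OSError as exc:
        # Guest clients on external DNS would never reach the login page.
        return findings + [f"{hostname} does not resolve: {exc}"]
    if virtual_ip not in answers:
        findings.append(f"{hostname} resolves to {answers}, not to the "
                        f"virtual IP {virtual_ip}; the redirect will fail")
    return findings

# Constructed sample zone standing in for the thread's public DNS records.
SAMPLE_ZONE = {"guestwlan.ourdomain.com": ["1.1.1.1"],
               "guest.example.net": ["192.0.2.1"]}

def sample_resolver(hostname: str) -> List[str]:
    """Offline stand-in for default_resolver, answering from SAMPLE_ZONE."""
    if hostname not in SAMPLE_ZONE:
        raise OSError(f"NXDOMAIN: {hostname}")
    return SAMPLE_ZONE[hostname]

if __name__ == "__main__":
    for host, vip in (("guestwlan.ourdomain.com", "1.1.1.1"),
                      ("guest.example.net", "192.0.2.1")):
        print(host, check_virtual_interface(host, vip, sample_resolver) or "OK")
```

Run it against a real zone by dropping the `sample_resolver` argument, after the public A record has replicated.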
