Configuring split DNS over site to site VPN

Description

Split DNS is an enhancement that allows you to configure a set of DNS servers and associate them with a given domain name (which can be a wildcard). When the SonicOS/X DNS Proxy receives a query that matches the domain name, the query is forwarded to the designated DNS server.

This can be achieved over a Site to Site VPN policy for remote users when the DNS server is located at the main site.

Network Topology

Site A 

  • TZ 570
  • DNS server: 192.168.5.100

Site B

  • TZ 670

NOTE: This only works for a Tunnel Interface VPN, because the VPN interface must be selectable as the Local Interface under Split DNS.

Resolution

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that differ from SonicOS 6.5 and earlier firmware. The resolution below is for customers using SonicOS 7.X firmware.

  • To configure a Site to Site VPN (Tunnel Interface mode, IKEv1 or IKEv2), follow this article: How can I configure a tunnel interface VPN (Route-Based VPN)?
  • On the TZ 670, configure the Split DNS entry: navigate to Network | DNS | Settings | Split DNS, add the entry for the domain with DNS server 192.168.5.100, and select the VPN tunnel interface as the Local Interface.
  • Enable DNS Proxy on the TZ 670: navigate to DNS | DNS Proxy and enable "Enforce DNS Proxy".
  • Additionally, add a DNS access rule on the TZ 670.
  • On the TZ 570 side, one VPN to LAN access rule is needed to allow the DNS queries: navigate to Policy | Rules and Policies | Access Rules and add a VPN | LAN rule.


HOW TO TEST:

Test by pinging any subdomain, such as abc.acme.local, from the TZ 670 side.

The packet capture below shows the successful response and that the query is forwarded to the TZ 570.

[Packet capture screenshot]
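As an added illustration (not SonicWall's code and not part of the original article), the Python below models how a Split DNS table selects the forwarding server for a query name, including wildcard and most-specific matching, and adds the check a practitioner wants before testing: that each designated DNS server sits in a network routed over the selected tunnel interface. The tunnel interface name, the remote network behind it and the default upstream resolver are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed data mirroring the article's topology. The tunnel interface
# name, the remote network behind it and the default upstream resolver are
# assumptions, not values from the article.
Rule = Tuple[str, str, str]  # (domain pattern, DNS server, local interface)
SPLIT_DNS: List[Rule] = [
    ("*.acme.local", "192.168.5.100", "vpn-tunnel-siteA"),
]
TUNNEL_ROUTES: Dict[str, List[ipaddress.IPv4Network]] = {
    "vpn-tunnel-siteA": [ipaddress.ip_network("192.168.5.0/24")],
}
DEFAULT_DNS = "203.0.113.53"  # placeholder upstream resolver (assumed)


def _matches(name: str, pattern: str) -> bool:
    """Case-insensitive match; a '*.' wildcard covers the domain itself and every subdomain."""
    name, pattern = name.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        return name == base or name.endswith("." + base)
    return name == pattern


def select_dns_server(qname: str, rules: List[Rule] = SPLIT_DNS,
                      default: str = DEFAULT_DNS) -> str:
    """Return the server a query for qname is forwarded to; the most specific pattern wins."""
    best: Optional[Rule] = None
    for rule in rules:
        if _matches(qname, rule[0]) and (best is None or len(rule[0]) > len(best[0])):
            best = rule
    return best[1] if best else default


def validate_split_dns(rules: List[Rule] = SPLIT_DNS,
                       routes: Dict[str, List[ipaddress.IPv4Network]] = TUNNEL_ROUTES) -> List[str]:
    """Flag entries whose DNS server is not inside a network routed over the chosen tunnel."""
    problems = []
    for pattern, server, iface in rules:
        ip = ipaddress.ip_address(server)
        if not any(ip in net for net in routes.get(iface, [])):
            problems.append(f"{pattern}: {server} is not reachable via {iface}")
    return problems


if __name__ == "__main__":
    print(select_dns_server("abc.acme.local"))  # 192.168.5.100
    print(validate_split_dns() or "split DNS entries look consistent")
```

A non-empty result from validate_split_dns points at the misconfiguration the NOTE above warns about: the designated server is not behind the tunnel interface chosen as Local Interface, so queries never reach it.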
