Hello all.
I have a DNS problem with my UTM (v 11.) setup and IPsec VPN.
There is an IPsec connection between site A (UTM) and site B (domain = name_pro).
The default DNS server defined in the UTM is 127.0.0.1, and we have 2 DNS forwarding servers: 8.8.8.8 and 1.1.1.1.
In the menu app > nameserver I have defined one relay zone for the name_pro domain, with the internal IP of the site B gateway.
Problem: from a PC in the site A network range I can't resolve the domain from site B.
nslookup name_pro
Server: UnKnown
Address: 192.168.x.y
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed out.
All other domains can be resolved.
From UTM > network tools > host:
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:
Host name_pro not found: 2(SERVFAIL)
Following a guide I found in this forum, I tried to define a network object: name_object; zone: vpn-ipsec;
address: network range for site B; eth0 (public IP).
After that, in the portfilter, I activated this rule:
external-interface <> destination: name_object <> service: domain-udp <> NAT type: HIDENAT <> network object: internal-interface;
Can someone tell me, please, what is wrong in this configuration, or what must be added to correctly resolve the domain from site B?
Thank you very much!
resolve DNS over IPsec
Moderator: Securepoint
The problem is that the firewall will create the request via the external interface, where your default route is pointing to. So it won't ever go into the tunnel, because there is no SA configured that matches this packet.
There have to be specific rules for this to work. For example:
First, you need to create a network object for your remote IPsec network. Instead of using the zone "vpn-ipsec" for this object, you have to use "external".
Then you have to create a portfilter rule like this:
external interface >> ipsec remotenet (zone external) | service: "dns" or maybe "windows domain" | HIDENAT "internal interface"
Maybe it is necessary to edit the internal interface object. Instead of using the interface in this object, use the interface IP with a /32 mask. This will only work if the internal interface is configured in the IPsec SA, of course.
Kind regards
Mario Rhein
Support
Tel. 04131/2401-0
Fax 04131/2401-50
Securepoint GmbH
Blecker Landstr. 28
D-21337 Lüneburg
https://www.securepoint.de
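To make the answer above concrete, here is an added example (my own, not Securepoint's code and not taken from the UTM) that models the three pieces involved: the routing table that chooses the firewall's source address, the IPsec phase-2 selector (SA) that decides which packets are tunnelled, and the HIDENAT rule that rewrites the source before the SA check. All addresses are constructed for the example (site A 192.168.10.0/24 with the UTM's internal IP 192.168.10.1 and external IP 203.0.113.10, site B 10.20.0.0/24 with its DNS server at 10.20.0.5); the class and function names are mine. It shows why the relay query leaves via the default route and fails without the rule, why it matches the SA with the rule, and why the NAT source must be an address inside the SA's local selector (the /32 hint in the answer).

```python
from __future__ import annotations
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed addresses for this example (not from the thread).
UTM_EXT_IP = ip_address("203.0.113.10")   # eth0: the default route points here
UTM_INT_IP = ip_address("192.168.10.1")   # internal interface, inside the SA's local selector
SITE_A_NET = ip_network("192.168.10.0/24")
SITE_B_NET = ip_network("10.20.0.0/24")   # the "ipsec remotenet" object
SITE_B_DNS = ip_address("10.20.0.5")      # relay target for the name_pro zone


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str = "udp"
    dport: int = 53


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str
    src_ip: IPv4Address   # source address the firewall picks for its own traffic on this route


@dataclass(frozen=True)
class IPsecSA:
    """Phase-2 traffic selector of the tunnel: only local_net <-> remote_net is protected."""
    local_net: IPv4Network
    remote_net: IPv4Network

    def matches(self, pkt: Packet) -> bool:
        return pkt.src in self.local_net and pkt.dst in self.remote_net


@dataclass(frozen=True)
class HideNat:
    """Source NAT for firewall-originated traffic, modelled on the portfilter rule
    'external interface >> ipsec remotenet | dns | HIDENAT internal interface'."""
    dst_net: IPv4Network
    proto: str
    dport: int
    to_source: IPv4Address   # should be a single address inside the SA's local selector

    def applies(self, pkt: Packet) -> bool:
        return pkt.dst in self.dst_net and pkt.proto == self.proto and pkt.dport == self.dport


# Routing table of the UTM. There is no route for SITE_B_NET: a policy-based
# IPsec tunnel is selected by the SA, not by a route, so site B falls to the default route.
ROUTES = [
    Route(ip_network("0.0.0.0/0"), "eth0", UTM_EXT_IP),
    Route(SITE_A_NET, "eth1", UTM_INT_IP),
]
SA = IPsecSA(SITE_A_NET, SITE_B_NET)


def lookup_route(dst: IPv4Address, routes=ROUTES) -> Route:
    """Longest-prefix match; the default route catches everything else."""
    return max((r for r in routes if dst in r.prefix), key=lambda r: r.prefix.prefixlen)


def firewall_query(dst: IPv4Address, nat_rules: tuple[HideNat, ...] = ()) -> tuple[Packet, str]:
    """Build the DNS query the firewall's own resolver sends to `dst` and report its path.

    Order mirrors the data path: routing picks the source address, source NAT
    rewrites it, and only then is the packet checked against the IPsec SA.
    """
    route = lookup_route(dst)
    pkt = Packet(src=route.src_ip, dst=dst)
    for rule in nat_rules:
        if rule.applies(pkt):
            pkt = replace(pkt, src=rule.to_source)
            break
    path = "ipsec-tunnel" if SA.matches(pkt) else f"cleartext via {route.iface}"
    return pkt, path


def nat_source_is_valid(rule: HideNat, sa: IPsecSA = SA) -> bool:
    """The /32 hint from the answer: the NAT source must lie inside the SA's local selector."""
    return rule.to_source in sa.local_net


def diagnose(dst: IPv4Address = SITE_B_DNS, nat_rules: tuple[HideNat, ...] = ()) -> str:
    pkt, path = firewall_query(dst, nat_rules)
    if path == "ipsec-tunnel":
        return f"OK: {pkt.src} -> {dst} matches SA {SA.local_net} <-> {SA.remote_net}"
    return (f"FAIL: relay query leaves as {pkt.src} -> {dst} {path}; no SA covers it, "
            f"so the relay zone times out (SERVFAIL). Source-NAT it to an address in {SA.local_net}.")


if __name__ == "__main__":
    print(diagnose())                                          # the thread's broken state
    fix = (HideNat(SITE_B_NET, "udp", 53, UTM_INT_IP),)
    print(diagnose(nat_rules=fix))                             # with the HIDENAT rule
    print(diagnose(nat_rules=(HideNat(SITE_B_NET, "udp", 53, UTM_EXT_IP),)))  # wrong NAT source
```

Two practical follow-ups the model suggests. First, the NAT rule only rewrites what it matches: if the relay retries a truncated answer over TCP, a udp/53-only rule leaves that query on the external address, so the service used in the rule should cover TCP 53 as well (the "windows domain" service mentioned in the answer is one way to get there). Second, on any Linux box with `dig` and `tcpdump` (generic tools, not a UTM menu item), `dig @10.20.0.5 -b 192.168.10.1 name_pro SOA` versus the same query without `-b` shows directly whether binding the source to the internal address makes the tunnel carry the query, and `tcpdump -ni eth0 udp port 53` shows whether the relay's queries are leaving the external interface in cleartext.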
Thanks for the information.
To clarify, is it OK if I define something like this?
1. Create a network object for the remote IPsec network.
e.g.: name=network-remote; zone=external; address: public IP of the remote IPsec network, or the internal network range?; interface: eth0 (public IP on site)
2. portfilter rule:
external-interface <> network-remote <> dns <> HIDENAT <> internal-interface
Thank you!
Yes, that should work
Kind regards
Mario Rhein
Support, Securepoint GmbH
Hello again.
I have made some small steps, but there is no way to make DNS resolution work over the IPsec connection. Probably it's a small thing to change, but I can't figure out what it can be...
Is there a possibility to communicate with you in private, for a better understanding of the problem?
Thank you!
We have a wiki page. https://wiki.securepoint.de/UTM/VPN/DNS_Relay
In the wiki, the zone is vpn-ipsec. Try it, but if I remember correctly it's on external, not vpn-ipsec, at the moment.
Kind regards
Mario Rhein
Support, Securepoint GmbH