resolve DNS over IPsec

General questions about problems. No bug reports or feature requests

Moderator: Securepoint

valmon4
Posts: 4
Joined: Thu 15.07.2021, 15:33

Post by valmon4 »

Hello all.

I have a DNS problem with my UTM (v 11.8) setup & IPsec VPN.
There is an IPsec connection between site A (UTM) and site B (domain = name_pro).
Default DNS server defined in UTM is 127.0.0.1 and we have 2 DNS forwarding server: 8.8.8.8 & 1.1.1.1.
In menu app > nameserver I have defined one relay zone for the name_pro domain with the internal IP of the site B gateway.
Problem: from a PC in the site A network range I can't resolve the domain from site B.
nslookup name_pro
    Server:  UnKnown
    Address:  192.168.x.y
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    *** Zeitüberschreitung bei Anforderung an UnKnown.
All other domains can be resolved.
From UTM > network tools > host:
     Using domain server:
     Name: 127.0.0.1
     Address: 127.0.0.1#53
     Aliases:
     Host name_pro not found: 2(SERVFAIL)

Following a guide found in this forum, I tried to define a network object: name_object; zone: vpn-ipsec;
address: network range for site B; eth0 (public IP).
After that, in the portfilter, I activated this rule:
external-interface <> target: name_object <> service: domain-udp <> NAT type: HIDENAT <> network object: internal-interface;

Can someone please tell me what is wrong in this configuration, or what must be added to correctly resolve the domain from site B?

Thank you very much!

Mario
Securepoint
Posts: 935
Joined: Wed 04.04.2007, 10:47
Location: Bäckerei

Post by Mario »

The problem is that the firewall will create the request via the external interface, where your default route points to. So it won't ever go into the tunnel, because there is no SA configured to match this packet.

There have to be specific rules for this to work. For example:

First, you need to create a network object for your remote ipsec network. Instead of using the zone "vpn-ipsec" for this object, you have to use "external".
Then you have to create a portfilter rule like this:

external interface >> ipsec remotenet (zone external) | service: "dns" or maybe "windows domain"  | HIDENAT "internal interface"

Maybe it is necessary to edit the internal interface object. Instead of using the interface in this object, use the interface IP with a /32 mask. This will only work if the internal interface is configured in the IPsec SA, of course.
Kind regards

Mario Rhein
Support
Tel. 04131/2401-0
Fax 04131/2401-50

Securepoint GmbH
Blecker Landstr. 28
D-21337 Lüneburg
https://www.securepoint.de
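The mechanism Mario describes (the UTM's own DNS forward is sourced from the default-route interface, so no IPsec SA selector matches it, while HIDENAT to the internal interface address moves it into the tunnel) can be shown with a small model. This is an added illustration, not code from the thread or from Securepoint; all addresses, interface names and the selector are constructed for the example.

```python
# Added illustration (not Securepoint code): models why a DNS forward that the
# UTM sources from its external interface never enters the IPsec tunnel, and
# why HIDENAT to the internal interface address makes the SA selector match.
# All addresses below are constructed examples (RFC 1918 and RFC 5737 ranges).
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    interface: str
    src_ip: IPv4  # address the host uses as source when it sends via this route


@dataclass(frozen=True)
class TrafficSelector:
    """Local/remote network pair of an IPsec SA (the 'SA' referred to above)."""
    local_net: Net
    remote_net: Net

    def matches(self, src: IPv4, dst: IPv4) -> bool:
        return src in self.local_net and dst in self.remote_net


# Constructed site A (UTM) routing table: default route out of eth0, LAN on eth1.
ROUTES = (
    Route(Net("0.0.0.0/0"), "eth0", IPv4("203.0.113.10")),        # public IP
    Route(Net("192.168.10.0/24"), "eth1", IPv4("192.168.10.1")),  # internal interface
)

# Constructed SA: site A LAN <-> site B LAN. Site A's public IP is NOT inside it.
SELECTORS = (TrafficSelector(Net("192.168.10.0/24"), Net("192.168.20.0/24")),)

SITE_B_DNS = IPv4("192.168.20.1")   # constructed relay-zone target on site B
INTERNAL_IP = IPv4("192.168.10.1")  # HIDENAT source: internal interface IP (/32)


def select_route(routes, dst: IPv4) -> Route:
    """Longest-prefix match, as the kernel does for packets the UTM itself sends."""
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def dns_forward_path(dst_dns: IPv4, hidenat_src: Optional[IPv4] = None):
    """Return (egress, source_ip) for a DNS query the UTM forwards to dst_dns.

    Without HIDENAT the source is whatever the chosen route implies (here the
    public IP on eth0). With HIDENAT the source is rewritten to the internal
    interface address before the IPsec policy lookup, so the selector matches.
    """
    route = select_route(ROUTES, dst_dns)
    src = hidenat_src if hidenat_src is not None else route.src_ip
    for sel in SELECTORS:
        if sel.matches(src, dst_dns):
            return "ipsec-tunnel", src
    # No SA covers this src/dst pair: the query leaves via the routed interface
    # and is never answered by site B (the timeout / SERVFAIL seen in the thread).
    return route.interface, src


if __name__ == "__main__":
    print("without HIDENAT:", dns_forward_path(SITE_B_DNS))
    print("with HIDENAT:   ", dns_forward_path(SITE_B_DNS, INTERNAL_IP))
```

Running it prints the unanswered path (`eth0`, public source IP) for the plain forward and `ipsec-tunnel` for the HIDENAT case; the same check is what you would do mentally against your own routing table and the SA's configured networks when a relay zone times out.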

Mario
Securepoint
Posts: 935
Joined: Wed 04.04.2007, 10:47
Location: Bäckerei

Post by Mario »

Edit!

valmon4
Posts: 4
Joined: Thu 15.07.2021, 15:33

Post by valmon4 »

Thanks for the information.
To clarify, is it ok if I define something like this?
1. Create a network object for the remote ipsec network,
e.g.: name=network-remote; zone=external; address: public IP of remote ipsec network or internal network range?; interface: eth0 (public IP on site)
2. Portfilter rule:
external-interface <> network-remote <> dns <> HIDENAT <> internal-interface

Thank you!

Mario
Securepoint
Posts: 935
Joined: Wed 04.04.2007, 10:47
Location: Bäckerei

Post by Mario »

Yes, that should work.

valmon4
Posts: 4
Joined: Thu 15.07.2021, 15:33

Post by valmon4 »

Hello again.

I have made some small steps, but there is no way to make DNS resolution work over the IPsec connection. Probably it's a small thing to change, but I can't figure out what it can be...
Is there a possibility to communicate with you in private, for a better understanding of the problem?

Thank you!

Mario
Securepoint
Posts: 935
Joined: Wed 04.04.2007, 10:47
Location: Bäckerei

Post by Mario »

We have a wiki page: https://wiki.securepoint.de/UTM/VPN/DNS_Relay

In the wiki, the zone is vpn-ipsec. Try it, but if I remember correctly it's on external, not vpn-ipsec, at the moment.