TINA Tunnel DNS issue

vpn ipsec dns

9 replies to this topic

#1 Ivar Refsdal

Ivar Refsdal
  • Members
  • 5 posts

Posted 23 August 2016 - 06:36 AM

Hi.
I have set up a TINA tunnel between our primary site and a new site. Hardware is the NG 280F at both ends. The primary site is running our domain controllers. I can ping the IP addresses between locations, but DNS isn't working, so I cannot get the computers at the new site to join the domain. I have been fiddling around with the DNS settings for hours, but I cannot get it to work. Can someone please help me with the details of how this should be set up?



#2 Gavin Chappell

Gavin Chappell
  • Moderators
  • 412 posts
  • Location: Nottingham, UK

Posted 23 August 2016 - 07:17 AM

What DNS server is configured on your clients? Do you use the domain controller, or do you use the DNS service (or caching DNS) on the NG itself?



#3 Ivar Refsdal

Ivar Refsdal
  • Members
  • 5 posts

Posted 23 August 2016 - 07:53 AM

On the new site I have set the clients' DNS to the IP addresses of the domain controllers on the primary site.



#4 Chad Hicks

Chad Hicks
  • Members
  • 48 posts

Posted 23 August 2016 - 08:03 AM

Hi.
I have set up a TINA tunnel between our primary site and a new site. Hardware is the NG 280F at both ends. The primary site is running our domain controllers. I can ping the IP addresses between locations, but DNS isn't working, so I cannot get the computers at the new site to join the domain. I have been fiddling around with the DNS settings for hours, but I cannot get it to work. Can someone please help me with the details of how this should be set up?

 

You'll want to add the DNS Module to the "New Site" box for Split DNS. This way only domain traffic will route over the VPN tunnel, while regular internet traffic routes over the commodity ISP link. If you're not familiar with DNS I recommend submitting a support case with Barracuda.



#5 Gavin Chappell

Gavin Chappell
  • Moderators
  • 412 posts
  • Location: Nottingham, UK

Posted 23 August 2016 - 08:05 AM

On the new site I have set the clients' DNS to the IP addresses of the domain controllers on the primary site.

 

Interesting, that should probably work - there's a little trick sometimes required if you were going Client -> NG -> Remote DC (i.e. using the NG as the DNS server for your clients, and expecting it to contact the primary DC over the VPN tunnel). The way you've done things may not be ideal due to extra latency on the DNS requests, but it should be working OK.

 

If you check out the Firewall->History view on your NG, what rules are matched by DNS traffic?



#6 John K. Mes

John K. Mes
  • Members
  • 29 posts

Posted 23 August 2016 - 09:17 AM

Howdy!

 

The split-DNS suggestion is a good one.

 

I would also suggest:

 - Make sure you have a "pass" rule for DNS outbound from the remote site to HQ. For fun, place it before your VPN rule. Look for UDP-53 traffic on both firewalls. Sometimes the request comes in, but there isn't a reciprocating rule on the HQ firewall so the reply never goes back.

 

 - Do a traceroute to make sure the tunnel is working like you think it should. There should only be 1 hop between client & DNS server. Ping doesn't tell the whole story.... :-)

 

Hope this helps,

~John
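Gavin's question about which rules DNS traffic matches in Firewall->History, and John's point that a request can be passed at the remote site while the reply is never allowed back out of HQ, both come down to correlating UDP/53 flow records from the two firewalls. The following is an added example (not from the thread and not a Barracuda tool): it works on a constructed, simplified record format, not the real NG history export, and the IPs and rule names are made up.

```python
"""Correlate UDP/53 flow records from two firewalls to spot one-way DNS.

Added example; the record tuple format below is constructed for this
illustration and is NOT the Barracuda NG Firewall history format.
Each record: (firewall, action, rule, src, sport, dst, dport)
"""

# Constructed sample: DC at HQ is 10.10.0.5, remote-site clients are 10.20.0.x
REMOTE_SITE = [
    ("remote", "PASS", "VPN-TO-HQ", "10.20.0.15", 51234, "10.10.0.5", 53),
    ("remote", "PASS", "VPN-TO-HQ", "10.20.0.16", 51235, "10.10.0.5", 53),
    ("remote", "BLOCK", "LOCAL-RESOLVER", "10.20.0.17", 51236, "10.10.0.5", 53),
    ("remote", "PASS", "VPN-TO-HQ", "10.20.0.18", 51237, "10.10.0.5", 53),
]
HQ_SITE = [
    ("hq", "PASS", "VPN-FROM-REMOTE", "10.20.0.15", 51234, "10.10.0.5", 53),
    ("hq", "PASS", "DNS-REPLY", "10.10.0.5", 53, "10.20.0.15", 51234),
    ("hq", "PASS", "VPN-FROM-REMOTE", "10.20.0.16", 51235, "10.10.0.5", 53),
    # 10.20.0.16: request passed at HQ, but no reply flow was ever passed
    # 10.20.0.18: request left the remote site but HQ never passed it
]


def flow_key(rec):
    """Five-tuple minus protocol: (src, sport, dst, dport)."""
    _fw, _action, _rule, src, sport, dst, dport = rec
    return (src, sport, dst, dport)


def diagnose(remote_records, hq_records):
    """Map each remote client that sent a DNS query to a diagnosis string."""
    hq_pass = {flow_key(r) for r in hq_records if r[1] == "PASS"}
    findings = {}
    for rec in remote_records:
        _fw, action, rule, src, sport, dst, dport = rec
        if dport != 53:
            continue  # only DNS queries are of interest here
        forward = (src, sport, dst, dport)
        reverse = (dst, dport, src, sport)
        if action != "PASS":
            findings[src] = f"blocked at remote site by rule {rule}"
        elif forward not in hq_pass:
            findings[src] = "request never passed at HQ (no inbound pass rule)"
        elif reverse not in hq_pass:
            findings[src] = "request passed at HQ but no reply flow passed (no reciprocating rule)"
        else:
            findings[src] = "ok"
    return findings
```

On a real deployment you would feed this from exported history entries for both boxes and look for every client that is not "ok".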



#7 Ivar Refsdal

Ivar Refsdal
  • Members
  • 5 posts

Posted 24 August 2016 - 01:39 AM

Thanks a lot guys. I'll try these things out.

 

 

A little update here:
I got my original setup to work, but I had to disable the rule called "LOCALDNSCACHE".
All my clients at the new site now use the DNS servers at the primary site.
I see Chad's and Gavin's point: there will be a lot of unnecessary DNS traffic through the VPN here, so I have also been looking at the split DNS option. Haven't figured out how to set that up yet.
Any hints on that will be appreciated :)
 



#8 IT Director

IT Director
  • Members
  • 5 posts

Posted 12 September 2016 - 03:54 PM

Will you have a DC (or other server) at the remote site that can take a DNS role, or is the remote site serverless?



#9 Chad Hicks

Chad Hicks
  • Members
  • 48 posts

Posted 20 September 2016 - 01:56 PM

You'll want to add the DNS Module to the "New Site" box for Split DNS. This way only domain traffic will route over the VPN tunnel, while regular internet traffic routes over the commodity ISP link. If you're not familiar with DNS I recommend submitting a support case with Barracuda.

This is definitely the way to go. I have personally used this method, and it works beautifully.



#10 Robert Czymoch

Robert Czymoch
  • Members
  • 59 posts

Posted 16 January 2017 - 04:58 PM

In a Site to Site VPN tunnel all you need to do is make sure you have a Firewall policy that allows DNS across the tunnel. After that it's a routing issue.

 

We have over 15 TINA tunnels between sites (site to site VPN) and we have never had to do anything with split DNS, which is only an issue for client to site VPNs. AD Sites and Services is set up correctly and so are the subnets.