2

We have a new site in tampa (we're based in buffalo NY) and everything works well except for the DNS name resolution. Everything goes over the IPSEC VPN back to our site for services like AD and DNS.

I had a look at the dns config, and I believe this to be the problem. There really isnt a wan zone configured, everything goes out the vpn zone. but yet, the dns is configured for WAN (I didn't set this up btw).

DNS Config So obviously if the wan zone isnt used, we can't use it for dns. Those IPs are for the ISPs dns servers, but they can't be pinged from the sonicwall, so it's obviously part of the issue.

My first thought is to reconfigure using the top radio button to specify dns servers manually, but I really don't want to mess anything up here, and fear that maybe there's just a rule missing instead. This config was basically copied from our other site in FL, but obviously something needs to be reconfigured.

This sonicwall is in an office building where our edge leads to other building network topology, so that might add to the complication. This is the reason all traffic comes over our vpn.

I mostly am looking for some guidance so I don't break it and make the site inaccessible. Thank you ahead of time.

EDIT- here is the DHCP configuration. Interface x0 is the local LAN network. w0:V5 is the vpn connection back to our office in NY. The hosts on the network (BonitaDell) can browse the internet, but cannot be accessed from out Buffalo Office by hostname, only by IP. In the second screenshot, the IPs configured there are correct for our DNS servers in NY- those are the correct DNS servers clients on the FL LAN should be using. Any ideas?

DHCP_SETTINGS

DHCP_CLIENT_SETTINGS

boog
  • 220
  • 3
  • 11
  • Please let me know if there's anything else that would be helpful for you all to see. – boog Jun 04 '20 at 18:33

2 Answers2

1

The settings you show us is the DNS settings of the sonicwall itself, for it's use, not for the DHCP setting the Sonicwall publish to your LAN computer.

It use it when in example an IP scan you, you can see the reverse DNS on the entry, and for the Service section of the Sonicwall, like Gateway antivirus and such where the Sonicwall get signature upstream from Sonicwall servers.

The idea there is that the Sonicwall can have like 10 subnet behind him, and each zone DHCP can handle the DNS's query on their wanted server you define, but your sonic itself need a DNS for reporting.

The settings you don't show us is your DHCP Server section, in that section you can tell if the client computer get those DNS, or get other DNS that you set for the correct server. It's where I think you have a error.

See there for an example:

DHCP Server setting : enter image description here

If you click the edit button, you see the DNS's settings you give to your computers there; enter image description here

Make sure into that screen that you define it manually to what you need. As you can see you can define any set of DNS server to any zone you have, and make sure you set the domain name too inside that windows. It will set the FQDN correctly for your computer

yagmoth555
  • 16,758
  • 4
  • 29
  • 50
  • Fellow MTG player?, thank you for that insight. Please refer back to my original post towards the bottom where I added an EDIT with the information you requested. – boog Jun 04 '20 at 19:00
  • @boog hehe, you are one of the first that remarked my nickname :) Yes it was based off that cards at first, https://img.scryfall.com/cards/large/front/0/4/04bbd231-0d5f-4cbf-92a7-10d2c5c4b82c.jpg?1562895987. Used to start playing when it was still the fourth edition from memory. Thanks for the edit btw – yagmoth555 Jun 04 '20 at 19:07
  • @boog As I see it, your local LAN is used for the BonitaDell, and you have a site-to-site VPN ? As such your VPN DHCP scoop there IMO is not used. If 192.168.1.254 is in Buffalo, make sure your firewall got a LAN -> VPN rule that allow the DNS port, so your computers would register themself into the DNS in NY – yagmoth555 Jun 04 '20 at 19:38
  • Thanks so much for that insight, I will make sure that rule exists. – boog Jun 05 '20 at 12:45
  • Antiquities! now that's an old school set, btw – boog Jun 05 '20 at 12:45
0

The solution was:

Add a rule From LAN to VPN to allow all. Change DNS settings to manually utilize our internal dns servers (rather than automatically from WAN).

boog
  • 220
  • 3
  • 11