Mac DNS over VPN not working - other DNS over VPN works fine
Summary:
I have a new Mac Server running 10.6.2 set up with VPN and DNS services. Connecting to the VPN from an external network works fine, however:
I cannot:
o DNS query the Mac Server over the VPN
I can:
o ping the Mac Server over the VPN
o SSH into the Mac Server over the VPN
o DNS query the Mac Server from a local LAN client
o DNS query a different FreeBSD server on the same LAN as the Mac Server, over the VPN
--
Details:
Server:
Mac Pro w/ Mac OS X Server 10.6.2
VPN enabled, DNS enabled, firewall disabled
IP address: 192.168.100.64
Test client:
Mac OS X 10.6.2 on a different ISP
VPN IP address: 192.168.100.251
DNS Server automatically configured to 192.168.100.64
The client can login to the server over VPN successfully.
The client's LAN is in the 10.0.1.* range so there is no overlap with the VPN range.
ping 192.168.100.64 - OK
SSH 192.168.100.64 - OK
DNS query via 192.168.100.64 - times out every time.
I have tested DNS queries using a variety of methods - 'host', 'dig', Safari, etc. Same results for all.
Okay, but I have a FreeBSD server on the same network as the Mac Server. The FreeBSD server is running PowerDNS.
IP address: 192.168.100.60
Still connected through the Mac VPN (192.168.100.64). Let's try manually changing the client's DNS server setting to 192.168.100.60.
ping 192.168.100.60 - OK
SSH 192.168.100.60 - OK
DNS query via 192.168.100.60 - OK
Indeed, I can configure the Mac's VPN server to specify 192.168.100.60 as the DNS server and I have a completely working VPN.
However, this is no good because I am trying to migrate away from the FreeBSD server. The Mac server was supposed to be able to replace it for DNS.
I set the Mac DNS server log level to 'debug', and I can clearly see the DNS queries from the VPN clients hitting the server. It's just not getting back to them somehow. Yet the issue must not be with the DNS protocol itself, because querying the FreeBSD server works fine. Unless perhaps it is a difference in the way BIND and PowerDNS respond.
I have forwarded these ports on the server-side router:
500/udp
1701/udp
1723/tcp
4500/udp
The router is a Fortinet FortiGate 60. After some time on the phone with our complimentary 90 days of AppleCare, their only suggestion was to try replacing the router. Not only does this seem unlikely, I am reluctant to take down so many business-critical services in order to do it.
Any ideas would be much appreciated.
Mac mini, Mac OS X (10.6.2)
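The symptom above (query visible in the BIND debug log, no answer ever seen by the client, while PowerDNS on the same LAN answers fine) is consistent with the reply leaving the server in a form the client's resolver silently discards, which a stock resolver reports only as a timeout. The probe below is an added example, not code from the original post or from Apple or BIND. It sends a raw DNS query from an unconnected UDP socket and classifies whatever comes back: a reply whose source address differs from the address the query was sent to (the server answered from another interface or address), a reply with the wrong transaction ID, a non-response, or a real answer with its RCODE. A connected UDP socket, which is what most resolver libraries use, would drop the "unexpected-source" case before the application sees it. A TCP probe is included so the UDP path can be separated from the DNS service itself. The server addresses 192.168.100.64 and 192.168.100.60 and the query name are taken from the post; the hypothesis that the reply is coming back from an unexpected source is exactly that, an assumption to test from the VPN client, not a confirmed cause.

```python
import random
import socket
import struct

# Addresses as given in the post; replace with whatever the VPN client is actually using.
MAC_SERVER = "192.168.100.64"      # BIND on Mac OS X Server, times out over VPN
FREEBSD_SERVER = "192.168.100.60"  # PowerDNS, works over VPN

RCODES = {0: "ok", 1: "formerr", 2: "servfail", 3: "nxdomain", 4: "notimp", 5: "refused"}


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (A record by default, recursion desired).
    Returns (txid, wire_bytes) so the caller can match the reply."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # QDCOUNT=1, RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def check_reply(txid, data, sent_to, reply_from):
    """Classify a datagram that arrived on the probe socket.
    'unexpected-source' is the case a connected-socket resolver would never show you."""
    if len(data) < 12:
        return "short"
    rid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        return "txid-mismatch"
    if not flags & 0x8000:                # QR bit clear: this is a query, not a response
        return "not-a-response"
    if reply_from != sent_to:             # answer came from a different address than we asked
        return "unexpected-source"
    rcode = flags & 0x000F
    return RCODES.get(rcode, "rcode-%d" % rcode)


def probe_udp(server, name, timeout=3.0):
    """Send one UDP query and report what came back (or 'timeout').
    An unconnected socket is used deliberately so replies from any source are accepted."""
    txid, pkt = build_query(name)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(pkt, (server, 53))
        data, (src, _port) = s.recvfrom(4096)
    except socket.timeout:
        return "timeout"
    finally:
        s.close()
    return check_reply(txid, data, server, src)


def probe_tcp(server, name, timeout=3.0):
    """Same query over TCP (length-prefixed). If this works while UDP does not,
    the problem is in the UDP path (source address, fragmentation, stateful device), not in BIND's data."""
    txid, pkt = build_query(name)
    s = socket.create_connection((server, 53), timeout=timeout)
    try:
        s.sendall(struct.pack("!H", len(pkt)) + pkt)
        hdr = s.recv(2)
        if len(hdr) < 2:
            return "short"
        (length,) = struct.unpack("!H", hdr)
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    except socket.timeout:
        return "timeout"
    finally:
        s.close()
    return check_reply(txid, data, server, server)


if __name__ == "__main__":
    # Run this from the VPN client while connected; compare the two servers side by side.
    for srv in (MAC_SERVER, FREEBSD_SERVER):
        print(srv, "udp:", probe_udp(srv, "www.apple.com"), "tcp:", probe_tcp(srv, "www.apple.com"))
```

If the Mac server shows "unexpected-source" over UDP, the fix is on the server side: pin BIND's reply address to the interface the VPN clients reach (BIND's listen-on/query-source settings in named.conf), or make sure the VPN interface is not causing the reply to be routed out a different address. If UDP times out but TCP answers, look at the UDP path between the VPN endpoint and the client (fragmented or oversized replies, a stateful rule on the FortiGate) rather than at the DNS configuration.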