
VPN DNS problem

We have two businesses. Each runs a small network with DNS and various services (mail, MySQL, file storage etc.), some of which are available externally via a public IP address (e.g. mail services) and some are only available on the LAN or via VPN.


We use FQDN throughout the businesses, so when we are on the LAN, mail.company1.com will resolve to the local IP address, and when in the outside world mail.company1.com will resolve to the public IP address of the network.


filestore.company1.com also resolves to the same public IP address, and the router takes care of which server to send the request to. Some services like database.company1.com are only accessible on the LAN, for security reasons, but can be accessed via VPN.


So, I'm physically located at company 2, where filestore.company2.com resolves to the LAN IP address of filestore, and I also want to connect to a database in company 1.


I connect to company 1's VPN, so now I'm using company 1's DNS, and database.company1.com resolves correctly to the LAN IP address of the database server, so I can talk to it.


But. The VPN is set to highest priority in the network interface config, so when I now try to resolve filestore.company2.com, it's the DNS server at company 1 which gets asked, and it returns the public IP address of that FQDN rather than the local IP address. This means that the communication goes out to the world and comes back, rather than staying inside the network. This is effectively an incoming connection which, due to firewall configurations, might not work at all - meaning that as soon as we connect to the VPN, local services stop working.


If I change the network priority, so that ethernet is above VPN, I have the opposite problem. Now, local services at company 2 work fine, but if I try to connect to database.company1.com, the local DNS server returns the public IP address of company1, so instead of going through the VPN the connection goes out to the internet, and then gets blocked on the way back into company 1's network.


So what I need to figure out is a way of telling the client computer at company 2 that, when the VPN is connected, it should use company 1's DNS for lookups for company1.com, but use its default DNS for all other lookups.


I'm running various Mac Minis and MacBooks, on 10.12 and 10.13. DNS, DHCP and VPN services run on Mac Server 10.12 at one business and a Synology NAS at the other.


I hope this makes sense and that someone can help.


Thanks!

Mac mini, OS X Server

Posted on Oct 12, 2018 4:04 PM

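One way to get the per-domain behaviour asked for above on macOS, as an added example that is not from the thread: the system resolver (the one used by Finder, Mail and other apps) also consults files under /etc/resolver/, one per domain suffix, each naming the DNS servers to use for that suffix only. With Ethernet left above the VPN in the service order, company 2's DNS stays the default, and a file /etc/resolver/company1.com sends only company1.com queries to company 1's server across the tunnel. The script below generates and installs such a file; the resolver address 10.1.0.53 is constructed, and the RESOLVER_DIR override exists only so the functions can be exercised without root.

```shell
#!/bin/sh
# Split DNS on macOS via /etc/resolver/<domain> (added example, not the poster's setup).
# Assumptions (constructed): company1.com is served by 10.1.0.53, which is reachable
# only through the VPN tunnel. RESOLVER_DIR defaults to the real location and can be
# pointed at a scratch directory for testing.
RESOLVER_DIR="${RESOLVER_DIR:-/etc/resolver}"

# render_resolver DOMAIN NAMESERVER...  -> prints the file body for /etc/resolver/DOMAIN
render_resolver() {
    domain="$1"; shift
    printf '# split DNS: answer %s lookups from the remote site resolver over the VPN\n' "$domain"
    for ns in "$@"; do
        printf 'nameserver %s\n' "$ns"
    done
    # Lowest search_order wins when several resolvers match a name; keep this
    # entry ahead of the default (interface-supplied) resolver.
    printf 'search_order 1\n'
}

# install_resolver DOMAIN NAMESERVER...  -> writes the file, returns 0 on success
install_resolver() {
    domain="$1"
    mkdir -p "$RESOLVER_DIR" || return 1
    render_resolver "$@" > "$RESOLVER_DIR/$domain" || return 1
    chmod 644 "$RESOLVER_DIR/$domain"
}

# remove_resolver DOMAIN  -> deletes the per-domain file (e.g. when the VPN is retired)
remove_resolver() {
    rm -f "$RESOLVER_DIR/$1"
}

# count_resolvers DOMAIN  -> number of nameserver lines installed for DOMAIN (0 if none)
count_resolvers() {
    f="$RESOLVER_DIR/$1"
    if [ -f "$f" ]; then
        grep -c '^nameserver ' "$f" || true
    else
        echo 0
    fi
}

# Usage: sudo sh split-dns.sh company1.com 10.1.0.53 [10.1.0.54 ...]
if [ "$#" -ge 2 ]; then
    install_resolver "$@" && echo "installed $RESOLVER_DIR/$1"
fi
```

Two points to check after installing: `scutil --dns` should list a resolver entry scoped to company1.com, and `dscacheutil -q host -a name database.company1.com` should return the LAN address; `dig` and `nslookup` talk to a DNS server directly and ignore /etc/resolver, so they are not a valid test of this mechanism. The resolver address must also be routed through the tunnel, which is the VPN's routing configuration rather than anything DNS can fix.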


4 replies

Oct 14, 2018 10:59 AM in response to James Knight3

If you want to use private DNS with client-to-network and network-to-network VPN connections, you’re going to want to replicate the private DNS translations of both sites to both sites. Or maybe move these shared services to public IPv4 or IPv6 addresses. Or more completely merge the two networks, such as running one mail server with multiple virtual hosts configured.

Oct 15, 2018 2:48 PM in response to MrHoffman

Thanks for your suggestions.


Merging the two networks isn't really an option - these are two separate businesses and it's not just a question of mail services. They have their own databases and file stores and various other services which run locally but are occasionally accessed remotely - either from the other business or from the outside world.


The challenge is to ensure that, when the VPN is connected, all traffic to the remote location goes via the VPN, whilst also ensuring that all local traffic stays local.


I will keep playing with it.


Thanks again

Oct 15, 2018 5:35 PM in response to James Knight3

The businesses are already fundamentally linked if not merged, with that site-to-site link. Either that gets coordinated, or routing with that link will continue to cause “fun”. Mirroring internal DNS—setting up mutual secondaries for the other organizations’ private DNS translations—is a comparatively minor setup, though.
