I'm facing a frustrating issue with DNS resolution while using SSL VPN on our Sophos XGS firewall. When clients connect via VPN, they can only resolve names through LLMNR, while direct DNS queries fail to reach the DNS server located in a routed network. Strangely enough, using nslookup works perfectly fine. It seems like I'm able to ping CNAME entries, but regular host pings are failing. I've tried flushing DNS and confirmed that the DNS suffix is set correctly in ipconfig. The peculiar part is that manually adding the DNS server to the hosts file resolves the issue after a while. Any ideas on what's going wrong?
3 Answers
You bring up a good point. If nslookup is working while regular DNS queries aren't, it usually means your VPN client isn’t using the specified DNS server properly. You should check the IP configuration with 'ipconfig /all' while connected to the VPN and see what DNS server is assigned. Testing ping and nslookup directly against the domain controller's IP might also help. It's possible that the queries from your VPN pool aren't reaching the DC due to firewall or routing issues.
Yeah, DNS issues with split tunnel VPNs can be a real headache. It's often due to how the VPN distributes DNS settings to clients or the firewall limiting certain traffic. If nslookup is working but not regular pings, your resolver configuration on the client might be falling back to local DNS, which causes problems. Make sure the firewall rules allow DNS traffic for VPN clients. If you're finding this tedious, consider looking into platforms like Cato Networks or Palo Alto Prisma Access; they can help manage DNS and VPN together to avoid these cross-network issues.
Have you checked the DNS server settings in the SSL VPN global settings on your firewall? Sometimes, if those are misconfigured, it can lead to the issues you described. Also, look into the .ovpn file for the clients to see how the DNS settings are being applied. If there was an error before, just make sure your clients are pulling the correct configs after any updates. Good luck!
We do have two Active Directory Servers set as DNS in the global settings, and I thought those were the right ones to use. We also specify the domain suffix there.
I believe those settings are correct too, as they work for other subnets. Both DNS servers are within the routed subnets of the VPN.

I tried capturing packets with Wireshark today; I saw the DNS request from the client and the response, but the client is rejecting the connection with a 'Port unreachable' error.
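A direct check for the situation above, added here as an example and not code from the thread: a small Python script that queries a DNS server over UDP/53 the way nslookup does and classifies the outcome as an answer, a timeout, or an ICMP port unreachable hitting the socket. Running it from a VPN client against each server in the SSL VPN global settings separates "the server cannot be reached from the VPN pool" from "the OS resolver is not using the server". The server address and the name dc1.corp.example are placeholders, and the embedded reply is constructed so the parser can be exercised offline.

```python
import random, socket, struct

def build_query(name, txid=None):
    """Build a minimal DNS A/IN query with the RD flag set; returns (txid, packet)."""
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return txid, header + labels + b"\x00" + struct.pack(">HH", 1, 1)

def skip_name(data, pos):  # advance past a DNS name; a compression pointer (0xC0..) ends it
    while not data[pos] & 0xC0 and data[pos]:
        pos += data[pos] + 1
    return pos + (2 if data[pos] & 0xC0 else 1)

def parse_a_answers(txid, data):
    """Return the A-record IPs in a DNS reply; raise on txid mismatch or error RCODE."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != txid or flags & 0xF:
        raise ValueError(f"bad reply: txid {rid:#x} vs {txid:#x}, rcode {flags & 0xF}")
    pos = 12
    for _ in range(qd):
        pos = skip_name(data, pos) + 4  # skip qtype and qclass
    ips = []
    for _ in range(an):
        pos = skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return ips

def query_server(server, name, timeout=3.0):
    """Query one server directly over UDP/53 (what nslookup does) and classify the outcome."""
    txid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))         # connected socket so ICMP errors are reported
        try:
            s.send(pkt)
            return "ok", parse_a_answers(txid, s.recv(4096))
        except socket.timeout:          # no reply reached this socket in time; a reply that
            return "timeout", []        # arrives after close is answered with port unreachable
        except ConnectionError:         # ECONNREFUSED / WSAECONNRESET: unreachable received
            return "port-unreachable", []

# Constructed sample reply (not a capture): txid 0x1234, dc1.corp.example A 10.0.0.5
SAMPLE_TXID = 0x1234
SAMPLE_REPLY = (struct.pack(">HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0) + b"\x03dc1\x04corp\x07example\x00\x00\x01\x00\x01"
                + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([10, 0, 0, 5]))
```

Compare the result of query_server against what the OS resolver returns for the same name (for example via socket.getaddrinfo); an "ok" here alongside a failing system lookup points at the client's resolver configuration rather than at the path to the server.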