Hi,
I'm wondering if this is even possible... We use a Hub and spoke auto VPN Meraki configuration where the central hub(s) host all manner of services but also the central DNS servers for client/spoke Meraki sites as Azure VMs/DCs. All the corporate VLANs on the spoke sites are configured to use these name servers (2 x in main hub and 2 x for the DR hub - both Azure hosted).
In normal operation we want the corporate DNS to be used for these users (other VLANs for guest users and guest wi-fi have the Public/DNS option selected) but corporate users need to use the internal DNS as it has private DNS mappings for internal only services (and uses DNS forwarding/Azure DNS after that to onward resolve public Internet IPs it doesn't know about itself). This gives the corporate users full DNS resolution for internal/private URLs as well as the public Internet.
During the recent outage issues with Auto VPN (a Meraki central issue last week), this took down our primary SD-WAN tunnel to the master Hub, but failover/DR did not kick in for the backup as it was an external Meraki mapping issue... This meant corporate users could not connect to internal resources (via the Auto VPN), which is understandable, but they were equally then prevented from being able to access anything like cloud/local breakout services including Office 365/Teams etc., as they could not resolve hostnames via central DNS and the custom name servers (as the tunnel was down). This meant manual comms out to those who happened to be on the Guest Wi-Fi already, telling corporate users to switch across to that in the meantime until it was fixed (not very elegant).
Is there a way of configuring DNS in Meraki to protect against this scenario and have public DNS as a backup in the custom name servers for the corporate VLANs at the branch sites? I know they won't be able to resolve or connect to central private hostnames if ever this scenario happens again, but I think just adding the extra public DNS IPs to the end of the list of Custom Name Servers is a no-go for normal BAU operation (as Google DNS may answer first and fail to resolve internal hostnames for users). I read somewhere this can give the classic unpredictable service where it's invisible to the user why DNS lookups are failing sometimes and working other times.
Thanks.
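A small resolver probe for the scenario described in the post, added here as an example (it is not the poster's or Meraki's code). It queries each configured name server directly for an internal-only name and a public name and reports TIMEOUT (resolver unreachable, e.g. the tunnel is down), NXDOMAIN (a public resolver answering authoritatively that the internal name does not exist) or NOERROR with the A records, which is what makes a mixed private/public server list unpredictable; the resolver IPs and hostnames are placeholders to substitute.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Minimal DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode() for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def parse_response(data):
    """Return (status, [A records]): NOERROR, NODATA, NXDOMAIN or RCODEn."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    rcode = flags & 0x000F
    if rcode:
        return ("NXDOMAIN" if rcode == 3 else "RCODE%d" % rcode), []
    pos = 12
    for _ in range(qd):                      # skip the echoed question section
        while data[pos] != 0:
            pos += data[pos] + 1
        pos += 5                             # root label + qtype + qclass
    addrs = []
    for _ in range(an):
        if data[pos] & 0xC0 == 0xC0:         # compressed owner name (pointer)
            pos += 2
        else:                                # uncompressed owner name
            while data[pos] != 0:
                pos += data[pos] + 1
            pos += 1
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[pos:pos + 4]))
        pos += rdlen
    return ("NOERROR" if addrs else "NODATA"), addrs

def probe(server, name, timeout=2.0):
    """Query one resolver over UDP/53; TIMEOUT means it never answered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (server, 53))
            return parse_response(sock.recvfrom(512)[0])
        except socket.timeout:
            return "TIMEOUT", []

if __name__ == "__main__":  # placeholder IPs/names: substitute your own
    for server in ("10.0.0.10", "10.0.0.11", "8.8.8.8"):
        for name in ("intranet.corp.example", "www.example.com"):
            print(server, name, *probe(server, name))
```

Run it from a branch VLAN during normal operation and again when the tunnel is down; the internal servers should flip from NOERROR to TIMEOUT while the public server keeps answering NXDOMAIN for the internal name.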