DNS Result after connect Secure Client
Hi,
I have a problem with DNS name resolution. When I'm working at the office with AD DNS-A, names resolve correctly to a private IP, e.g. 192.168.1.100.
Once I connect from outside via Secure Client, I also get an IP and DNS-A <-- the same DNS that is used inside the office. But when resolving the same name, it returns the public IP that is registered on the DNS server, e.g. 203.155.111.20
I would like this name to resolve the same way as at the office, to 192.168.1.100 <-- do you have any idea how to check?
Note: I'm not really good with DNS and the Meraki firewall. Please kindly advise.
Labels: Client VPN, Firewall
Since you have the service published on the internet and the clients are accessing it via the DNS that is configured on their internet router.
The only way I can see is if you "force" the machine to use its internal DNS instead of the DNS that is configured on their router, or if you do not publish the service via the internet if that is a possibility.
Please, if this post was useful, leave your kudos and mark it as solved.
Hi Alemabrahao,
After connecting Cisco Secure Client, I tried to check with nslookup, which gets its DNS from Cisco Secure Client. I'm surprised that it returns the public IP address.
I'm not very sure how the same DNS that is used inside the office returns the public IP instead of the internal IP.
You can try configuring the split tunnel.
https://documentation.meraki.com/MX/Client_VPN/Configuring_Split_Tunnel_Client_VPN
Please, if this post was useful, leave your kudos and mark it as solved.
Have you configured the MX to give out the internal DNS server IP address to Secure Client users?
Hi PhilipDAth,
Our Secure Client gets a private IP and gets DNS from the internal server <-- inside the office.
When I check my connection while connected to Secure Client, I have 2 networks as below.
1. Cisco AnyConnect Virtual Miniport Adapter for Windows x64, IP 172.1.1.100, DNS server = DNS-A, e.g. 192.168.1.20
2. Intel(R) Wi-Fi 6 AX201 160MHz, IP 172.20.10.2, DNS 172.20.10.1
While connected to Cisco Secure Client, I tried using nslookup to resolve the name; all results from these 2 DNS servers point to the public IP address 203.155.111.20
I would like the name to resolve to the internal IP 192.168.1.100
Yes, in the Meraki/Client VPN/AnyConnect/ settings the DNS nameservers are already defined to point to our IP inside the office.
I confirm that while connected to the VPN, I get an IP inside the office, same as when working at the office. But the resolution that I get is different.
I also tried nslookup -debug server1.office.com; the log is different from when I run this command inside the office.
Are you connecting to an MX device or using Secure Connect? In Secure Connect, there's a feature called Split DNS which enables the client to use internal DNS servers for internal domains only and external DNS servers for any other domains, see here:
Cisco Secure Connect - DNS Troubleshooting - Cisco Meraki Documentation
When using split DNS, make sure all internal domains are included in the list.
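
The comparison discussed in the thread (the same nslookup run inside the office and over the VPN), as an added example that is not part of any post: it parses saved Windows nslookup output and reports which resolver answered, whether the answer is a private or public address, and whether it was authoritative. The capture labels and the sample output are constructed from the thread's example values; only IPv4 answers are handled.

```python
import ipaddress
import re

# Constructed sample captures (not real output from the thread's network).
CAPTURES = {
    "vpn-adapter": """Server:  UnKnown
Address:  192.168.1.20

Non-authoritative answer:
Name:    server1.office.com
Address:  203.155.111.20
""",
    "office-lan": """Server:  UnKnown
Address:  192.168.1.20

Name:    server1.office.com
Address:  192.168.1.100
""",
}

IP_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")

def parse_nslookup(text):
    """Return (resolver_ip, answer_ips, authoritative) for one nslookup run."""
    # Everything before "Name:" describes the resolver, the rest is the answer.
    head, _, tail = text.partition("Name:")
    resolver = IP_RE.search(head)
    answers = [ipaddress.ip_address(a) for a in IP_RE.findall(tail)]
    # nslookup prints this line when the reply did not come from a server
    # that is authoritative for the zone (cache or forwarder answer).
    authoritative = "Non-authoritative answer" not in head
    return (resolver.group(0) if resolver else None), answers, authoritative

def classify(text):
    resolver, answers, authoritative = parse_nslookup(text)
    if not answers:
        verdict = "no-answer"      # lookup failed or timed out
    elif all(a.is_private for a in answers):
        verdict = "internal"       # private address space only
    else:
        verdict = "public"         # at least one routable address
    return {"resolver": resolver, "answers": [str(a) for a in answers],
            "authoritative": authoritative, "verdict": verdict}

def compare(captures):
    """Classify each capture and flag whether the verdicts disagree."""
    results = {label: classify(text) for label, text in captures.items()}
    return results, len({r["verdict"] for r in results.values()}) > 1

if __name__ == "__main__":
    results, mismatch = compare(CAPTURES)
    for label, r in results.items():
        print(label, r)
    print("views differ:", mismatch)
```

If the same resolver address appears in both captures but the verdicts differ, compare the `authoritative` field next: it shows whether the server answered from its own zone in each case.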
