DNS Result after connect Secure Client

simpson
Here to help

Hi,

I have a problem with DNS name resolution. While I'm working at the office with AD DNS-A, names resolve correctly to a private IP, e.g. 192.168.1.100.

Once I connect from outside via Secure Client, I also get an IP and DNS-A <-- the same DNS that is used inside the office. But when resolving the same name, it returns the public IP that is registered on the DNS server, e.g. 203.155.111.20.

I would like this name to resolve the same way as at the office, giving 192.168.1.100 <-- do you have any idea how to check?

Note: I'm not really good with DNS and the Meraki firewall. Please kindly advise.

alemabrahao
Kind of a big deal

You have the service published on the internet, and the clients are accessing it via the DNS that is configured on their internet router.

The only way I can see is if you "force" the machine to use its internal DNS instead of the DNS that is configured on their router, or if you do not publish the service via the internet if that is a possibility.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
simpson
Here to help

Hi Alemabrahao,

After connecting Cisco Secure Client, I checked with nslookup against the DNS that I get from Cisco Secure Client, and I'm surprised that it returns the public IP address.

I'm not sure how the same DNS that is used inside the office returns the public IP instead of the internal IP.


alemabrahao
Kind of a big deal

You can try configuring the split tunnel.

 

https://documentation.meraki.com/MX/Client_VPN/Configuring_Split_Tunnel_Client_VPN
PhilipDAth
Kind of a big deal

Have you configured the MX to give out the internal DNS server IP address to Secure Client users?

simpson
Here to help

Hi PhilipDAth,

Our Secure Client gets a private IP and gets DNS from the internal server <-- inside the office.

As I checked my connection while connected to Secure Client, I have 2 networks as below.
1. Cisco AnyConnect Virtual Miniport Adapter for Windows x64, IP 172.1.1.100, DNS server = DNS-A, e.g. 192.168.1.20

2. Intel(R) Wi-Fi 6 AX201 160MHz, IP 172.20.10.2, DNS 172.20.10.1

While connected to Cisco Secure Client, I tried nslookup to resolve the name; the results from both of these DNS servers point to the public IP address 203.155.111.20.

I would like the name to resolve to the internal IP 192.168.1.100.

simpson
Here to help

Yes, in the Meraki/Client VPN/AnyConnect settings, the DNS nameservers are already defined to point to our IP inside the office.
I confirm that while connected to the VPN, I get an IP inside the office, the same as when working at the office. But the resolution I get is different.

I also tried nslookup -debug server1.office.com; the log is different from when I run this command inside the office.

tmichel
Conversationalist

Are you connecting to an MX device or using Secure Connect? In Secure Connect, there's a feature called Split DNS which enables the client to use internal DNS servers for internal domains only and external DNS servers for any other domains, see here:

Cisco Secure Connect - DNS Troubleshooting - Cisco Meraki Documentation

When using split DNS, make sure all internal domains are included in the list.
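
A way to check the split-DNS advice above against what nslookup returned while the VPN was up; this is an added example, not part of any post in the thread or Cisco's own code. It assumes split-DNS entries match a domain and its subdomains on whole labels, and the hostnames `files.office.com` and `app.notoffice.com` are constructed sample data alongside the example addresses quoted in the thread.

```python
import ipaddress

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def covered_by_split_dns(name, split_domains):
    """True if name equals a listed domain or is a subdomain of one.
    Matching is on whole labels (assumption), so 'notoffice.com'
    is not treated as part of 'office.com'."""
    n = normalize(name)
    for d in map(normalize, split_domains):
        if d and (n == d or n.endswith("." + d)):
            return True
    return False

def audit(observed, split_domains):
    """observed maps an internal hostname to the address returned while
    the VPN is connected. Returns hostname -> finding."""
    findings = {}
    for name, addr in observed.items():
        private = ipaddress.ip_address(addr).is_private
        if not covered_by_split_dns(name, split_domains):
            findings[name] = "not in split-DNS list: query goes to the external resolver"
        elif private:
            findings[name] = "ok: internal resolver returned a private address"
        else:
            findings[name] = "in list but public answer: check the internal server's record"
    return findings

# Constructed sample data; addresses are the example values from the thread.
SPLIT_DOMAINS = ["office.com"]
OBSERVED = {
    "server1.office.com": "203.155.111.20",
    "files.office.com.": "192.168.1.100",
    "app.notoffice.com": "203.155.111.20",
}

if __name__ == "__main__":
    for host, finding in audit(OBSERVED, SPLIT_DOMAINS).items():
        print(f"{host:22} {finding}")
```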
