Thanks for the link. I actually read through that document too but the problem is, I don't want to run a custom DNS service on the appliance itself. We'd have to manually manage the entries, which would be totally impractical in a domain environment, with hundreds of laptops that all use dynamic DNS updates. I just want the MX to forward the requests to our internal DNS servers.

Thanks and that was exactly my concern. In my mind, especially given Meraki devices are 100% cloud-managed, WAN interfaces should only ever be configured with external DNS addresses.

The biggest challenge with proxying DNS requests from the MX, where we must retain local resolution for the domain, is the following line in the guide:

• Proxy to upstream DNS
  Clients will send DNS requests to the LAN interface of the MX, which will then proxy those requests to the DNS server(s) configured for its primary Internet uplink.

Doing the above completely sidesteps any local resolution so the machine will effectively fall off the domain. If we were pure cloud and had no domain, this whole problem would go away.

To retain local DNS resolution for domain resources, configure your DHCP scopes to hand out your internal DNS servers directly to clients. This allows clients to resolve internal resources while still using public DNS for Internet-bound queries. 

Yes, we've always had DHCP hand out our internal DNS servers to clients and this works perfectly for normal use.

Our problem is that I cannot do DNS-based VPN tunnel exclusions on the MX devices, unless the client initially uses the MX to query DNS. Obviously, once our client has queried our internal DNS server, the actual internet traffic sails through the MX as IP addresses and ports, so it can't see the domain names or URLs. This means unless we put IP-based tunnel exclusions on the MX, which would be impossible to manage for our use case, all internet traffic hits the tunnel.

I suspect the fact that the MX can only do layer-4 inspection is why we have such a problem. Layer-7 would obviously mean the traffic's domain name / URL woudl be sniffed out and rules applied?

I suspect 

Also worth mentioning in case you are in this scenario.

If your client machines are running Cisco Secure Client with the Umbrella module, it is possible that your internal domains are configured within Umbrella as per Cisco Security

In this case, DNS queries for configured Internal Domains are sent locally, all other DNS queries are sent directly to the Umbrella resolvers - these queries will be encrypted by default and thus the local MX is not able to see within the packets. The solution we use here is to use the L3 outbound firewall rules on the local MX to block encrypted DNS from the clients to the Umbrella resolvers whilst also excluding the Umbrella resolvers from the VPN full tunnel. 
The client will fallback to sending unencrypted DNS queries to the Umbrella resolvers and the local MX will be able to observe the query and response for consideration of DNS-based VPN full-tunnel exclusion rules. 

@ShaunB93 This is an interesting setup too. We do indeed have internal domains excluded so while on our corporate network at all offices.

Sounds like because the Umbrella agent is enrypting any external queries, that's why they're not being captured and evaluated. And the only DNS queries hitting our internal DNS servers and purely for domain.local requests.

Next step is to try adding a DNS-based exclusion and then accessing the site from a device that has the Umbrella agent completely disabled. That way the DNS query will be unencrypted regardless of destination and my local resolver will be used for all queries. Which the MX should see.

@ShaunB93 Thanks for this abd apologies, had a decent break from work over Christmas and now catching up.

We do exclude internal domains (all .local) from Umbrella client queries so anything domain-based always hits the local DNS servers for resolution.

Your note about DNS queries for external domains is interesting and yes, those queries are obviously encrypted so the MX couldn't sniff out the DNS-to-IP mapping for DNS-based traffic exclusion.

So, for any offices where unencrypted DNS queries actually traverse the MX (which will be the case for all our satellite offices), to our local DNS server, any DNS-based exclusions should be evaluated and work?

I've just tested adding in a DNS-based exclusion to one website, checked that our local DNS (at another office) is resolving the query and then accessed the site but it doesn't work. When visiting the site, the connecting IP address still shows as our Secure Connect (static) WAN IP and not the local ISP (static) WAN IP on the MX.

Nice one - sounds good!

Also worth adding that if your machines have SWG agent enabled whilst on-net(in office) you also need to add the bypass to External Domains list in Umbrella otherwise, whilst the DNS query will go locally based on the local domain entry, the HTTP/S connection still still establish via the SWG via the agent

Good call. I'll add that as well. Funnily enough, we don't have the SWG agent enabled currently (future project when we start retiring client VPN) but it is enabled on mine as a test.

Thanks!

Gah. Even with SWG agent disabled I'm now seeing strange behaviour.

If I browse straight to the excluded site, the traffic goes via SecureConnect. No matter how many times I refresh, or how long I leave it, it's always egresses via SecureConnect.

If I then ping the site (or tracert, which also pings) I can see the traffic egressing the WAN interface and the website then updates and shows the WAN IP address.

It's almost as if some traffic, other than HTTP/HTTPS, needs to pass through before the exclusion kicks in.

If I then flush my DNS cache, the traffic reverts back to egressing the SecureConnect IP, until I ping the site. Then it's back to the local WAN IP.