Internet Breakout using DNS entries

Rafaelcabrera
New here

We have a number of URLs included on internet breakouts in our MX devices.

The ones which are mostly AWS hosted services, the DNS URLs generally resolve to a CNAME and then to an IP address.

The IP addresses also appear to change dynamically from time to time.

Apparently the MX is not able to refresh its DNS cache in order to break out the new IP for that particular domain, therefore the traffic is sent through the VPN.

We have seen multiple instances where a URL domain is included in the breakout, but it is going through the SDWAN. We want these domains excluded from the VPN.

Does anyone have a similar issue? Was there any resolution?

Kevin_R
Meraki Employee

Hello Rafaelcabrera,

The way the DNS VPN exclusion rules operate is that the MX must see an unencrypted DNS response (using UDP port 53) back to a client device. The response does not necessarily need to go to a particular client; seeing a DNS response to any client is fine. The MX will then add this IP/hostname mapping to its cache for as long as the TTL specified in the DNS response. Once that expires the MX would need to see a new DNS response for the hostname, and if the IP has changed, the MX should record that new IP and break out the traffic appropriately. We have this information and caveats documented here: https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2...

This being said, Meraki support can check logging on the MX to make sure that mappings are correct, along with looking into packet captures to see what the returned TTLs in DNS query responses are. If you have not done so already, I would encourage you to open a support case so that support can look into logging and packet captures while the issue is happening for you.

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
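The behaviour Kevin describes, as an added Python model (example code, not Meraki's implementation): it parses a constructed DNS answer in which the queried name resolves via a CNAME to an A record, caches the address for that record's TTL, and routes a destination to the breakout only while the cached mapping is unexpired. Any address the MX never sees answered in the clear on UDP/53 (for example because clients resolve over DoH/DoT) is absent from the cache and stays on the VPN. Message layout, names, addresses and TTLs are all constructed for the example.

```python
import struct
# Constructed (not captured) response: app.example.com A -> CNAME edge.example.com (TTL 60) -> A 203.0.113.10 (TTL 30).
# Compression pointers inside it refer to: qname at offset 12, "example.com" at 16, CNAME rdata at 45.
RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"  # header: response, 1 question, 2 answers
    b"\x03app\x07example\x03com\x00\x00\x01\x00\x01"  # question: app.example.com A IN
    b"\xc0\x0c\x00\x05\x00\x01\x00\x00\x00\x3c\x00\x07\x04edge\xc0\x10"  # CNAME edge.example.com, TTL 60
    b"\xc0\x2d\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04\xcb\x00\x71\x0a"  # A 203.0.113.10, TTL 30
)

def read_name(msg, off):
    labels, end = [], None  # end: offset right after the name, fixed at the first pointer seen
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: remember where to resume, then jump
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        if length == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def parse_response(msg):
    """Return (queried name, [(owner, rtype, value, ttl), ...]) from the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off, qname, records = 12, None, []
    for _ in range(qdcount):
        qname, off = read_name(msg, off)
        off += 4  # skip qtype and qclass
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 5:  # CNAME: rdata is itself a (possibly compressed) name
            records.append((owner, "CNAME", read_name(msg, off)[0], ttl))
        elif rtype == 1:  # A: four address bytes
            records.append((owner, "A", ".".join(map(str, msg[off:off + 4])), ttl))
        off += rdlen
    return qname, records

def observe(cache, msg, now):
    """Hypothetical model of the reply: learn ip -> (hostname, expiry) from a plaintext DNS answer."""
    qname, records = parse_response(msg)
    for _, rtype, value, ttl in records:
        if rtype == "A":
            cache[value] = (qname, now + ttl)

def route(cache, dst_ip, now):
    entry = cache.get(dst_ip)  # "breakout" only while the learned mapping is within its TTL
    return "breakout" if entry and now < entry[1] else "vpn"
```

Once the 30-second TTL has passed, or when the service moves to an address that was never seen in a cleartext answer, `route` falls back to "vpn", which is the symptom described in the question.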
PhilipDAth
Kind of a big deal

Try blocking these two in content filtering (especially DoH and DoT). This should allow the MX to see DNS and will probably resolve the problem.

[Screenshot: PhilipDAth_0-1726868403708.png]
