Making a MX device use internal DNS.

Solved
mrpackethead_
Here to help

Hi, is it possible to make an MX device use internal DNS servers that are reachable over the site-to-site VPN? I can easily make devices (APs, switches) do this, as they get DNS via DHCP.

Am I missing something very simple here?

Accepted Solution
PhilipDAth
Kind of a big deal

Others have given good answers. I'll add this link to how DNS is used by the MX for WAN link monitoring.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Connection_Monitoring_for_WAN_Failo...


6 Replies
ww
Kind of a big deal

It needs public DNS on the uplink for management because it needs to reach the cloud/dashboard to come online, and before the tunnels are built.

You can use any DNS you like on the VLANs.

sinelnyyk
Meraki Employee

Hi @mrpackethead_,
Unfortunately, it's not possible to configure the MX WAN interface to use a DNS server which is reachable over the site-to-site VPN from the MX. This is because the MX WAN interface doesn't participate in the VPN, and all traffic from the MX management interface will be sent directly to the WAN link, so you need to make sure that the server is reachable from the WAN interface. It doesn't necessarily mean that it has to be a public IP, though. If your MX is behind NAT and using an IP in a private range, you can use a DNS server that is in the private subnet as well.

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
GIdenJoe
Kind of a big deal

This would defeat the purpose of your uplink monitoring. Your MX needs to be able to reach external DNS servers to test DNS queries/responses so it can report whether the WAN uplink is up or down.

Why would you actually want the MX to use internal DNS anyway? The sites it tests for are quasi-hardcoded anyway.

mrpackethead_
Here to help

The 'why' is because of a bit of annoying technical debt. I have 802.1X auth occurring, and they need to be able to resolve the RADIUS servers' names. Unfortunately, for a "bunch of reasons" there is some split DNS, where the public DNS won't resolve to the correct addresses (this is because the public DNS is being used for some management of the RADIUS servers; turns out that's a bad idea, but that's how it is).

"The MX and Z-series devices use the Appliance LAN IP of the highest-numbered VLAN that is included in the VPN as the source address to reach the RADIUS server located on the other side of the VPN tunnel."

This suggests that even though this is coming from the 'management', it will go over the VPN. But the DNS request for the RADIUS servers is going to go out the WAN.

I think I'm going to have to fix that split-horizon DNS.

MX and Z-series Source IP for RADIUS Authentication - Cisco Meraki Documentation
