Meraki

Community

Split DNS

USMC92
Getting noticed
‎Jan 31 2019 12:15 PM
‎Jan 31 2019 12:15 PM

Split DNS

Hola Meraki Community!

 

I'm upgrading a remote site from a Barracuda firewall to an MX64.  Now, this site currently has a "DNS Service" install on the Barracuda to split DNS.  This remote site has it's PCs domain joined (hence the current setup).  On the MX how am I able to do this (if necessary) to have normal internet requests go through ISP DNS, and only AD requests through the VPN tunnel?

0 Kudos
10 Replies 10
jdsilva
Kind of a big deal
‎Jan 31 2019 12:34 PM
‎Jan 31 2019 12:34 PM

You can't do this on Meraki.

http://blog.brokennetwork.ca | @jdsilva
In response to jdsilva
USMC92
Getting noticed
‎Feb 1 2019 6:16 AM
‎Feb 1 2019 6:16 AM

What would be "best practice" then so users can authenticate?  I typically setup IPsec tunnels, but don't want ALL their traffic flowing through the VPN.

0 Kudos
In response to USMC92
NolanHerring
Kind of a big deal
‎Feb 1 2019 6:48 AM
‎Feb 1 2019 6:48 AM

You just need to do split-tunneling then on the MX
 
Internet traffic goes out local, and traffic destined for 'internal' will go over the VPN.
 
DNS that you provide that subnet with should be internal DNS only if you want to ensure internal sites resolve.
 
See example below
 
 
 
5555.jpg
Nolan Herring | nolanwifi.com
TwitterLinkedIn
0 Kudos
In response to NolanHerring
USMC92
Getting noticed
‎Feb 1 2019 6:54 AM
‎Feb 1 2019 6:54 AM

Thanks for the image.  My only issue here is our corporate firewall is not Meraki, it's Barracuda.  So when I select Spoke, I have no option of manually creating the hub.  Under Organization-Wide Settings I do have the Non Meraki Peer created.

0 Kudos
In response to USMC92
NolanHerring
Kind of a big deal
‎Feb 1 2019 7:39 AM
‎Feb 1 2019 7:39 AM

Here are some links that might help with what your trying to achieve. I've personally no experience with non-meraki VPN peers:

http://www.willette.works/merging-meraki-vpns/

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_between_MX_Applian...

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings

https://community.meraki.com/t5/Security-SD-WAN/s2s-vpn-between-Meraki-and-Non-Meraki/td-p/2487

Nolan Herring | nolanwifi.com
TwitterLinkedIn
0 Kudos
In response to jdsilva
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 1 2019 4:50 PM
‎Feb 1 2019 4:50 PM

@jdsilva is correct.  You should direct all your DNS requests to the AD servers.  The actual web browsing and the like will still go out the local circuit.

In response to PhilipDAth
USMC92
Getting noticed
‎Feb 4 2019 6:50 AM
‎Feb 4 2019 6:50 AM

So for the subnet that requires this, manually set the DNS to our AD Servers under the DHCP settings of that subnet, correct?

0 Kudos
In response to USMC92
NolanHerring
Kind of a big deal
‎Feb 4 2019 6:51 AM
‎Feb 4 2019 6:51 AM

Correct. If your MX is handling DHCP/DNS, then make sure you have your AD/internal servers placed there because it will go over the VPN and allow internal sites to resolve.

If you put one internal and one public, your going to have issues so don't do that
Nolan Herring | nolanwifi.com
TwitterLinkedIn
In response to NolanHerring
USMC92
Getting noticed
‎Feb 5 2019 1:01 PM
‎Feb 5 2019 1:01 PM

Thanks for all the help everyone!

0 Kudos
In response to USMC92
dutchaviator
Conversationalist
‎Jun 11 2019 10:16 AM
‎Jun 11 2019 10:16 AM

It's while back since last response here but this issue as well.

 

We have a hub in Amsterdam with internet breakout plus internal DNS servers which have forwarders to resolve public DNS.

Now we have a site in Santa Cruz, when they want to use internal server(customer.local) they use our configured internal server in Amsterdam. Same goes for public server.

now this client in Santa Cruz goes over to google hangout, then it gets IP adresses back from NL hosted google servers. The client is then having hangout with NL servers (including the latency penalty).

This is where I need to have split DNS: resolve for .local domain's on my own servers, and the rest using the local internet breakout.

Still not supported?

0 Kudos
li.common.scroll-to.top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.