Meraki DHCP DNS caching

New here

The guest/Meraki DHCP SSID (10.0.0.0/8) is caching internal DNS entries. Laptops inside the LAN that are using the guest SSID, which has the setting "clients being blocked from using LAN", are still resolving DNS names to internal IP addresses.

I want these websites that do have internal DNS records to actually resolve externally to DNS on public addresses. I have tried ipconfig /flushdns, and have tried assigning content filtering to external DNS. I have also created a new SSID with the deny any Local LAN traffic turned on before it has the chance to cache internal DNS records.

Currently the only way I have found to fix the webpages that are trying to resolve internally is to allow the internal DNS names and ports in the Layer 3 firewall rules in the SSID settings. This is a tedious task, since each webpage/DNS entry needs both 80 and 443. The other problem is that larger external webpages like portal.office.com that resolve to single sign-on need a lot of ports allowed through the Layer 3 firewall rules. Is there an easier way to do this, and am I using the best method for not allowing guest network access? Thanks in advance for the input.

Mike Anderson

8 REPLIES
Kind of a big deal

Re: Meraki DHCP DNS caching

I'm not seeing how the client on the guest can obtain anything internal if you're blocking it. If you have DENY LOCAL LAN enabled, then they should not be getting anything internal at all.

What DNS is your AP pulling?

Do the laptops have any custom host files in place?
Nolan Herring | nolanwifi.com
Kind of a big deal

Re: Meraki DHCP DNS caching

Hey @MXanderson ,

From the sounds of things you've outgrown the Meraki DHCP SSID use cases, and you should consider transitioning to a Guest SSID that bridges into a Guest VLAN. If you're "big" enough, and savvy enough, to be running your own internal DNS servers, then I think you would benefit greatly from shifting your guest wifi solution to one that is more scalable and flexible.

Kind of a big deal

Re: Meraki DHCP DNS caching

Change the DNS settings on your APs to use external public DNS servers instead of your internal DNS servers.

New here

Re: Meraki DHCP DNS caching

The DNS server is the default 10.128.128.128 from the client perspective, but the website, which is inside the LAN, has a private IP address. It should be resolving to the public IP externally, but it's trying to resolve internally. There is no custom hosts file.

Kind of a big deal

Re: Meraki DHCP DNS caching

>The DNS server is the default 10.128.128.128 from client perspective

That is what clients get - no need to change that. That request goes to the AP.

Change the DNS servers being used by the AP to external DNS servers and the users' DNS queries will also go externally (via the AP DNS proxy).
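To make the resolver-path check in this thread concrete: the script below is an added example written for this thread (not Meraki's code and not any poster's), using only the Python standard library. It sends the same A query directly to two resolvers, for example the AP proxy address 10.128.128.128 that clients receive and a public resolver, and flags any answer that falls inside the RFC 1918 ranges. A private answer coming back over the guest path means that SSID is still resolving through internal DNS. The hostname, the resolver addresses and the constructed sample response used for the offline run are assumptions for illustration.

```python
"""Compare what two DNS resolvers answer for a hostname and flag private answers.

Added example for this thread, not Meraki or poster code. Standard library only.
Hostname, resolver addresses and the sample response are constructed/assumed.
"""
import ipaddress
import random
import socket
import struct

# RFC 1918 ranges; the thread's guest SSID and internal LAN both live in 10.0.0.0/8.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_query(hostname: str, txid: int) -> bytes:
    """Build a plain DNS A/IN query: 12-byte header (RD=1, QDCOUNT=1) + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in hostname.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(msg: bytes, txid: int) -> list:
    """Extract the IPv4 addresses from the answer section of a DNS response."""
    rid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    offset = 12
    for _ in range(qdcount):                      # skip the echoed question(s)
        offset = _skip_name(msg, offset) + 4
    answers = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return answers


def is_rfc1918(address: str) -> bool:
    """True when the address is in one of the private RFC 1918 ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918)


def classify(addresses: list) -> dict:
    """Map each answer to True when it is an internal (RFC 1918) address."""
    return {a: is_rfc1918(a) for a in addresses}


def resolve_via(hostname: str, resolver: str, port: int = 53, timeout: float = 2.0) -> list:
    """Send the query straight to one resolver over UDP and return its A answers."""
    txid = random.randrange(0x10000)
    query = build_query(hostname, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, port))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def sample_response(query: bytes, addresses: list) -> bytes:
    """Constructed response to `query` for offline demonstration only: echoes the
    transaction id and question, then one A record per address, each naming the
    owner via a compression pointer (0xC00C) back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
                       for a in addresses)
    return header + query[12:] + answers


if __name__ == "__main__":
    # Offline run with a constructed answer; swap in resolve_via(...) on a live network.
    name = "intranet.example.com"                 # assumed hostname
    q = build_query(name, 0x1234)
    for resolver, reply in (("10.128.128.128", ["10.20.30.40"]),       # assumed AP proxy path
                            ("203.0.113.53", ["203.0.113.5"])):        # assumed public resolver
        verdict = classify(parse_a_records(sample_response(q, reply), 0x1234))
        print(resolver, verdict, "INTERNAL ANSWER" if any(verdict.values()) else "ok")
```

Because the script talks to each resolver directly over UDP, it bypasses the client's stub-resolver cache and the browser's own cache, which is why its result can disagree with what a browser shows until those caches are cleared.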

Kind of a big deal

Re: Meraki DHCP DNS caching

I agree with you @PhilipDAth, although I'm curious now that I'm thinking about it. I've never used the feature, but the original poster mentioned that he:

> have tried assigning content filtering to external DNS

Would that achieve the same thing as changing the DNS that the access points use?


Always thought it would but never validated it.

Nolan Herring | nolanwifi.com
New here

Re: Meraki DHCP DNS caching

I changed the DNS to Google servers for resolution on the AP LAN interface. That made it so nslookup would see the external IP address for the sites I was trying. When I used a web browser it would not resolve the websites though.

Kind of a big deal

Re: Meraki DHCP DNS caching

Try incognito mode.
Also do a traceroute to the site you're trying to reach (try internal and external to see where each path goes). It's possible, because it's also available via a private IP, that there is something down the path routing-wise that is forcing traffic destined for that site to go a specific way.
Nolan Herring | nolanwifi.com