Meraki DHCP DNS caching

MXanderson
Here to help

Meraki DHCP DNS caching

The guest/Meraki DHCP SSID (10.0.0.0/8) is caching internal DNS entries. Laptops inside the LAN that are using the guest SSID that has the setting "clients being blocked from using LAN" are still trying to resolve DNS internal IP addresses.

 

I want these websites that do have internal DNS records to actually resolve externally to DNS on public addresses. I have tried ipconfig /flushdns, and have tried assigning content filtering to external DNS. I have also created a new SSID with the deny any Local LAN traffic turned on before it has the chance to cache internal DNS records.

 

Currently the only way I have found to fix the webpages that are trying to resolve internally is allow the internal DNS names and ports into the Layer 3 firewall rules on SSID settings. This is a tedious task for each webpage/DNS entry to put both 80/443. The other problem is larger external webpages like portal.office.com that resolve to Single sign on need alot of ports allowed through at the Layer 3 firewall rules. Is there an easier way to do this, and am I using the best method for not allowing guest network. Thanks in advance for the input.

 

Mike Anderson

8 REPLIES 8
NolanHerring
Kind of a big deal

I'm not seeing how the client on the guest can obtain anything internal if your blocking it. If you have DENY LOCAL LAN enabled, then they should not be getting anything internal at all.

What DNS is your AP pulling?

Do the laptops have any custom host files in place?
Nolan Herring | nolanwifi.com
TwitterLinkedIn

The DNS server is the default 10.128.128.128 from client perspective, but the website which is inside lan has private IP address. It should be resolving to the public IP externally but it's trying to resolve internal. There is not custom host file. 

>The DNS server is the default 10.128.128.128 from client perspective

 

That is what clients get - no need to change that.  That request goes to the AP.

 

Change the DNS servers being used by the AP to external DNS servers and the users DNS queries will also go externally (via AP DNS proxy).

I agree with you @PhilipDAth  , although I'm curious now that I'm thinking about it. Having never used the feature, but original poster mentioned that he :

 

and have tried assigning content filtering to external DNS

 

Would that achieve the same thing as having the DNS that the access points use?


Always thought it would but never validated it.

Nolan Herring | nolanwifi.com
TwitterLinkedIn

I changed the DNS to google servers for resolution on the AP lan interface. That did make the it so nslookup would see the external IP address for the sites I was trying. When I used web browser it would not resolve the websites though. 

Try incognito mode
Also do a traceroute to the site your trying to reach (try internal and external to see where each path goes). Its possible because its also available via a private IP that there is something down the path routing wise that is forcing traffic destined for that site to go a specific way.
Nolan Herring | nolanwifi.com
TwitterLinkedIn
jdsilva
Kind of a big deal

Hey @MXanderson ,

 

From the sounds of things you've outgrown the Meraki DHCP SSID use cases and you should consider transitioning to a Guest SSID that bridges into a Guest VLAN. If you're "big" enough, and savvy enough to be running your own internal DNS servers then I think you would benefit greatly from shifting your guest wifi solution to one more scalable and flexible. 

 

 

 

 

PhilipDAth
Kind of a big deal
Kind of a big deal

Change the DNS settings on your APs to using external public DNS servers instead of your internal DNS servers.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels