Logon/DNS Question

  • Question

  • Hi

    We have a few branch offices, and I have created VPN tunnels between the firewalls in each branch office and our head office firewall. There are only a couple of PCs and laptops in each of the remote offices, so they do not warrant their own server. Each office has its own internet connection.

    At the moment I have the PCs and laptops configured to use the DNS server at our head office so that they are authenticated at logon. The problem is that all their subsequent DNS requests, i.e. for internet access, go through the VPN tunnel to the DNS server at head office. I would like the DNS requests for internet pages to be resolved locally by their own firewall, which provides the internet access. If I set the PCs and laptops to use the firewall as the DNS server they can obviously get internet pages, but they are then not authenticated at logon, and this causes issues when accessing resources in our domain.

    Is there any way this can be done?

    Thanks

    Thursday, August 12, 2010 1:09 PM

Answers

  • The primary DNS server configured on the DNS clients is the first DNS server that will be contacted for DNS resolution:

    1. If you use the DNS server in the branch office, it will be used for local authentication and internet access.

    2. If you use the firewall, you will have a problem with local authentication because conditional forwarders are not configured.

    The only solution for your problem is to have conditional forwarders configured on the firewall. The feasibility of such a configuration depends on the firewall used.

    Best regards.

    Thursday, August 12, 2010 2:51 PM
  • Hi Powerade,

    Thanks for posting here.

    You may like to verify whether the firewall supports a conditional forwarding feature. If so, you can forward queries for your company domain name to the HQ office DNS, and all clients in the branch office can use the firewall as their DNS server.

    Another option is a little more complex. Disable DNS forwarding and root hints on your HQ DNS server, and deploy a new DNS server which is only in charge of internet queries for HQ computers. Set the primary DNS entry to the HQ internal DNS server address and the firewall address as the secondary DNS server for clients in the branch office.

    Hope that's helpful

    Tiger Li

    Friday, August 13, 2010 5:21 AM
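Both answers above come down to the same mechanism: a resolver at the branch that forwards only the Active Directory domain's zone to head office over the tunnel and resolves everything else through the local internet connection. The following is an added example, not code from either reply, showing that configuration with the Windows DnsServer PowerShell module (for the case where the firewall cannot do conditional forwarding and a small Windows DNS server is placed at the branch instead) plus the checks a branch client should pass afterwards. All names and addresses are placeholders chosen for the example: the AD domain `corp.example.com`, HQ DNS servers `10.0.0.10` and `10.0.0.11`, a branch resolver at `192.168.10.1`, and Windows Server 2012 or later for the cmdlets.

```powershell
# Added example for this thread, not the firewall vendor's or Microsoft's own procedure.
# Assumptions (placeholders): AD domain corp.example.com; HQ DNS/DCs 10.0.0.10 and 10.0.0.11
# reachable over the VPN; the branch resolver (Windows DNS role or the firewall) is 192.168.10.1.

$Domain        = 'corp.example.com'
$HqDns         = @('10.0.0.10', '10.0.0.11')
$LocalResolver = '192.168.10.1'

# --- 1. On the branch DNS server: conditional forwarder for the AD zone only ----------------
# Queries for corp.example.com (including the DC locator SRV records under
# _msdcs.corp.example.com, which the HQ DNS servers host) are sent to HQ over the tunnel.
# Every other name follows the server's normal path (forwarders or root hints), so internet
# lookups never cross the VPN.
Add-DnsServerConditionalForwarderZone -Name $Domain -MasterServers $HqDns -ForwarderTimeout 5

# Equivalent on Server 2003/2008 without the module (run in an elevated prompt):
#   dnscmd . /ZoneAdd corp.example.com /Forwarder 10.0.0.10 10.0.0.11

# Confirm only the AD zone is forwarded and see where it points.
Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Forwarder' } |
    Select-Object ZoneName, MasterServers

# --- 2. On each branch PC: use the local resolver, not HQ, as the only DNS server ------------
# Keep HQ out of the client's DNS list entirely; split resolution happens on the resolver,
# not by ordering primary/secondary servers on the client.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $LocalResolver

# --- 3. Checks from a branch client -----------------------------------------------------------
# a) Domain logon needs the DC locator record; it must resolve through the local resolver.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $LocalResolver

# b) A public name must also resolve through the local resolver (watch the tunnel with a
#    capture or the firewall's logs: no UDP/TCP 53 traffic to HQ should appear for it).
Resolve-DnsName -Name 'www.microsoft.com' -Type A -Server $LocalResolver

# c) End-to-end: the DC locator should find a head-office DC via the forwarded zone.
nltest /dsgetdc:$Domain /force
```

Two things to verify alongside this: the VPN policy and the head-office firewall must permit UDP and TCP port 53 from the branch resolver to the HQ DNS servers (not just from the client subnet), and the branch resolver must be allowed to reach the internet for everything else, otherwise check 3b fails while 3a succeeds.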

All replies

  • Thanks, guys.

    Sounds like the firewall conditional forwarder is the way forward then.

    Thanks again

    Friday, August 13, 2010 8:37 AM
  • You are welcome. Please mark as helpful, and as the answer, the replies that helped you solve your problem.

    Best regards.

    Friday, August 13, 2010 3:32 PM