Company DNS queries through SSL VPN tunnel from home?

USG_User
USG_User Posts: 369  Master Member
edited April 2021 in Security

Hi guys,

I'm a little unclear on something. I would like to use a server share that is located on the office server from home as well.

The SSL VPN tunnel works and I can connect from home to that company server share by using the server's IP address, e.g. \\192.168.21.234\data. But I would prefer to use the UNC path with the server's name instead, e.g. \\server1\data, without forcing the entire traffic through the tunnel.

The company's DNS server address is transmitted when the tunnel is established. All DNS queries from the ZyWALL tunnel are also allowed in the security policy control. And I'm also able to ping the DNS server at the office from home.

But at home I now have two DNS servers, one from the ISP and the other one from the SSL VPN (company). How can I set up the SSL VPN on the USG110 so that each VPN client uses the company's DNS server as second DNS if it cannot resolve the company server name via the ISP's DNS server?

All Replies

  • USG_User

I've figured out that DNS resolution for company shares through the SSL VPN tunnel works if the DNS suffix of our local company domain is added to the DNS settings of the VPN adapter in the Windows network adapter settings at home.

Is there a way to set the DNS suffix in the USG SSL VPN settings so that this suffix is set automatically on all client machines when connecting?

  • USG_User
    edited April 2020

In the meantime I've changed my server share mapping scripts so that I use the FQDN, like \\server1.company.local\share, instead of \\server1\share. This mapped server drive can be resolved through the tunnel. And because the DNS suffix "company.local" is already included, there is no need to define it in the DNS adapter settings at home.

Unfortunately, with these FQDN names used in server shares, our Word mail merge (serial letter) functions no longer work, since Word won't open linked mail merge files from untrusted locations. Maybe it thinks that these files originate from the Internet. Changes in the Word Trust Center didn't help either.

Now we are back to drive mappings with \\server1\data so that our mail merge letters at the office work again. But this means I have to set the DNS suffix "company.local" manually in the VPN adapter settings on each client computer.

  • Jeremylin
    edited April 2020

The scenario seems similar to this thread:

    https://businessforum.zyxel.com/discussion/comment/12847#Comment_12847

The DNS query priority is based on the interface metric, so try to make the VPN interface metric smaller than that of "Ethernet".

  • USG_User
    edited April 2020

    Hi Jeremylin,

Thanks for your reply. But it's not a problem to resolve the company names. This works now, either by mapping the shared drives by FQDN (e.g. \\server1.company.local\share) or by adding the domain suffix (company.local) to the advanced DNS settings of the Windows VPN network adapter. Both have been tested successfully. But the metric could nevertheless be interesting to shorten the response time of DNS queries. It seems that our company domain queries are first routed to the ISP and, when that fails, secondly routed through the tunnel to the other DNS server at the company. This always takes about 5-7 seconds the first time. Maybe it could be answered much faster if the DNS server at the company is asked first. I will give it a try.
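The two client-side settings discussed in this thread, a connection-specific DNS suffix on the VPN adapter so that \\server1\data resolves as server1.company.local, and a lower interface metric so that the company DNS server is asked before the ISP's, can be applied with a script on each client instead of by hand in the adapter dialog. The following PowerShell is an added example, not code from the thread or from Zyxel. The adapter name "SecuExtender", the company DNS server address 192.168.21.10 and the test host name server1 are assumptions (the thread only gives the file server 192.168.21.234); the optional NRPT rule at the end is a standard Windows feature not mentioned in the thread, shown because it sends only company.local queries through the tunnel regardless of interface metrics.

```powershell
# Added example (not from the thread): make short names such as \\server1\data
# resolve via the company DNS server through an SSL VPN tunnel on a Windows
# client, without routing all traffic through the tunnel.
# Assumed values (not stated in the thread): adapter name "SecuExtender",
# company DNS server 192.168.21.10, test host "server1".
# Run in an elevated PowerShell session while the VPN is connected.
param(
    [string]$VpnAdapterName = "SecuExtender",    # assumed; check with Get-NetAdapter
    [string]$DnsSuffix      = "company.local",
    [string]$CompanyDns     = "192.168.21.10",   # assumed; the thread does not give this IP
    [string]$TestHost       = "server1",
    [int]$VpnMetric         = 5,
    [switch]$UseNrpt
)

$ErrorActionPreference = "Stop"

$vpn = Get-NetAdapter -Name $VpnAdapterName
$idx = $vpn.ifIndex

# Show which DNS servers the tunnel pushed to this interface (should be the
# company DNS server); this is what the poster saw after connecting.
Get-DnsClientServerAddress -InterfaceIndex $idx -AddressFamily IPv4 |
    Format-Table InterfaceAlias, ServerAddresses

# 1. Connection-specific DNS suffix, the setting the poster entered by hand in the
#    adapter's advanced DNS settings. A short name like "server1" is then also
#    tried as "server1.company.local" against this interface's DNS servers.
Set-DnsClient -InterfaceIndex $idx -ConnectionSpecificSuffix $DnsSuffix `
    -RegisterThisConnectionsAddress $false

# 2. Interface metric: Windows orders DNS servers by the metric of the interface
#    they belong to, so give the VPN interface a lower (better) metric than the
#    LAN or Wi-Fi interface. Setting a value turns automatic metric off.
Set-NetIPInterface -InterfaceIndex $idx -AddressFamily IPv4 -InterfaceMetric $VpnMetric

# Sanity check: warn if any other connected interface still has an equal or
# lower metric, because then the ISP's DNS server may still be asked first.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.InterfaceIndex -ne $idx -and $_.ConnectionState -eq "Connected" } |
    ForEach-Object {
        if ($_.InterfaceMetric -le $VpnMetric) {
            Write-Warning ("{0} has metric {1} (VPN metric is {2}); ISP DNS may be tried first." `
                -f $_.InterfaceAlias, $_.InterfaceMetric, $VpnMetric)
        }
    }

# 3. Optional alternative that does not depend on metrics at all: a Name
#    Resolution Policy Table rule sends only *.company.local queries to the
#    company DNS server; everything else keeps using the ISP's resolver.
if ($UseNrpt) {
    Get-DnsClientNrptRule |
        Where-Object { $_.Namespace -eq ".$DnsSuffix" } |
        Remove-DnsClientNrptRule -Force
    Add-DnsClientNrptRule -Namespace ".$DnsSuffix" -NameServers $CompanyDns `
        -Comment "SSL VPN split DNS for $DnsSuffix"
}

# 4. Verify. Clear the cache first so the 5-7 second first-lookup delay the
#    poster mentions is visible if the order is still wrong.
Clear-DnsClientCache
$direct = Resolve-DnsName -Name "$TestHost.$DnsSuffix" -Type A -Server $CompanyDns
Write-Host ("Direct query to {0}: {1}" -f $CompanyDns, ($direct.IPAddress -join ", "))
$short = Measure-Command { $script:r = Resolve-DnsName -Name $TestHost -Type A }
Write-Host ("Short name '{0}' resolved to {1} in {2} ms" `
    -f $TestHost, ($script:r.IPAddress -join ", "), [int]$short.TotalMilliseconds)
```

If the direct query answers quickly but the short-name lookup still takes seconds, the suffix or metric change did not take effect; check `Get-DnsClient -InterfaceIndex` for the suffix and `Get-NetIPInterface` for the metrics. If the VPN client resets the adapter settings on every reconnect, the script has to be rerun, for example from a scheduled task triggered on network change.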
