Question

Locked

DNS routing issues when the DNS server is connected to 2 networks

By GreyIT ·
I have a DC in charge of 2 networks,
network A (192.168.1.0/24) and
network B (192.168.2.0/24)

Network A has Gateway A (192.168.1.254)
Network B has Gateway B (192.168.2.254)

The DC runs a DNS which resolves all IPs for our workstations. The DNS links up to OpenDNS.

We are a school, so network A is our administration net, and network B is our student net. The student network is filtered by OpenDNS, the admin net is unfiltered.

DNS requests from workstations in network A should be routed by the server to gateway A, requests from workstations in network B should go to gateway B. If they do not, OpenDNS will not properly filter.

Currently, the DNS server routes all requests through gateway A, regardless of whether the request came from network A or B.
Network A is unfiltered at OpenDNS, so they return correct results which then get sent to workstations in network B, who can then surf unfiltered.

How can I force the DNS server to route the requests based on what network the request came from?
Since the DNS listens on 2 IP addresses, one in each network, I assume it is possible somehow to send the requests back to the gateways of their respective networks.

I have tried setting static default routes for each network to their respective gateway, but that does not seem to do the trick.

This conversation is currently closed to new comments.

25 total posts (Page 2 of 3)   Prev   01 | 02 | 03   Next
| Thread display: Collapse - | Expand +

All Answers

Collapse -

I read it that he wants DNS packets to be returned

by CG IT In reply to One server

to the originating network and then be sent out that network's default gateway. That's routing.

Collapse -

yes

by GreyIT In reply to I read it that he wants D ...

@CG IT: yes, with the condition that the DNS server is a member of both originating networks.

Collapse -

while yes that's what you want, the answer really is no....

by CG IT In reply to yes

that's not how it works. and this goes back to what's contained in the headers of packets and how routers and switches use that information to determine what to do with the packets. Source and destination information. Switches can read source information [MAC addresses] and determine if the packet's destination is in it's table. if so, it knows what port to send it to, simple switching. In routing, the router looks at the source and destination address to determine if the packet is destine for the local network or not. If not destine for the local network, the router then uses it routing table to determine if there is a static route for the traffic, if not then it send the packet to the default gateway [next hop router]. Otherwise, if the router doesn't know what to do with the packet, it drops it.

So a packet created in one subnet destined for another subnet, is not sent back to the originating subnet because it's not a destination listed in the header field of the packet. Its a source address.

Collapse -

routing

by GreyIT In reply to while yes that's what you ...

I know, but the server has no default gateway. So I'm guessing he gets the appropriate "way out" from consulting his static routing tables and finding the default route with the lowest cost; since the defaults both cost the same, I'm guessing again that it's a random procedure on who's the lucky gateway.

So the only way out will be to use 2 DNS servers I guess.

Collapse -

you actually have 2 DNS servers available

by CG IT In reply to while yes that's what you ...

to use for answering queries if you have access to the Internet.

This applies to how computers are used, what they have to have access to, and the desgin of your network.

Since you mention this is a school and students use computers at the school, without really saying what that environment is, and what they do with them, I'll venture a guess.

School Lab network segment. If those lab computers need access to the internet, you use the IPS provided DNS servers. Queries for web sites are sent to the ISPs DNS servers.

Private network segment, you use the private DNS server to answer queries for local network resources. Then if that DNS server can't answer, it's forwarded to root hint servers.

So you do have 2 DNS servers to use to provide internet access to all users without having what I would classify as public computers, those students use, on a private network that must be secured from public access.

Collapse -

subnets

by GreyIT In reply to basic networking stuff...

True, it's a right mess.
No, the DNS queries do not have to pass through another subnet to get at the DNS server; the server is in both local subnets.
I need it to forward the queries via the same subnet from which it received them; so queries from subnet A should go through the default gateway specified in the RRAS for subnet A; queries from subnet B should go the the default gateway specified in the RRAS for subnet B.

The inconsistencies in returns from OpenDNS servers to our DNS server can be handled by lowering the TTLs, I assume, so that the DNS will have to query on each request. Not the most elegant way, but if I connect our workstations to DNS query the outside directly, they won't be able to resolve internal IPs.

Collapse -

almost forgot

by GreyIT In reply to subnets

Oh yes, and the RRAS has static default routes defined for both NICs, so the DNS server has a way to the outside world on both networks, depending on which NIC it uses.

Collapse -

worst case scenario

by GreyIT In reply to replies

Worst case scenario I'm assuming the proxy server will have to filter the connections even if the DNS queries pass via the other (non-proxied) gateway.

Putting up a secondary DNS server and making each serve its own subnet, would that be a solution?
They'd still have to be somehow synced for internal IPs though, I'm assuming that wouldnt be too much of an issue, seeing as to how each subnet would obviously have different IPs for each unit.

The only worry I have is that if I set up a second DNS (with a second DC I was planning to add for redundancy), they will sync their external IP lists as well as their internal ones, making the seperate filtering per subnet a moot point again.

Collapse -

Thinking out loud

by mafergus In reply to worst case scenario

Wouldn't the worst-case scenario be to totally isolate the networks to prevent the posibbility of students breaching the Teacher's data?

I may be missing something, but the issue is getting a secondary ip for recognitiion of the "different" filters for the students. Since the teachers aren't using any, it may be easier just to point them at the new DNS server and assign it a new external IP. OpenDNS only works based on the IP of the requesting server.

Assuming that the server is running active directory, you would want to make it another primary server.

Collapse -

To add to mafergus

by CG IT In reply to Thinking out loud

If you have students using computers in a computer lab, or any computer on the school premises that isn't school administrative comptuers, the network segment they are on, doesn't need to use the school administrative network and it's resources like DNS to reach the internet.

If anything you don't want a network segment that students or anyone else, has access to either physically or logically that can access the administration network either logically or hopefully physically.

you can accomplish this, depending upon the physical networking equipment you have, through routing and switching .

Lab computers go directly to the internet via the perimeter router on their own network segment. School administrative network is seperated by their respective network segment and if the admin is smart, their own internal firewall [router] behind the perimeter router.

Back to Networks Forum
25 total posts (Page 2 of 3)   Prev   01 | 02 | 03   Next

Related Discussions

Related Forums