For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Jason_Wilson_13's avatar
Jason_Wilson_13
Icon for Nimbostratus rankNimbostratus
Nov 20, 2013

Unable resolve internal DNS queries when using iOS and a split tunnel through APM

Hi All,   Am setting up APM for use as a SSL VPN for various different client systems. In general things are working well.   Do have a problem with iOS devices and DNS though. If I use a Full t...
BIG-IP Access Policy Manager (APM)
deployment
dns
security
ssl-vpn
kehu_136870's avatar
kehu_136870
Icon for Nimbostratus rankNimbostratus
Nov 20, 2013

Hi,

 

I have tried to figure out how DNS query works with Network Access setup/VPN tunnels for different devices as well.

 

  • have you specified DNS address space which would specify which DNS calls to send to your internal DNS server?
  • Is the DNS servers themselves included in the DNS address space (may not be necessary)?
  • have you specified the DNS servers in the IP address space to force traffic to the DNS servers through the tunnel?
  • if you have an ACL, you must open for DNS traffic as well.

Ideally, I would like to be able to limit which DNS entries are available to the client to avoid exposing the whole internal DNS structure - for all types of clients.

 

It may seem that different clients may not support certain functionality, such as Static DNS & DNS relay proxy (Windows only? - at least not Android). It also seems that specifying DNS address space may not be a secure way of limiting DNS mapping of internal DNS structure - for instance it seems to be able to resolve all reverse DNS lookups, allow zone transfers, packet sniffing DNS, not work for different OS, etc...

 

... and I may have misunderstod elements of this...

 

kenT