Forum Discussion

Jason_Wilson_13
Nov 20, 2013

Unable to resolve internal DNS queries when using iOS and a split tunnel through APM

Hi All,

I am setting up APM for use as an SSL VPN for various different client systems. In general things are working well.

I do have a problem with iOS devices and DNS though. If I use a full tunnel (i.e. don't allow split tunnels) then resolution of internal DNS names works fine. But when I change to allow a split tunnel (so that the users can access other Internet resources), DNS requests don't seem to come in through the tunnel at all.

If I do a tcpdump on the F5 I don't see any DNS requests at all - hence internal addresses won't resolve. I am guessing that it is using the carrier's DNS servers instead of the ones I have specified?

Is there a known way to resolve this? Is this a general iOS limitation or a limitation (or misconfiguration) of the VPN on the F5?

Jason

  • Hi,

    I have tried to figure out how DNS queries work with Network Access setup/VPN tunnels for different devices as well.

    • Have you specified a DNS address space, which would specify which DNS calls to send to your internal DNS server?
    • Are the DNS servers themselves included in the DNS address space (may not be necessary)?
    • Have you specified the DNS servers in the IP address space to force traffic to the DNS servers through the tunnel?
    • If you have an ACL, you must open it for DNS traffic as well.

    Ideally, I would like to be able to limit which DNS entries are available to the client to avoid exposing the whole internal DNS structure - for all types of clients.

    It may seem that different clients may not support certain functionality, such as Static DNS & DNS relay proxy (Windows only? - at least not Android). It also seems that specifying a DNS address space may not be a secure way of limiting DNS mapping of the internal DNS structure - for instance it seems to be able to resolve all reverse DNS lookups, allow zone transfers, packet sniffing DNS, not work for different OS, etc...

    ... and I may have misunderstood elements of this...

    kenT
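As an added illustration of the symptom in the question and the checklist in the reply above (this is example code written for this page, not code from the thread, from F5 or from APM itself), the following Python models the split-DNS decision and lints a Network Access configuration against the four items kenT lists: a DNS address space must exist when split tunnelling is on, the DNS servers must sit inside the IP address space so queries to them are routed through the tunnel, and any ACL must permit port 53. The `NetworkAccessConfig` fields, the function names and both sample configurations are assumptions constructed for the example; they model the behaviour described in the thread, not the product's actual implementation.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class NetworkAccessConfig:
    """Hypothetical model of the Network Access settings named in the thread."""
    split_tunnel: bool
    dns_servers: List[str]              # resolvers pushed to the client
    dns_address_space: List[str]        # DNS suffixes resolved via the tunnel
    ip_address_space: List[str]         # CIDR prefixes routed via the tunnel
    # ACL allow entries as (proto, dst_cidr, dst_port); empty list = no ACL applied
    acl_allow: List[Tuple[str, str, Optional[int]]] = field(default_factory=list)


def resolved_through_tunnel(cfg: NetworkAccessConfig, name: str) -> bool:
    """Model of the split-DNS decision: with a full tunnel every query uses the
    pushed resolvers; with a split tunnel only names under a configured DNS
    suffix do, and everything else goes to the device's default (e.g. carrier)
    resolver, which is the behaviour the question observes."""
    if not cfg.split_tunnel:
        return True
    host = name.rstrip(".").lower()
    for suffix in cfg.dns_address_space:
        sfx = suffix.strip().lstrip(".").lower()
        if host == sfx or host.endswith("." + sfx):
            return True
    return False


def acl_permits(cfg: NetworkAccessConfig, proto: str, dst: str, port: int) -> bool:
    """True when no ACL is configured, or when some allow entry matches
    protocol, destination address and port (a None port matches any port)."""
    if not cfg.acl_allow:
        return True
    ip = ipaddress.ip_address(dst)
    for a_proto, a_cidr, a_port in cfg.acl_allow:
        if (a_proto.lower() in (proto, "any")
                and ip in ipaddress.ip_network(a_cidr, strict=False)
                and (a_port is None or a_port == port)):
            return True
    return False


def lint_split_dns(cfg: NetworkAccessConfig) -> List[str]:
    """Apply the reply's checklist; return one finding per violated item."""
    findings = []
    if cfg.split_tunnel and not cfg.dns_address_space:
        findings.append("split tunnel with empty DNS address space: internal names "
                        "are sent to the device's default resolver, not the tunnel")
    routed = [ipaddress.ip_network(p, strict=False) for p in cfg.ip_address_space]
    for srv in cfg.dns_servers:
        ip = ipaddress.ip_address(srv)
        if cfg.split_tunnel and not any(ip in net for net in routed):
            findings.append(f"DNS server {srv} is not inside the IP address space: "
                            "queries to it bypass the tunnel")
        # DNS needs udp/53 and, for large answers and zone-style transfers, tcp/53
        for proto in ("udp", "tcp"):
            if not acl_permits(cfg, proto, srv, 53):
                findings.append(f"ACL does not allow {proto}/53 to DNS server {srv}")
    return findings


# Constructed sample configurations (not real deployments).
GOOD_CFG = NetworkAccessConfig(
    split_tunnel=True,
    dns_servers=["10.0.0.53"],
    dns_address_space=["corp.example"],
    ip_address_space=["10.0.0.0/8"],
    acl_allow=[("udp", "10.0.0.0/8", 53), ("tcp", "10.0.0.0/8", 53)],
)
# Reproduces the question: split tunnel, but nothing tells the client which
# names belong to the tunnel, the resolver is off-route and the ACL blocks 53.
BAD_CFG = NetworkAccessConfig(
    split_tunnel=True,
    dns_servers=["192.168.5.53"],
    dns_address_space=[],
    ip_address_space=["10.0.0.0/8"],
    acl_allow=[("tcp", "10.0.0.0/8", 443)],
)

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CFG), ("bad", BAD_CFG)):
        print(label, "findings:", lint_split_dns(cfg) or "none")
        print(label, "host.corp.example via tunnel:",
              resolved_through_tunnel(cfg, "host.corp.example"))
```

Running the block prints no findings for the first configuration and four for the second, which is the shape of the problem in the question: with a split tunnel and no DNS address space, a query for an internal name never enters the tunnel, so nothing appears in a tcpdump on the F5 even though the resolvers were pushed to the client.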