DaveKwas asked (edited by Crystal-MSFT)

DNS lookup issues with Microsoft Tunnel Gateway

Hey, so on my Intune journey for corporate-managed Android, we have an app which will require the traffic being routed back via our network as it isn't publicly accessible.

I've set up the Tunnel Gateway and can confirm it's healthy in Endpoint Manager. I have a configuration pushing to a test user and can confirm the Defender app connects to the Tunnel successfully. It's set up to use one NIC on the VM and is located in the DMZ.

In the server configuration I have the DNS pointing to the DNS I have in the DMZ and the split tunnel config set to the IP of the resource the app needs to hit.

From the tunnel VM I can ping the app resource via IP or via hostname, so the VM is looking up by DNS OK. I can also ping google.com, so external DNS lookup is working OK. I can also access internet resources from the VM, as it downloaded the files etc. needed for building the Tunnel in the first place.

From the device, as a test, I've set up Edge to use the Tunnel VPN. I can connect to the resource I want using IP, but if I try using its FQDN it fails, which suggests a DNS issue. I also can't access google.com from Edge.

Any pointers to where I might be going wrong?

Crystal-MSFT answered (DaveKwas commented)

@DaveKwas, from your description, it seems the network access via Microsoft Tunnel Gateway is working well. But when we use the FQDN it fails. And google.com is also not accessible.

To clarify our issue, please first check if the issue is only with one Android device. If it is only with one, it seems the issue is on the device side. We can try to clear the cache on the device and restart the device to see if it can work.

If the issue is not only on this affected device, based on my experience, we can check if we get the correct DNS server we want. On the DNS server, check if the DNS request has been sent to the DNS server and if it gets any error when resolving the FQDN. Also we can view the Microsoft Tunnel logs to see if there are any more findings.
https://docs.microsoft.com/en-us/mem/intune/protect/microsoft-tunnel-monitor#view-microsoft-tunnel-logs

If we want help to look into the logs, to protect the sensitive information in your environment, we suggest opening a case to troubleshoot it. Here is a link with the steps to open a case for your reference:
https://docs.microsoft.com/en-us/mem/get-support

Thanks for your understanding.


If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Hi, thanks for your suggestions above.

I'm afraid I've only got access to the single device for testing at the moment, as we don't buy in 'spare' devices, so unfortunately I'm stuck with that device for now.

The DNS server is provided as part of a Fortigate firewall; I'm not familiar enough with it to check the requests serviced by its DNS. It does allow for packet capture, so I've been able to capture on the DMZ interface and can confirm that when accessing the resource via IP address, the traffic flow is captured in the packet capture, but when trying to access via the FQDN there is no packet capture at all, which suggests the request isn't leaving the device and being tunnelled.

I think, like you suggest, I might look to open up a support case for the issue and see where that takes me.


@DaveKwas, thanks for your reply. From your description, I know that when trying the FQDN, no packet is captured. In this situation, we need to check on the device side to see if the issue is on the device side or it goes to a wrong place. I notice you might open a case to look into the issue. If it is fixed in the case, I would appreciate your help in sharing the resolution here to help others who have the same issue.

Thanks for your help in advance. Have a nice day!


Hi,

The issue ended up being a missed firewall config in the perimeter, in which only TCP 443 was open. On adding UDP 443 into the rule as well, DNS started to work as you would expect. I've been able to prove it's working while the VPN is open and while configured for various split tunnel setups.

Hope this can help someone else in the future.

Crystal-MSFT answered (edited by Crystal-MSFT)

@DaveKwas, thanks for sharing the solution. I appreciate it. To help others who have the same issue, please let me write a brief summary of our issue:

Issue definition:

==========================
After setting Edge to use the Tunnel VPN, connecting to the resource by IP works, but if we choose its FQDN, it fails with a DNS issue. And google.com is also not accessible at that time.

Resolution:

===========================
The issue is caused by a missed firewall config in the perimeter, in which only TCP 443 was open. On adding UDP 443 into the rule as well, DNS started to work.

Thanks for your time and have a nice day!
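The resolution above comes down to a perimeter rule set that allowed TCP 443 to the Tunnel Gateway but not UDP 443, which is easy to miss when the VPN itself appears to connect. The following is an added example, not code from this thread or from Microsoft: a small rule-set audit that parses a constructed, simplified firewall rule syntax (`allow|deny <proto> <src-cidr> -> <dst-cidr> <port|any>`, first match wins, implicit deny) and reports which of the two flows the thread identifies (TCP 443 and UDP 443 to the gateway) are not allowed. The gateway address `203.0.113.10` and client address `198.51.100.7` are documentation-range placeholders, and the "before" and "after" rule sets are constructed to mirror the thread's misconfiguration and fix.

```python
"""Audit a perimeter rule set for the flows the Tunnel Gateway needs.

Added example, not from the thread or from Microsoft. The rule syntax is
constructed for this illustration and the addresses are placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network, IPv6Network
from typing import List, Optional, Tuple, Union

Network = Union[IPv4Network, IPv6Network]

# Flows the thread identifies: TCP 443 alone let the tunnel connect, but
# DNS through the tunnel only worked once UDP 443 was opened as well.
REQUIRED_FLOWS: Tuple[Tuple[str, int], ...] = (("tcp", 443), ("udp", 443))

GATEWAY_IP = "203.0.113.10"   # placeholder for the gateway's DMZ address
CLIENT_IP = "198.51.100.7"    # placeholder for an Android client's public IP

# Constructed "before" rule set: the misconfiguration described in the thread.
BEFORE_RULES = """
# perimeter rules: only TCP 443 inbound to the gateway
allow tcp 0.0.0.0/0 -> 203.0.113.10/32 443
deny any 0.0.0.0/0 -> 203.0.113.0/24 any
"""

# Constructed "after" rule set: UDP 443 added as in the resolution.
AFTER_RULES = """
allow tcp 0.0.0.0/0 -> 203.0.113.10/32 443
allow udp 0.0.0.0/0 -> 203.0.113.10/32 443
deny any 0.0.0.0/0 -> 203.0.113.0/24 any
"""


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: Network
    dst: Network
    port: Optional[int]   # None means any destination port


def parse_rule(line: str) -> Rule:
    """Parse one line of the constructed format:
    <allow|deny> <tcp|udp|any> <src-cidr> -> <dst-cidr> <port|any>
    """
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        raise ValueError(f"malformed rule: {line!r}")
    action, proto, src, _, dst, port = parts
    if action not in ("allow", "deny") or proto not in ("tcp", "udp", "any"):
        raise ValueError(f"malformed rule: {line!r}")
    port_value = None if port == "any" else int(port)
    if port_value is not None and not 0 < port_value < 65536:
        raise ValueError(f"port out of range: {line!r}")
    return Rule(action, proto, ip_network(src), ip_network(dst), port_value)


def parse_ruleset(text: str) -> List[Rule]:
    """Parse a rule set, skipping blank lines and '#' comments."""
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def first_match(rules: List[Rule], proto: str, src: str, dst: str, port: int) -> str:
    """Return the action of the first matching rule; implicit deny otherwise."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.port not in (None, port):
            continue
        if s not in r.src or d not in r.dst:
            continue
        return r.action
    return "deny"


def missing_tunnel_flows(rules: List[Rule], gateway: str,
                         client: str = CLIENT_IP) -> List[Tuple[str, int]]:
    """List the required (proto, port) flows to the gateway that are not allowed."""
    return [(proto, port) for proto, port in REQUIRED_FLOWS
            if first_match(rules, proto, client, gateway, port) != "allow"]


if __name__ == "__main__":
    for label, text in (("before", BEFORE_RULES), ("after", AFTER_RULES)):
        missing = missing_tunnel_flows(parse_ruleset(text), GATEWAY_IP)
        print(f"{label}: missing flows -> {missing or 'none'}")
```

Run as a script, the "before" rule set reports UDP 443 as missing and the "after" rule set reports nothing missing; the audit keeps first-match semantics so a broad `deny` placed above an `allow` is also caught rather than silently ignored.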
