Skype split tunneling - adding external DNS entry to internal DNS servers

Hello. We have done quite a bit of reading around split tunnelling with Skype and have been exploring the various options.

We have VPN clients that connect to internal DNS servers, but we wish to point Skype to the external address to bypass the VPN. We were wondering if adding a lyncdiscover DNS entry to the internal DNS servers might allow such clients to resolve the external address whilst using a client firewall to stop them communicating with the internal Skype address when connected using VPN?

This is something we haven't seen documented anywhere, so it rings some alarm bells, but it might be easier than the alternatives if it doesn't break anything.

Thoughts please :)

Thanks

Hi,

Yes, you need to add lyncdiscover pointing to your public IP address, but your clients will still try to connect directly to your Front End servers, so you have to rewrite the DNS names for those to 127.0.0.1. You also have to make sure that your VPN clients get the public IP for web services such as dialin and meet. And make sure that you can look up the DNS name for the Edge public services (access, av and webconf).

Cisco calls this rewrite DNS doctoring; it will make the client look up the public IP addresses instead of the internal ones, and for server names and lyncdiscoverinternal look up 127.0.0.1. This will force the client to use public IP addresses. Of course you should also block TCP/UDP traffic to your Skype servers from VPN clients.

Thanks. We have looked into DNS doctoring, but our network team would prefer not to implement it, hence we are wondering if we could just add the lyncdiscover record to our internal AD DNS servers and, by preventing clients from reaching the internal addresses over VPN (using client firewalls), force Skype external.

We are not using Server 2016 DNS yet, so we don't have the options it offers for split tunnel scenarios, and we wouldn't be able to change the other internal address resolutions (such as those you suggest need to resolve to 127.0.0.1), so we are not sure if this would work. If it is simply name resolution that the client goes on, and lyncdiscoverinternal would still resolve, then we wouldn't be able to try this; but if we could rely on the Skype client trying internal, failing and then going external, it could be an option?

Thanks

Mark

The Skype client will try lyncdiscoverinternal.<domain> before lyncdiscover.<domain>, so there you will hit the first problem if you don't do DNS doctoring or use separate DNS for VPN and internal clients.

So if you can block lyncdiscoverinternal, point lyncdiscover to the public IP, point meet etc. to public addresses and block access to the internal servers, it should work for you.
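To make the two replies above concrete, here is an added model (not code from Microsoft, Cisco or anyone in this thread) of the autodiscover order the last reply describes, lyncdiscoverinternal before lyncdiscover, run against the two DNS views discussed: the original poster's "internal AD DNS plus a lyncdiscover record" idea, and the doctored VPN view from the first reply in which server names and lyncdiscoverinternal answer 127.0.0.1 and the web services point to public addresses. The domain, IP addresses, internal network range and firewall rule are constructed sample values, and the model assumes (as DNS doctoring relies on) that a loopback answer or a firewall-blocked destination counts as a failed attempt, which is exactly the behaviour the thread leaves to Mark's testing.

```python
"""Model of the Skype for Business autodiscover order discussed in this
thread.  Added illustration only: the candidate order is the one the
thread states, and every name and address below is a constructed sample."""

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set, Tuple

# Hypothetical SIP domain and addresses (RFC 5737 / RFC 1918 ranges).
DOMAIN = "contoso.example"
FE_INTERNAL = "10.10.1.20"      # Front End pool, only reachable over the VPN
PUBLIC_WEB = "203.0.113.10"     # reverse proxy for lyncdiscover/meet/dialin
PUBLIC_EDGE = "203.0.113.20"    # Edge access/AV/webconf services
INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed internal address space

# Discovery order as stated in the thread: internal record first.
CANDIDATES = ("lyncdiscoverinternal", "lyncdiscover")


@dataclass
class DnsView:
    """One resolver's answers, keyed by short hostname within DOMAIN."""
    name: str
    records: Dict[str, str]


@dataclass
class ClientFirewall:
    """Destination IPs the client firewall blocks while on the VPN."""
    blocked: Set[str] = field(default_factory=set)


def is_usable(ip: str, fw: ClientFirewall) -> bool:
    """Assumption: a loopback/unspecified answer or a firewall-blocked
    destination is treated as a failed attempt and the client moves on."""
    addr = ip_address(ip)
    if addr.is_loopback or addr.is_unspecified:
        return False
    return ip not in fw.blocked


def discover(view: DnsView, fw: ClientFirewall) -> Optional[Tuple[str, str]]:
    """Return (fqdn, ip) of the first usable autodiscover answer, else None."""
    for host in CANDIDATES:
        ip = view.records.get(host)
        if ip is None:
            continue                        # NXDOMAIN: try the next candidate
        if is_usable(ip, fw):
            return f"{host}.{DOMAIN}", ip
    return None


def web_services_public(view: DnsView) -> bool:
    """First reply's other requirement: meet and dialin must resolve to
    public addresses for VPN clients, not to the internal pool."""
    for host in ("meet", "dialin"):
        ip = view.records.get(host)
        if ip is None or any(ip_address(ip) in net for net in INTERNAL_NETS):
            return False
    return True


# View 1: the original poster's proposal. Plain internal AD DNS with a
# lyncdiscover record added; lyncdiscoverinternal still answers normally.
op_view = DnsView("internal AD DNS + lyncdiscover", {
    "lyncdiscoverinternal": FE_INTERNAL,
    "lyncdiscover": PUBLIC_WEB,
    "meet": FE_INTERNAL,
    "dialin": FE_INTERNAL,
})
op_fw = ClientFirewall(blocked={FE_INTERNAL})   # the proposed client firewall

# View 2: the doctored VPN view from the first reply.
doctored_view = DnsView("doctored VPN view", {
    "lyncdiscoverinternal": "127.0.0.1",
    "lyncdiscover": PUBLIC_WEB,
    "meet": PUBLIC_WEB,
    "dialin": PUBLIC_WEB,
    "sip": PUBLIC_EDGE,
})

if __name__ == "__main__":
    for view, fw in ((op_view, ClientFirewall()), (op_view, op_fw),
                     (doctored_view, ClientFirewall())):
        print(f"{view.name} (firewall blocks {sorted(fw.blocked)}):")
        print("  autodiscover ->", discover(view, fw))
        print("  meet/dialin public:", web_services_public(view))
```

Without the client firewall, the first view hands the client the internal Front End via lyncdiscoverinternal, which is the "first problem" the last reply points out; the lyncdiscover record alone changes nothing. The doctored view reaches the public address purely through DNS, independent of any client-side rule, and also satisfies the meet/dialin requirement, which the first view fails even when the firewall forces autodiscover external.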