First, let me start by saying I am a SysAdmin by trade, and not very strong when it comes to networking. That said, I've encountered a scenario and I'm not sure what is theoretically possible. Hopefully there is enough relevant detail (I will fill in any gaps identified).
In short, we need to allow DNS resolution to work from Client to Hosted App. The layout is:
Client <---VPN---> Us <---Private Circuit---> Hosted App
The private Internet connection between Us and Hosted App was a vendor requirement. Internally, we use Microsoft DNS (Server 2016). We have conditional forwarders set up to resolve resources in Hosted App datacenters. DNS resolution needs to be extended to Client for the hosted app to function (we cannot allow Client <--VPN--> Hosted App due to Hosted Vendor's requirements).
Our DNS servers have conditional forwarders to resolve the hosted vendor's resources (e.g. contoso.hostedapp.com). Hosted App allocated 10.15.0.0/19 for our IP space. Unfortunately, that IP space is also in use at Client. So, while we can NAT our DNS server's IP address to allow DNS requests to reach us, when a Client machine requests DNS for contoso.hostedapp.com, our DNS server will return an address in the vendor provided 10.15.0.0/19 range, which Client already uses internally. We cannot change the vendor provided IP space (10.15.0.0/19), and Client states they cannot abandon the IP space either.
Given the above, are there any known ways out of this issue that others have implemented? This is where my networking ignorance will show. As just an example, could we somehow translate the DNS responses for Hosted App resources when our DNS servers respond to Client devices to overcome the IP overlap? Or is the right solution that "something's gotta give" regarding the IP space?
Edit: Formatting and typos
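To make the "translate the DNS responses" idea in the question concrete, here is an added illustration (example code written for this page, not the poster's code and not a feature of Microsoft DNS or any named vendor product). It rewrites IN A records in a DNS reply from the vendor-assigned 10.15.0.0/19 into a second range that the Client side is assumed not to use (172.21.0.0/19 is an assumption; any free /19 works), keeping the host offset so that a static, one-to-one NAT on the Client-facing firewall can map packets the other way. The sample reply for contoso.hostedapp.com is constructed inline.

```python
"""Rewrite A records in a DNS reply from the vendor range to a client-facing range.

Added example for the question above; not the poster's code or any product's.
Assumptions: 172.21.0.0/19 is free at Client, the sample reply is constructed,
and a firewall between Client and Us statically NATs 172.21.0.0/19 <-> 10.15.0.0/19.
"""
import struct
import ipaddress

VENDOR_NET = ipaddress.IPv4Network("10.15.0.0/19")          # from the question
CLIENT_FACING_NET = ipaddress.IPv4Network("172.21.0.0/19")  # assumption: unused at Client


def map_between(ip, src_net, dst_net):
    """Return the same host offset in dst_net if ip is in src_net, else ip unchanged."""
    ip = ipaddress.IPv4Address(ip)
    if ip not in src_net:
        return ip
    offset = int(ip) - int(src_net.network_address)
    return ipaddress.IPv4Address(int(dst_net.network_address) + offset)


def to_client_view(ip):
    """Vendor address -> what Client should see (applied to DNS replies)."""
    return map_between(ip, VENDOR_NET, CLIENT_FACING_NET)


def to_vendor_view(ip):
    """Client-facing address -> real vendor address (what the NAT must do to packets)."""
    return map_between(ip, CLIENT_FACING_NET, VENDOR_NET)


def _skip_name(msg, off):
    """Advance past a wire-format name, handling RFC 1035 compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # pointer: two bytes, and the name ends here
            return off + 2
        off += 1 + length


def _resource_records(msg):
    """Yield (rdata_offset, rtype, rclass, rdlen) for every RR after the question section."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def doctor_response(msg):
    """Return a copy of the reply with IN A rdata in VENDOR_NET rewritten to CLIENT_FACING_NET."""
    out = bytearray(msg)
    for off, rtype, rclass, rdlen in _resource_records(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4:      # IN A record
            real = ipaddress.IPv4Address(bytes(msg[off:off + 4]))
            out[off:off + 4] = to_client_view(real).packed
    return bytes(out)


def a_records(msg):
    """List the IN A addresses in a reply as strings (for inspection and testing)."""
    return [str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            for off, rtype, rclass, rdlen in _resource_records(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def _encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_response(name, addrs, txid=0x1234, ttl=300):
    """Construct a minimal DNS reply (constructed sample: one question, N A answers)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(a).packed
        for a in addrs)
    return header + question + answers


if __name__ == "__main__":
    reply = build_response("contoso.hostedapp.com", ["10.15.4.20", "10.15.31.7"])
    print("vendor view :", a_records(reply))
    print("client view :", a_records(doctor_response(reply)))
    print("NAT reverse :", to_vendor_view("172.21.4.20"))
```

Two things a practitioner would want to note about this approach. First, the DNS rewrite is only half of it: every packet a Client machine then sends to 172.21.x.x must be translated back to 10.15.x.x (and replies forward again) by a static NAT on the VPN path, which is exactly what `to_vendor_view` expresses; firewalls that do this in one feature usually call it DNS doctoring or NAT with DNS inspection. Second, rewriting rdata invalidates DNSSEC signatures, so it only works for answers that are not being validated on the Client side, and it only covers A records returned through the forwarded zone, not addresses embedded in application payloads.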