Hey guys,
So we have officially released our PBR solution for our sites in an alpha stage. But we have a small problem. The internal hosts that access internal resources do so with the internal routes, but their traffic that matches external IPs goes out our secondary connection. The problem is that they access the internet unfiltered: the DNS lookup goes to our internal DNS, then it routes outside and bypasses all of our content filtering onsite and in the cloud.
So this is what I am thinking. Is it possible to convert the local routers to run split-DNS and have internal queries go to our internal forwarders, and external queries go to our cloud filters, so this way they cannot bypass the filters?
EDIT:
After doing some research I think I found the answer:
ip dns view INTERNAL
domain name-server 10.x.x.x
domain name-server 172.x.x.x
dns forwarding source-interface FastEthernet0/0
!
ip dns view EXTERNAL
domain name-server 208.x.x.22
domain name-server 208.x.x.2
dns forwarding source-interface FastEthernet0/0
!
ip dns view-list DNS
view INTERNAL 10
restrict source access-group INTERNAL_NETWORKS
view EXTERNAL 100
!
ip dns server view-group DNS
ip dns server
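A quick way to sanity-check a view-list before putting it on a router is to model how IOS walks it: views are tried in ascending order number and the first one whose restrictions all match answers the query. The script below is an added example, not part of the post or Cisco's code; it assumes INTERNAL_NETWORKS covers 10.0.0.0/8 and 172.16.0.0/12, uses constructed internal domain names, and also models a "restrict name-group" variant (an IOS view-list option that restricts a view to matching query names) to show how an internal host's lookups for external names can be steered to the EXTERNAL view instead of the internal forwarders.

```python
import ipaddress

# Constructed model of IOS DNS view-list selection (not router code).
# Each entry: (order number, view name, source access-group prefixes or None,
#              name-group domain suffixes or None). None means unrestricted.

# The view-list exactly as posted: INTERNAL matched only by source address,
# EXTERNAL unrestricted. Prefixes for INTERNAL_NETWORKS are an assumption.
OP_VIEW_LIST = [
    (10, "INTERNAL", ["10.0.0.0/8", "172.16.0.0/12"], None),
    (100, "EXTERNAL", None, None),
]

# Variant: INTERNAL additionally restricted by a name-group so that only
# queries for internal domains (constructed names) use the internal forwarders.
SPLIT_VIEW_LIST = [
    (10, "INTERNAL", ["10.0.0.0/8", "172.16.0.0/12"], ["corp.example"]),
    (100, "EXTERNAL", None, None),
]


def _name_matches(qname, suffixes):
    """True if qname equals or is a subdomain of any suffix in the name-group."""
    name = qname.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)


def select_view(view_list, src_ip, qname):
    """Return the name of the first view whose restrictions all match, else None."""
    ip = ipaddress.ip_address(src_ip)
    for _order, view, acl, name_group in sorted(view_list, key=lambda v: v[0]):
        if acl is not None and not any(ip in ipaddress.ip_network(p) for p in acl):
            continue  # source access-group did not match
        if name_group is not None and not _name_matches(qname, name_group):
            continue  # name-group did not match
        return view
    return None  # no view in the list matched this query


if __name__ == "__main__":
    for vl_name, vl in (("posted", OP_VIEW_LIST), ("name-group", SPLIT_VIEW_LIST)):
        for src, q in (("10.1.2.3", "host.corp.example"), ("10.1.2.3", "www.example.com")):
            print(f"{vl_name:10} {src:10} {q:20} -> {select_view(vl, src, q)}")
```

With the posted list, every query from an internal host lands in INTERNAL regardless of the name queried; the name-group variant sends internal hosts' external lookups to EXTERNAL.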
I have no direct XP on this, but did you follow the doco?
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dns/configuration/15-mt/dns-15-mt-book/dns-spl-dns.html#GUID-0A4E2D17-8D3C-4F11-8110-CF2E569CB24C
Yes I did... I must have missed something. I am going to work with TAC and see what we can come up with.