DNS over VPN

I have a VPN server running on Windows Server 2003.  I have port 1723 forwarded so that users can connect to the vpn through the firewall from the internet.  VPN connectivity is not my problem.  When I try to ping my mail server while on the VPN,  it is not using the internal IP address, it is wanting to go to the external IP address.  I have AT&T managed internet service and have a host record on AT&T DNS servers for the external IP.  What I don't understand is why it is not using my internal DNS servers to resolve this.  I have verified that once connected to VPN the computer is using my internal DNS servers to resolve this name.
Dale_GishAsked:
pseudocyberConnect With a Mentor Commented:
In XP, open c:\windows\system32\drivers\etc\hosts with notepad

put in the IP address with some spaces and the FQDN of the name.

Like this:

1.1.1.1    www.whatever.com

Save As hosts and file type of "All Files" - ensure notepad does not change hosts file to hosts.txt
0
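As an added example (not code from the thread), the hosts-file override pseudocyber describes, automated: it parses a hosts file, shows which address a name currently gets (the resolver consults hosts before DNS and the first matching line wins), and pins the FQDN to the internal IP while removing any stale line that still carries the public address. The file contents, mail.example.com and all addresses are constructed placeholders.

```python
"""Pin an internal FQDN in a Windows hosts file (the accepted answer's workaround).

First matching line wins, so a stale line with the public address must be
removed, not merely appended to. All names and addresses are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

SAMPLE_HOSTS = """# Constructed sample: comments and blank lines are ignored
127.0.0.1       localhost

203.0.113.10    mail.example.com    # stale: public (ISP) address
"""

def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [names]) per mapping line; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].split()
        if len(body) < 2:
            continue
        ipaddress.ip_address(body[0])  # raises ValueError on a malformed IP
        entries.append((body[0], [n.lower() for n in body[1:]]))
    return entries

def resolve_from_hosts(text: str, name: str) -> Optional[str]:
    """Mimic the client resolver: first line listing NAME wins, case-insensitive."""
    for ip, names in parse_hosts(text):
        if name.lower() in names:
            return ip
    return None

def set_host_entry(text: str, name: str, ip: str) -> str:
    """Return hosts text with NAME mapped to IP and no other line naming it."""
    ipaddress.ip_address(ip)
    kept: List[str] = []
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        parts = body.split()
        aliases = [p for p in parts[1:] if p.lower() != name.lower()]
        if len(parts) >= 2 and len(aliases) < len(parts) - 1:
            if not aliases:          # line mapped only NAME: drop it entirely
                continue
            raw = f"{parts[0]:<15} {' '.join(aliases)}"
            if comment:
                raw += f"  #{comment}"
        kept.append(raw)
    kept.append(f"{ip:<15} {name}")  # one line, spaces between IP and FQDN
    return "\n".join(kept) + "\n"
```

When writing the result back on XP, save it as `hosts` with no extension (the hosts.txt pitfall from the answer) and run `ipconfig /flushdns` so the cached public address is discarded.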
 
pseudocyberCommented:
Only reason I can think of is perhaps it already has the name resolved in its DNS cache.  What if you connect the VPN and then do an ipconfig /flushdns and then try it - same problem?
0
 
gpriceeeCommented:
On your VPN adapter, set the DNS server to your network DNS address.
Open a cmd prompt and enter
ipconfig /flushdns

Then try.
0
 
gpriceeeCommented:
Whoops--didn't see pseudocyber's /flushdns command ;-)
0
 
pseudocyberCommented:
Great minds .... gpriceee ;)
0
 
Dale_GishAuthor Commented:
You guys are great, but that didn't do it.  When I connect to VPN it still wants to go to the internet IP.  I can tell you this, I can resolve all names when connected to VPN except for the 3 names that I have listed in my ATT DNS provisioning.
0
 
Robing66066Commented:
Silly question, but are you sure your workstations are trying to ping the correct name?  I'm assuming you are using a different FQDN for your mail server on the inside than on the outside.  I'm also assuming your mail server is hosted on site, rather than at AT&T.

For example, our mail server on the outside is mail.supersent.com, but on the inside it's mail.supersent.ads.  If you are just typing 'ping mail', it might be defaulted to the .com address instead of the internal .ads address.  (it shouldn't but I'd check what domain suffix your VPN'd workstations get when they connect...)

I am also curious about other DNS resolutions.  Do your VPN connected workstations use the internal DNS to resolve names for other devices in your office?
0
 
pseudocyberCommented:
When you're connected to VPN and you do an ipconfig /all, do you have your internal DNS listed as your DNS servers for the vpn connection?
0
 
gpriceeeCommented:
can you open a cmd prompt and enter
ipconfig /all
and post it?
0
 
pseudocyberCommented:
You're just too slow gprice!  ;)  LOL
0
 
Dale_GishAuthor Commented:
Hi, yes the workstation is pinging the correct name.  I am running Exchange 2003 on site.  I am using the FQDN to ping.  Resolution works fine on the inside.  When connected to VPN the connection specific DNS suffix is correct.  I have verified that when connected to VPN the remote computers are using my internal DNS servers to resolve as I can ping any device I want just fine except for these 3 that I have host records for at ATT.  I just called my ATT DNS team, they are stumped as well.
0
 
Dale_GishAuthor Commented:
I am going to try something guys.  This didn't happen until I added a host record with ATT.  I have just noticed that the host record I added was the same server as my VPN server.  I see a loop here somewhere, I have deleted this host record with ATT and am going to see what happens.  You guys are awesome.
0
 
gpriceeeCommented:
pseudocyber, you're cracking me up!
Ha!
0
 
pseudocyberCommented:
BD
0
 
Dale_GishAuthor Commented:
Ha! Was I supposed to laugh too, guys?
0
 
gpriceeeCommented:
Make sure you also run from the cmd prompt:
nbtstat -RR

Case sensitive
0
 
Dale_GishAuthor Commented:
already ran nbtstat gpriceee, good job  :-)
0
 
gpriceeeCommented:
What happens now when you ping your mail server by address requesting the name?
ping xxx.xxx.xxx.xxx -a
0
 
Dale_GishAuthor Commented:
Same thing

I am going to have to wait until ATT does their next dump, which is at 11am I think.  Then I will have to wait until COX DNS servers update.  I am testing from my computer at home.
0
 
Dale_GishAuthor Commented:
Although, when I am connected to VPN and ping my domain controller with the -a switch I still only get the IP address and not the name.
0
 
gpriceeeCommented:
Check your VPN config to see if outside DNS servers were configured.

Also, check out the following article about resolution and VPNs: http://www.cisco.com/warp/public/471/vpn-net-hood.html
0
 
purplepomegraniteCommented:
Try this:

- Go into the properties of your VPN connection on the client
- From the Networking tab, go into TCP/IP properties
- Click Advanced
- Under the General tab, tick the box that says "Use default gateway on remote network"
- Ok everything

This forces the connection to use the VPN as the default route... and should force it to use the DNS server from the VPN connection also (otherwise the ISP's DNS will override the VPN, which sounds like what is happening).
0
 
Dale_GishAuthor Commented:
Thanks for the tip but that was the first thing I checked.  My VPN clients are using my internal DNS servers to resolve names.  I can ping my servers in 3 different countries as well as resolve their names.  It's only the 3 names that I have listed in ATT DNS that won't seem to resolve internally and keep wanting to go to the internet.  This is what makes this issue so interesting.

Example: these have host records with the ISP.  I have services running on these servers that need to be hit from the internet.

ServerA
ServerB
ServerC   from the internet resolve to xxx.xxx.xxx.xxx

When connected to VPN, they simply will not go to the internal IP addresses.  As mentioned above, this only happened after I added another host record with ATT DNS 2 days ago, which so happens to be the server that my VPN is on.  It's like it's looping back around or something.  Thanks for all your comments
0
 
Dale_GishAuthor Commented:
Does anyone know the proper way to modify a HOSTS file so that I can try forcing mail.domain.com to a specific IP, as a test?
0
 
Dale_GishAuthor Commented:
Rock on pseudocyber buddy.  Pings fine now from VPN.  Still doesn't explain what's up with DNS but at least I can get the clients working and have more time for troubleshooting and analysis.  This site needs to have a buddy list.
0
 
pseudocyberCommented:
LOL @ buddy list.  :)  It's pretty much up there on the left called "top 15 yearly networking" :D
0
 
Dale_GishAuthor Commented:
Ha!    Well, since you're in the mood to answer questions I got another one coming about DFS, wanna take a crack at it?
0
 
pseudocyberCommented:
Thanks for the points Dale, but I really think they ought to be split between the Experts here who were helping on this issue.  All I really did was be the first to tell you how to modify the hosts file.  

If you want to split the points, you could make a request to an Administrator to allow you to do so and they can enable it.  Just post a question with a link back to this one in the Community Support forum:  http://www.experts-exchange.com/Community_Support/
0
 
jamesreeveCommented:
Check the network bindings - it sounds like the LAN adaptor is bound above the VPN adaptor on the client.
In this situation the DNS will resolve through the LAN adaptor settings. This will result in VPN resources being resolved through public DNS. If the binding can't be changed then it's documented in a TechNet article and can be fixed with a regedit.

Hope this helps !

0
Question has a verified solution.