Solved

DNS over VPN

Posted on 2005-04-22
Medium Priority
2,537 Views
Last Modified: 2008-02-03
I have a VPN server running on Windows Server 2003.  I have port 1723 forwarded so that users can connect to the vpn through the firewall from the internet.  VPN connectivity is not my problem.  When I try to ping my mail server while on the VPN,  it is not using the internal IP address, it is wanting to go to the external IP address.  I have AT&T managed internet service and have a host record on AT&T DNS servers for the external IP.  What I don't understand is why it is not using my internal DNS servers to resolve this.  I have verified that once connected to VPN the computer is using my internal DNS servers to resolve this name.
Question by:Dale_Gish

29 Comments
 
LVL 27

Expert Comment

by:pseudocyber
ID: 13842491
Only reason I can think of is perhaps it already has the name resolved in its DNS cache.  What if you connect the VPN and then do an ipconfig /flushdns and then try it - same problem?
0
 
LVL 13

Expert Comment

by:gpriceee
ID: 13842524
On your VPN adapter, set the DNS server to your network DNS address.
Open a cmd prompt and enter
ipconfig /flushdns

Then try.
0
 
LVL 13

Expert Comment

by:gpriceee
ID: 13842532
Whoops--didn't see pseudocyber's /flushdns command ;-)
0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 13842546
Great minds .... gpriceee ;)
0
 
LVL 1

Author Comment

by:Dale_Gish
ID: 13842661
You guys are great, but that didn't do it.  When I connect to VPN it still wants to go to the internet IP.  I can tell you this, I can resolve all names when connected to VPN except for the 3 names that I have listed in my ATT DNS provisioning.
0
 
LVL 7

Expert Comment

by:Robing66066
ID: 13842664
Silly question, but are you sure your workstations are trying to ping the correct name?  I'm assuming you are using a different FQDN for your mail server on the inside than on the outside.  I'm also assuming your mail server is hosted on site, rather than at AT&T.

For example, our mail server on the outside is mail.supersent.com, but on the inside it's mail.supersent.ads.  If you are just typing 'ping mail', it might be defaulted to the .com address instead of the internal .ads address.  (it shouldn't but I'd check what domain suffix your VPN'd workstations get when they connect...)

I am also curious about other DNS resolutions.  Do your VPN connected workstations use the internal DNS to resolve names for other devices in your office?
0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 13842682
When you're connected to VPN and you do an ipconfig /all, do you have your internal DNS listed as your DNS servers for the vpn connection?
0
 
LVL 13

Expert Comment

by:gpriceee
ID: 13842685
Can you open a cmd prompt and enter
ipconfig /all
and post it?
0
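Both pseudocyber and gpriceee ask for the client's ipconfig /all output so they can see which DNS servers each adapter has. The script below is an added example (not posted by anyone in this thread): it parses Windows XP-style ipconfig /all text into per-adapter fields and flags any adapter whose DNS servers are public Internet addresses, which is the split-horizon symptom being discussed. The sample output and the adapter names, addresses and suffixes in it are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of Windows XP-style "ipconfig /all" output (not from the thread).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : LAPTOP01
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home.isp.example
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 68.1.1.1
                                            68.1.1.2

PPP adapter Office VPN:

        Connection-specific DNS Suffix  . : corp.example
        IP Address. . . . . . . . . . . . : 10.0.5.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 10.0.5.23
        DNS Servers . . . . . . . . . . . : 10.0.0.10
                                            10.0.0.11
"""

# "Key . . . . : value" lines; the dots and spaces between key and colon are padding.
KEY_VALUE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-]*?)[\s.]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter_name: {field: [values]}} from ipconfig /all output."""
    adapters = {}
    current = "Windows IP Configuration"
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Unindented line: an adapter heading such as "PPP adapter Office VPN:"
            # or the global "Windows IP Configuration" header.
            current = line.rstrip().rstrip(":")
            adapters.setdefault(current, {})
            last_key = None
            continue
        fields = adapters.setdefault(current, {})
        m = KEY_VALUE.match(line)
        if m:
            last_key, value = m.group(1).strip(), m.group(2).strip()
            fields[last_key] = [value] if value else []
        elif last_key is not None:
            # Indented line with no key: continuation of a multi-valued field,
            # e.g. the second DNS server.
            fields[last_key].append(line.strip())
    return adapters


def dns_servers(adapters):
    """Map each adapter that lists DNS servers to its server list."""
    return {
        name: fields["DNS Servers"]
        for name, fields in adapters.items()
        if "DNS Servers" in fields
    }


def public_dns_adapters(adapters):
    """Adapters whose DNS list includes a non-private (Internet) resolver.

    If the resolver's adapter order lets such an adapter answer for the
    corporate zone, the client gets the ISP's external record instead of
    the internal address advertised on the VPN."""
    flagged = []
    for name, servers in dns_servers(adapters).items():
        if any(not ipaddress.ip_address(s).is_private for s in servers):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    parsed = parse_ipconfig(SAMPLE_IPCONFIG)
    for name, servers in dns_servers(parsed).items():
        print(f"{name}: {', '.join(servers)}")
    print("Adapters using public DNS:", public_dns_adapters(parsed))
```

On the constructed sample the VPN adapter carries only RFC 1918 resolvers, so the LAN adapter (ISP resolvers 68.1.1.1 and 68.1.1.2) is the one flagged; that is the adapter whose DNS settings can win if it is bound ahead of the VPN adapter.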
 
LVL 27

Expert Comment

by:pseudocyber
ID: 13842695
You're just too slow gprice!  ;)  LOL
0
 
LVL 1

Author Comment

by:Dale_Gish
ID: 13842725
Hi, yes the workstation is pinging the correct name.  I am running Exchange 2003 on site.  I am using the FQDN to ping.  Resolution works fine on the inside.  When connected to VPN the connection-specific DNS suffix is correct.  I have verified that when connected to VPN the remote computers are using my internal DNS servers to resolve, as I can ping any device I want just fine except for these 3 that I have host records for at ATT.  I just called my ATT DNS team, they are stumped as well.
0
 
LVL 1

Author Comment

by:Dale_Gish
ID: 13842763
I am going to try something guys.  This didn't happen until I added a host record with ATT.  I have just noticed that the host record I added was the same server as my VPN server.  I see a loop here somewhere, I have deleted this host record with ATT and am going to see what happens.  You guys are awesome.
0
 
LVL 13

Expert Comment

by:gpriceee
ID: 13842771
pseudocyber, you're cracking me up!
Ha!
0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 13842794
BD
0
 
LVL 1

Author Comment

by:Dale_Gish
ID: 13842816
Ha! Was I supposed to laugh too, guys?
0
 
LVL 13

Expert Comment

by:gpriceee
ID: 13842819
Make sure you also run from the cmd prompt:
nbtstat -RR

Case sensitive
0
 
LVL 1

Author Comment

by:Dale_Gish
ID: 13842913
Already ran nbtstat gpriceee, good job  :-)
0
 
LVL 13

Expert Comment

by:gpriceee
ID: 13842962
What happens now when you ping your mail server by address requesting the name?
ping xxx.xxx.xxx.xxx -a
0
 
LVL 1

Author Comment

by:Dale_Gish
ID: 13843149
Same thing

I am going to have to wait until ATT does their next dump, which is at 11am I think.  Then I will have to wait until COX DNS servers update.  I am testing from my computer at home.
0
 
LVL 1

Author Comment

by:Dale_Gish
ID: 13843182
Although, when I am connected to VPN and ping my domain controller with the -a switch I still only get the IP address and not the name.
0
 
LVL 13

Expert Comment

by:gpriceee
ID: 13843207
Check your VPN config to see if outside DNS servers were configured.

Also, check out the following article about resolution and VPNs: http://www.cisco.com/warp/public/471/vpn-net-hood.html
0
 
LVL 24

Expert Comment

by:purplepomegranite
ID: 13843690
Try this:

- Go into the properties of your VPN connection on the client
- From the Networking tab, go into TCP/IP properties
- Click Advanced
- Under the General tab, tick the box that says "Use default gateway on remote network"
- Ok everything

This forces the connection to use the VPN as the default route... and should force it to use the DNS server from the VPN connection also (otherwise the ISP's DNS will override the VPN, which sounds like what is happening).
0
 
LVL 1

Author Comment

by:Dale_Gish
ID: 13843845
Thanks for the tip but that was the first thing I checked.  My VPN clients are using my internal DNS servers to resolve names.  I can ping my servers in 3 different countries as well as resolve their names.  It's only the 3 names that I have listed in ATT DNS that won't seem to resolve internally and keep wanting to go to the internet.  This is what makes this issue so interesting.

Example: these have host records with the ISP.  I have services running on these servers that need to be hit from the internet.

ServerA
ServerB
ServerC   from the internet resolve to xxx.xxx.xxx.xxx

When connected to VPN, they simply will not go to the internal IP addresses.  As mentioned above, this only happened after I added another host record with ATT DNS 2 days ago, which so happens to be the server that my VPN is on.  It's like it's looping back around or something.  Thanks for all your comments
0
 
LVL 1

Author Comment

by:Dale_Gish
ID: 13843874
Does anyone know the proper way to modify a HOSTS file so that I can try forcing mail.domain.com to a specific IP, as a test?
0
 
LVL 27

Accepted Solution

by:pseudocyber (earned 2000 total points)
ID: 13843912
In XP, open c:\windows\system32\drivers\etc\hosts with notepad

put in the IP address with some spaces and the FQDN of the name.

Like this:

1.1.1.1    www.whatever.com

Save As "hosts" with file type "All Files" - ensure Notepad does not change the hosts file to hosts.txt.
0
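The accepted answer edits the hosts file by hand. As an added example (not code from pseudocyber or anyone else in the thread), the script below does the same edit programmatically: it parses Windows hosts-file syntax, looks a name up the way the resolver does (first matching line wins), replaces any earlier entry for the name so it cannot shadow the test override, and checks the Notepad pitfall of the file being saved as hosts.txt. The sample file content, the addresses and the name mail.domain.example are constructed for the example.

```python
import ipaddress
from pathlib import PureWindowsPath

# Constructed Windows hosts file content (not taken from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
127.0.0.1       localhost
203.0.113.7     mail.domain.example   # stale entry pointing at the public address
"""


def parse_hosts(text):
    """Return [(ip, [hostnames])] for every active (non-comment) line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ipaddress.ip_address(parts[0])  # raises ValueError on a malformed address
        entries.append((parts[0], [n.lower() for n in parts[1:]]))
    return entries


def lookup(text, name):
    """First matching entry wins: the resolver reads the file top down, so a
    stale line above a new override silently takes precedence."""
    name = name.lower()
    for ip, names in parse_hosts(text):
        if name in names:
            return ip
    return None


def set_host_entry(text, ip, name):
    """Return new hosts text mapping `name` to `ip`.

    Any earlier line carrying `name` loses that name (and is dropped if it
    has no other names left), so the appended override is the only match."""
    ipaddress.ip_address(ip)
    target = name.lower()
    kept = []
    for raw in text.splitlines():
        active = raw.split("#", 1)[0].split()
        if len(active) >= 2 and target in (n.lower() for n in active[1:]):
            remaining = [n for n in active[1:] if n.lower() != target]
            if remaining:
                kept.append(f"{active[0]:<15} {' '.join(remaining)}")
            continue
        kept.append(raw)
    kept.append(f"{ip:<15} {name}   # VPN test override")
    return "\n".join(kept) + "\n"


def hosts_path_ok(path):
    """The file must be named exactly 'hosts'; 'hosts.txt' is ignored by Windows."""
    return PureWindowsPath(path).name.lower() == "hosts"


if __name__ == "__main__":
    print("before:", lookup(SAMPLE_HOSTS, "mail.domain.example"))
    updated = set_host_entry(SAMPLE_HOSTS, "10.0.0.25", "mail.domain.example")
    print("after: ", lookup(updated, "mail.domain.example"))
    print(updated)
```

The stale-entry handling is the part worth noting: on the constructed sample, simply appending a new line for mail.domain.example would leave the old 203.0.113.7 line in place, and the resolver would keep returning the public address even though the file "contains" the internal one.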
 
LVL 1

Author Comment

by:Dale_Gish
ID: 13844000
Rock on pseudocyber buddy.  Pings fine now from VPN.  Still doesn't explain what's up with DNS, but at least I can get the clients working and have more time for troubleshooting and analysis.  This site needs to have a buddy list.
0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 13844036
LOL @ buddy list.  :)  It's pretty much up there on the left called "top 15 yearly networking" :D
0
 
LVL 1

Author Comment

by:Dale_Gish
ID: 13844077
Ha!    Well, since you're in the mood to answer questions I got another one coming about DFS, wanna take a crack at it?
0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 13844279
Thanks for the points Dale, but I really think they ought to be split between the Experts here who were helping on this issue.  All I really did was be the first to tell you how to modify the hosts file.  

If you want to split the points, you could make a request to an Administrator to allow you to do so and they can enable it.  Just post a question with a link back to this one in the Community Support forum:  http://www.experts-exchange.com/Community_Support/
0
 

Expert Comment

by:jamesreeve
ID: 20809406
Check the network bindings - it sounds like the LAN adaptor is bound above the VPN adaptor on the client.
In this situation DNS will resolve through the LAN adaptor settings. This will result in VPN resources being resolved through public DNS. If the binding can't be changed then it's documented in a TechNet article and can be fixed with a regedit.

Hope this helps !

0
