Solved

VPN and DNS

Posted on 2006-05-01
Last Modified: 2010-03-17
Hi,

I'm using a netgear FVG318 VPN Firewall Router with a tunnel from a pc client running Netgear Prosafe Client VPN.  The vpn runs fine and I can ping all my linux servers using their static IPs (10.94.69.x), however I can't ping using domains xxx.donoss.lan over the VPN.  DNS is running on 10.94.69.2, a SUSE 10 box; 10.94.69.1 is the gateway (VPN Router).  Any ideas on how I can ping using the domains?

Many thanks

Andy

 
0
Question by:Donoss
16 Comments
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 16579162
is the domain internal?

do the clients have the DNS in their /etc/resolv.conf? (if not, then there is the problem. edit the file and replace nameserver row with your 10.94.69.2 nameserver, like here:)
------------------------------------
nameserver 10.94.69.2
domain donoss.lan
search donoss.lan
------------------------------------
this on the clients. make sure your dns server can answer queries for donoss.lan
0
 

Author Comment

by:Donoss
ID: 16580089
Sorry if I didn't make it clear but the clients are running XP and it is from here over the vpn that I can't ping using the domains e.g. obiwan.donoss.lan; skywalker.donoss.lan.  I can ping internally with no problem, but can't over the vpn.

Regards

Andy
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16580786
i've never used netgear's vpn device before but it sounds like your vpn clients either aren't being issued the ip for the internal dns or it is, but still is using the external dns servers.

at least in cisco firewall they have something called split-dns where you give a list of domain names that the vpn client is aware of so they would be forced to use the specified dns servers thru the vpn connection.  i've also come across some where the vpn connection will force all traffic thru the vpn and thus be forced to use the dns servers the vpn specifies.  that is all I can think of any way, check those settings

from the xp machines when they are logged in though, run an ipconfig /all to make sure that they are getting a dns server entry for the vpn connection, then do a
nslookup <name of server to lookup> <ip of ns server to query>
and make sure it resolves, then do
nslookup <name of server to lookup>
it should give the ip in the output of the dns server it's trying to query
0
 

Author Comment

by:Donoss
ID: 16580842
Hi Cyclops,

ipconfig displays the dns address as the local ip address on my home network 192.168.0.1 which is the gateway.

Regards

Andy
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16580918
there's no dns entry specifying 10.94.69.2 then I take it when you are vpn'd in
0
 

Author Comment

by:Donoss
ID: 16581051
No,

All I can do is ping this subnet's IPs, but no dns.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16581148
did you try the nslookup command
example:
nslookup obiwan.donoss.lan 10.94.69.2
while you were vpn'd in
0
 

Author Comment

by:Donoss
ID: 16581207
The following was displayed, and it did return the correct ip for obiwan!

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Andrew Norman>nslookup obiwan.donoss.lan 10.94.69.2
*** Can't find server name for address 10.94.69.2: Non-existent domain
Server:  UnKnown
Address:  10.94.69.2

Name:    obiwan.donoss.lan
Address:  10.94.69.4


C:\Documents and Settings\Andrew Norman>
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16581355
yup, it's your vpn client either not being issued the ip for the inside dns server or your client just isn't using it.
0
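The diagnosis reached in the exchange above, as an added example that is not part of the original thread: it parses the nslookup output posted earlier, ignores the harmless reverse-lookup warning about the server name, and compares it with a default-resolver query. `NSLOOKUP_DEFAULT` is a constructed sample modelled on the 192.168.0.1 gateway the asker reported, and the function names are hypothetical.

```python
import re

# nslookup output as posted in the thread (query sent directly to 10.94.69.2).
NSLOOKUP_DIRECT = """\
*** Can't find server name for address 10.94.69.2: Non-existent domain
Server:  UnKnown
Address:  10.94.69.2

Name:    obiwan.donoss.lan
Address:  10.94.69.4
"""

# Constructed sample: the same name asked of the client's default resolver.
NSLOOKUP_DEFAULT = """\
Server:  UnKnown
Address:  192.168.0.1

*** UnKnown can't find obiwan.donoss.lan: Non-existent domain
"""

def parse_nslookup(text):
    """Return (server_ip, answer_ips). The first Address line names the
    server that was queried; Address lines after 'Name:' are the answer.
    '***' lines (e.g. the failed reverse lookup of the server) are skipped."""
    server, answers, seen_name = None, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Name:"):
            seen_name = True
        m = re.match(r"Address(?:es)?:\s+(\S.*)", line)
        if not m:
            continue
        ips = re.findall(r"\d+\.\d+\.\d+\.\d+", m.group(1))
        if seen_name:
            answers.extend(ips)
        elif server is None and ips:
            server = ips[0]
    return server, answers

def diagnose(direct_out, default_out, internal_dns):
    """Compare a query sent straight to the internal DNS with a default one."""
    _, direct_answers = parse_nslookup(direct_out)
    used_server, default_answers = parse_nslookup(default_out)
    if not direct_answers:
        return "internal DNS gave no answer: check the tunnel and the zone"
    if used_server != internal_dns and not default_answers:
        return f"client resolves via {used_server}, not {internal_dns}: fix client DNS settings"
    return "ok"
```
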
 

Author Comment

by:Donoss
ID: 16581442
Any ideas how to resolve this using the netgear fvg318?

Many thanks

Andy
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16581634
never used it before, i'll have to go to netgear's site to see if they have some user manuals I can look at to see if it's possible or not.  are you using pptp or ipsec for vpn?
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16581762
the only type of vpn i saw was ipsec so I assume that's what you are using.  i never really saw anything to do with dns so to be quite honest I almost doubt you can do what you want to get accomplished with that device.  

how did you set up your profile on the client, did you tell it to forward all traffic thru the tunnel or only for that subnet.  even then I am not sure how you get it to obtain the dns server ip address and use that server

sorry i couldn't be of more help, but we do at least know what the problem is; just that I don't know how to fix it, if it's even fixable
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 16582806
Since you stated your clients are XP, and the vpn is *transparent* for them, because it is handled via your hardware devices; then you should have the DNS in your TCP/IP settings.

a) Can you ping the ip 10.94.69.2 ?
b) If you can ping: are you using DHCP?
c) If dhcp: have you configured your DHCP server to export the dns server ip and domain?
d) if not DHCP: did you configure XP tcp/ip settings to have the remote DNS as the default one, along with the correct domain (donoss.lan)?
0
 

Author Comment

by:Donoss
ID: 16584284
Guys,

the vpn is ipsec.  I can ping 10.94.69.2 (dns server), however the pc client is getting its ip from the local lan (at home) which is 192.168.0.1, which is the dhcp server for the local lan.  The remote vpn router is also a dhcp server for the remote lan, this has 10.94.69.2 as the dns server and the isp's ip as the secondary dns server, could this be the problem?

many thanks

Andy
0
 
LVL 19

Accepted Solution

by:
Gabriel Orozco earned 1000 total points
ID: 16593365
you should edit your dhcp server for local lan, and tell it your dns will be 10.94.69.2.

this of course will be a problem if the vpn goes down

but if vpn continues up, then it should work well
0
 
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 1000 total points
ID: 16595267
or you could hard code the DNS server into your connection and while you want to be VPN'd in, just change the DNS server IP.  be a pain, but if you have multiple machines on your remote lan, then at least the others won't be screwed up since they wouldn't be vpn'd in

of course, you could make the 10.94.69.2 a primary DNS server and your current DNS servers secondary.  This would make sure that your client would use the office dns server however if not logged in will make resolution of fqdn's longer and make the internet seem slower since every request would have to timeout on a server you couldn't communicate with without vpn
0


Question has a verified solution.