Windows VPN Connections Not Resolving Internal DNS

I was debating which section to actually post this in...

I have users making VPN connections through a Cisco PIX and authenticating via RADIUS to a Windows 2000 server running IAS and RRAS. My Mac OS X and Linux users, once connected, are able to resolve addresses to their internal IP through our internal name server running BIND. However, Windows XP users, when trying to resolve internal names in DNS, receive external IPs as if they were using another public DNS server.

In Windows XP, while connected through VPN, I can run ipconfig /all and see that the correct DNS server is in place. However, when doing an nslookup, it's trying to use the local router of wherever the computer is VPN'ing from as the DNS server. For example, I'm connected to my office VPN from home, and when I run nslookup it is using my home router's IP as the default server. I've also tried doing an ipconfig /flushdns, to no avail.

As I said, it's just on Windows where I have this problem, and it's multiple if not all Windows VPN users. We have another main office that has pretty much an identical setup to mine, except they use Microsoft DNS, and when making a VPN connection to their network I have the same problem.

Any ideas?

muff Commented:

Have you determined whether the internal DNS servers are accessible when the Windows XP vpn users are connected?

If you do

   server <internal dns>

Then type a name you want to resolve. I am guessing this will work, because it works for the Linux users. So it is probably that the Windows machine is falling back to the local DNS servers (when you do ipconfig /all, do you see DNS servers defined against the physical interfaces as well as the logical interface created for the VPN?)

If this is the case, then it could be a timeout issue: the internal DNS servers are not responding quickly enough, or packets are being lost, which perhaps indicates a problem with the VPN itself. Windows is much more sensitive to DNS timeouts than Linux. Try to resolve a few addresses to see if you get any timeouts.

Rob Williams Commented:
One thought: test if you can connect with the full computer and domain name as \\ComputerName.domain.local. If so, add the suffix DomainName.local to the DNS configuration of the virtual private adapter/connection [ right click virtual adapter | Properties | TCP/IP properties | Advanced | DNS | "Append these DNS suffixes (in order)" | Add ]
icarus004 (Author) Commented:
In my original question I mentioned how, when connected via VPN, ipconfig /all shows that I am using the internal name server, but nslookup shows that the default server is my home gateway/router. When VPN'd in, nslookup doesn't seem to query my internal NS at all, as I get the external IPs when doing a lookup. That said, and I probably should have mentioned this earlier, I am able to resolve certain addresses that do not have a public record in an external DNS server.

Your question about dns servers defined for the physical interface as well as the VPN interface made a light go off for me.

Although connected to my network via VPN, Windows is still wanting to use the DNS entry for the physical interface. If it can't find a resolution there, it then queries my internal name server, which shows as the default in ipconfig but not in nslookup. This is why I'm still able to resolve servers that do not have a public DNS entry. So... how do I force Windows VPN connections to only use my internal name server?

I've tried forcing it under the Networking ---> TCP/IP properties of my VPN connection.
Rob Williams Commented:
>>"How do I force Windows VPN connections to only use my internal name server? "
You say you have tried forcing it under TCP/IP properties. Is this by manually assigning the DNS servers? That should work.

The VPN client seems to get its DNS servers from the actual server's configuration rather than from the DHCP scope. What does the VPN server have as its DNS servers? It should have only your own internal DNS server(s) and no ISP DNS servers. ISP DNS servers should be added as forwarders only.

You can also force all traffic through the tunnel by enabling the "use default gateway on remote network" option located under the advanced TCP/IP properties of the VPN/virtual network adapter. This is usually enabled by default, but will block local Internet access, and force all traffic through the tunnel.
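The checks the two answers above describe (which interfaces carry DNS servers, whether the internal server answers through the tunnel, and which server is handing back the public address) can be scripted on a current Windows client. The script below is an added example written for this page, not code from the thread's participants or from Microsoft. It assumes the DnsClient and VpnClient PowerShell modules (Windows 8 / Server 2012 or later; the thread's Windows XP hosts lack these cmdlets and would use the interactive nslookup steps instead), and the hostname, internal server IP and VPN connection name are constructed placeholders to be replaced with your own.

```powershell
<#
  Added example, not part of the original thread.
  Assumptions (all placeholders, replace before use):
    $InternalName   - a name that has an internal A record and a different public one
    $InternalServer - the IP of your internal DNS server
    $VpnName        - the name of the VPN connection / virtual adapter
  -Fix applies the remediation the answers suggest: pin the VPN adapter to the
  internal server and route all traffic through the tunnel (no split tunnelling).
#>
param(
    [string]$InternalName   = "intranet.example.local",   # constructed placeholder
    [string]$InternalServer = "10.0.0.53",                # constructed placeholder
    [string]$VpnName        = "Office VPN",               # constructed placeholder
    [switch]$Fix
)

# Step 1: which interfaces carry DNS servers? The symptom in the thread is that the
# physical NIC's entry (the home router) is consulted before the VPN adapter's.
Write-Host "DNS servers per interface:"
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        "  {0,-30} {1}" -f $_.InterfaceAlias, ($_.ServerAddresses -join ", ")
    }

# Step 2: query one server directly, bypassing the resolver cache and the hosts
# file, so the answer reflects that server alone (the nslookup 'server' trick).
function Test-ServerAnswer {
    param([string]$Name, [string]$Server)
    try {
        $rec = Resolve-DnsName -Name $Name -Server $Server -Type A `
                   -DnsOnly -NoHostsFile -QuickTimeout -ErrorAction Stop |
               Where-Object { $_.Type -eq 'A' }
        [pscustomobject]@{ Server = $Server; Answer = ($rec.IPAddress -join ", "); Error = $null }
    } catch {
        # A timeout here matches muff's point: Windows gives up on slow servers
        # and falls back to whatever other server it has configured.
        [pscustomobject]@{ Server = $Server; Answer = $null; Error = $_.Exception.Message }
    }
}

# Step 3: compare what the internal server says with what every other configured
# server says. Any server whose answer differs from the internal one is the source
# of the "external IP for an internal name" symptom if Windows consults it first.
$reference = Test-ServerAnswer -Name $InternalName -Server $InternalServer
Write-Host "`nInternal server $InternalServer -> $($reference.Answer) $($reference.Error)"

$others = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } |
    Where-Object { $_ -and $_ -ne $InternalServer } |
    Select-Object -Unique

foreach ($srv in $others) {
    $r = Test-ServerAnswer -Name $InternalName -Server $srv
    $verdict = if ($r.Error) { "TIMEOUT/ERROR: $($r.Error)" }
               elseif ($r.Answer -eq $reference.Answer) { "matches internal" }
               else { "DIFFERS (public answer?)" }
    Write-Host ("  {0,-18} -> {1,-20} {2}" -f $srv, $r.Answer, $verdict)
}

# Step 4 (optional): apply the remediation from the answers above.
if ($Fix) {
    # Pin the VPN adapter to the internal name server only (Rob Williams' first point).
    Set-DnsClientServerAddress -InterfaceAlias $VpnName -ServerAddresses $InternalServer
    # "Use default gateway on remote network" = disable split tunnelling. This only
    # works for connections managed by the built-in client (Add-VpnConnection), not
    # for a third-party IPsec client such as one used with the thread's Cisco PIX.
    Set-VpnConnection -Name $VpnName -SplitTunneling $false -ErrorAction SilentlyContinue
    Write-Host "`nApplied: VPN adapter pinned to $InternalServer, split tunnelling disabled."
}
```

Run it while the VPN is up. If the internal server answers with the internal address but a physical-interface server answers with a public one, the client is not broken, its server ordering is; if the internal server times out, look at the tunnel itself before touching the client settings.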