Solved

Windows VPN Connections Not Resolving Internal DNS

Posted on 2006-06-29
Last Modified: 2012-05-05
I was debating what section to actually post this...

I have users making VPN connections through a Cisco PIX and authenticating via RADIUS to a Windows 2000 server running IAS and RRAS. My Mac OS X and Linux users, once connected, are able to resolve addresses to their internal IP through our internal name server running BIND. However, Windows XP users, when trying to resolve internal names in DNS, receive external IPs as if they were using another public DNS server.

In Windows XP, while connected through VPN, I can run ipconfig /all and see that the correct DNS Server is in place. However, when doing an nslookup, it's trying to use the local router of where the computer is VPN'ing from as the DNS server.  For example, I'm connected to my office VPN from home and when I run nslookup it is using my home router's IP as the default server. I've also tried doing an ipconfig /flushdns to no avail.

As I said, it's just on Windows where I have this problem and it's multiple if not all Windows VPN users. We have another main office that has pretty much an identical setup as mine except they use Microsoft DNS and when making a VPN connection to their network I have the same problem.

Any ideas?
Question by:icarus004

Expert Comment

by:Rob Williams
ID: 17022397
One thought: test if you can connect with the full computer and domain name as \\ComputerName.domain.local. If so, add the suffix DomainName.local to the DNS configuration of the virtual private adapter/connection [ right click virtual adapter | properties | TCP/IP properties | Advanced | DNS | "Append these DNS suffixes (in order)" | Add ]

Accepted Solution

by:
muff earned 250 total points
ID: 17031177

Have you determined whether the internal DNS servers are accessible when the Windows XP vpn users are connected?

If you do

   nslookup
   server <internal dns>

Then type a name you want to resolve.  I am guessing this will work, because it works for the Linux users.  So it is probably that the Windows machine is falling back to the local DNS servers (when you do ipconfig /all, do you see DNS servers defined against the physical interfaces as well as the logical interface created for the VPN?)

If this is the case, then it could be a timeout issue, the internal DNS servers are not responding quickly enough, or packets are being lost... which perhaps indicates a problem with the VPN itself.  Windows is much more sensitive to DNS timeouts than Linux.  Try to resolve a few addresses to see if you get any timeouts.


Author Comment

by:icarus004
ID: 17032708
In my original question I mentioned how when connected via VPN, ipconfig /all shows that I am using the internal name server but nslookup shows that the default server is my home gateway/router. When VPN'd in nslookup doesn't seem to query my internal NS at all as I get the external IP's when doing a lookup. That said, and probably should have mentioned earlier, I am able to resolve certain addresses that do not have a public record in an external DNS server.

Your question about dns servers defined for the physical interface as well as the VPN interface made a light go off for me.

Although connected to my network via VPN, Windows is still wanting to use the DNS entry for the physical interface. If it can't find a resolution there it then queries my internal name server which shows as the default in ipconfig but not nslookup. This is why I'm still able to resolve servers that do not have a public DNS entry. So... How do I force Windows VPN connections to only use my internal name server?

I've tried forcing it under the Networking ---> TCP/IP properties of my VPN connection.

Assisted Solution

by:Rob Williams
Rob Williams earned 250 total points
ID: 17032877
>>"How do I force Windows VPN connections to only use my internal name server? "
You say you have tried forcing under TCP/IP properties. Is this by manually assigning the DNS servers? Should work.

The VPN client seems to get its DNS servers from the actual server's configuration rather than from the DHCP scope. What does the VPN server have as its DNS servers? It should have only your own internal DNS server/s and no ISP DNS servers. ISP DNS servers should be added as forwarders only.

You can also force all traffic through the tunnel by enabling the "use default gateway on remote network" option located under the advanced TCP/IP properties of the VPN/virtual network adapter. This is usually enabled by default, but will block local Internet access, and force all traffic through the tunnel.
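
The check raised in the accepted solution (does `ipconfig /all` list DNS servers against the physical interface as well as the VPN interface?) can be scripted across many clients. The following is an added example, not part of the original thread; the sample output, adapter names, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of `ipconfig /all`; adapter names and
# addresses are made up for illustration.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.50
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1

PPP adapter Office VPN:

        IP Address. . . . . . . . . . . . : 10.0.0.120
        DNS Servers . . . . . . . . . . . : 10.0.0.10
                                            10.0.0.11
"""

ADAPTER = re.compile(r"^(\S.*adapter .+):\s*$")          # unindented section header
FIELD = re.compile(r"^\s+([^.:]+?)[ .]*:\s*(.*)$")       # "Name . . . : value"
BARE_IP = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")  # continuation line


def dns_by_adapter(text):
    """Map each adapter section to the DNS servers listed under it."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        if m := ADAPTER.match(line):
            adapter, in_dns = m.group(1), False
            result[adapter] = []
        elif adapter and in_dns and (m := BARE_IP.match(line)):
            # Second and later servers appear alone on indented lines.
            result[adapter].append(m.group(1))
        elif adapter and (m := FIELD.match(line)):
            in_dns = m.group(1).strip() == "DNS Servers"
            if in_dns and m.group(2).strip():
                result[adapter].append(m.group(2).strip())
    return result


def outside_resolvers(text, internal_dns):
    """Adapters that still list a resolver other than the internal ones."""
    return {name: extra for name, servers in dns_by_adapter(text).items()
            if (extra := [s for s in servers if s not in internal_dns])}


if __name__ == "__main__":
    print(outside_resolvers(SAMPLE, {"10.0.0.10", "10.0.0.11"}))
```

Any adapter it reports is a resolver outside the tunnel that the client can still query, which matches the behaviour the asker describes for the physical interface.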