Windows VPN Connections Not Resolving Internal DNS

Posted on 2006-06-29
Medium Priority
Last Modified: 2012-05-05
I was debating what section to actually post this...

I have users making VPN connections through a Cisco PIX and authenticating via RADIUS to a Windows 2000 server running IAS and RRAS. My Mac OS X and Linux users, once connected, are able to resolve addresses to their internal IP through our internal name server running BIND. However, Windows XP users when trying to resolve internal names in DNS receive external IPs as if they were using another public DNS server.

In Windows XP, while connected through VPN, I can run ipconfig /all and see that the correct DNS Server is in place. However, when doing an nslookup, it's trying to use the local router of where the computer is VPN'ing from as the DNS server.  For example, I'm connected to my office VPN from home and when I run nslookup it is using my home router's IP as the default server. I've also tried doing an ipconfig /flushdns to no avail.

As I said, it's just on Windows where I have this problem and it's multiple if not all Windows VPN users. We have another main office that has pretty much an identical setup as mine except they use Microsoft DNS and when making a VPN connection to their network I have the same problem.

Any ideas?
Question by:icarus004
Expert Comment

by:Rob Williams
ID: 17022397
One thought; test if you can connect with the full computer and domain name as \\ComputerName.domain.local. If so, add the suffix DomainName.local to the DNS configuration of the virtual private adapter/connection [ right click virtual adapter | properties | TCP/IP properties | Advanced | DNS | "Append these DNS suffixes (in order)" | Add ]

Accepted Solution

muff earned 1000 total points
ID: 17031177

Have you determined whether the internal DNS servers are accessible when the Windows XP vpn users are connected?

If you do

   server <internal dns>

Then type a name you want to resolve.  I am guessing this will work, because it works for the Linux users.  So it is probably that the Windows machine is falling back to the local DNS servers (when you do ipconfig /all, do you see DNS servers defined against the physical interfaces as well as the logical interface created for the VPN?)

If this is the case, then it could be a timeout issue: the internal DNS servers are not responding quickly enough, or packets are being lost... which perhaps indicates a problem with the VPN itself.  Windows is much more sensitive to DNS timeouts than Linux.  Try to resolve a few addresses to see if you get any timeouts.
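The check muff describes (query the internal server directly, then compare with what the OS resolver hands back) as an added example; it is not code from this thread. It assumes Python 3.9+, and `intranet.example` and the internal DNS address are placeholders.

```python
import socket
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Recursive A-record query for `name` in RFC 1035 wire format (flags: RD set)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def _skip_name(data: bytes, off: int) -> int:
    """Advance past a domain name; a 2-byte compression pointer (0xC0..) ends it."""
    while data[off] != 0 and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(resp: bytes) -> list[str]:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QNAME, then QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips

def query_server(name: str, server: str, timeout: float = 2.0) -> list[str]:
    """Ask one specific DNS server directly, like `server <ip>` inside nslookup."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)  # a timeout here is the symptom muff describes
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("DNS transaction id mismatch")
    return parse_a_records(resp)

def check_vpn_dns(name: str, internal_dns: str) -> dict:
    """OS resolver vs. the tunnel's DNS; a mismatch means the physical NIC's DNS won."""
    os_ips = sorted(socket.gethostbyname_ex(name)[2])
    vpn_ips = sorted(query_server(name, internal_dns))
    return {"os": os_ips, "internal": vpn_ips, "mismatch": os_ips != vpn_ips}

# Constructed sample (not a capture): reply "intranet.example A 10.0.0.5", answer name as pointer 0xC00C.
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x08intranet\x07example\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x0a\x00\x00\x05")
```

Run `check_vpn_dns("intranet.example", "<internal dns>")` while connected; `"mismatch": True` with a public address under `"os"` reproduces the behaviour reported in the question, and a `socket.timeout` from `query_server` points at the tunnel rather than the resolver order.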


Author Comment

ID: 17032708
In my original question I mentioned how, when connected via VPN, ipconfig /all shows that I am using the internal name server but nslookup shows that the default server is my home gateway/router. When VPN'd in, nslookup doesn't seem to query my internal NS at all, as I get the external IPs when doing a lookup. That said, and I probably should have mentioned this earlier, I am able to resolve certain addresses that do not have a public record in an external DNS server.

Your question about dns servers defined for the physical interface as well as the VPN interface made a light go off for me.

Although connected to my network via VPN, Windows is still wanting to use the DNS entry for the physical interface. If it can't find a resolution there, it then queries my internal name server, which shows as the default in ipconfig but not nslookup. This is why I'm still able to resolve servers that do not have a public DNS entry. So... How do I force Windows VPN connections to only use my internal name server?

I've tried forcing it under the Networking ---> TCP/IP properties of my VPN connection.

Assisted Solution

by:Rob Williams
Rob Williams earned 1000 total points
ID: 17032877
>>"How do I force Windows VPN connections to only use my internal name server? "
You say you have tried forcing under TCP/IP properties. Is this by manually assigning the DNS servers? Should work.

The VPN client seems to get its DNS servers from the actual server's configuration rather than from the DHCP scope. What does the VPN server have as its DNS servers? It should have only your own internal DNS server/s and no ISP DNS servers. ISP DNS servers should be added as forwarders only.

You can also force all traffic through the tunnel by enabling the "use default gateway on remote network" option located under the advanced TCP/IP properties of the VPN/virtual network adapter. This is usually enabled by default, but will block local Internet access, and force all traffic through the tunnel.
