Remote users have domain name resolution issues when in house using internal DNS

Posted on 2007-12-03
Last Modified: 2010-08-05
I have 3 domain controllers all running Windows 2003 Server R2 with dns installed. I have some users that travel and work from home. Those users have issues resolving our websites because dns is resolving them to the external IP instead of the internal local IP. If they repair their network connection this usually fixes it. Below is a very detailed explanation of the problem I found online but the solution they proposed did not work properly in my environment.

"Another problem is that you are connected to the internet but there is a conflict between the DNS name you are using internally and the same domain name that is registered on the internet.  Confusion may be caused by your web server or your Exchange server registering the same domain name but with a different IP address.   For instance your ISP or InterNic may have legitimately assigned a different IP address for your domain name."

Question by:IsaacWeathers
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
LVL 11

Expert Comment

ID: 20397756
Are your DNS servers public? Do they heve a public IP?
How do your users connect from home to the server?

If they have a permanent connection to the Internet and your NS Ips are public, then they must set on there LAN connection TCP/IP-prperties Primary/Preffered DNS and Secondary/Alternative DNS = your public ips

Author Comment

ID: 20397811
DNS servers are internal not public. They do not have a public ip. Remote users are getting on our network via Microsoft VPN client. Our remote and local users are all DHCP and the DNS ips that we assign to networking settings are all internal IPs. None of the dns entries in the tcp/ip properties are pointing to public dns servers (it is recommended you only use internal dns and use dns server to foward requests for domain names it can't resolve to public dns servers)
LVL 11

Expert Comment

ID: 20397879
If you have configured the VPN Client or PPTP client to use the same group as that of the SSL VPN Client, ensure that you have enabled IPsec on the group where the client connects. This resolves the DNS issue.
Are You Headed to Black Hat USA 2017?

Getting ready for Black Hat next week? Kick things off with the WatchGuard Badge Challenge and test your puzzle and cipher skills. Do you have what it takes to earn our limited edition Firebox Badge? Get started today -

LVL 11

Expert Comment

ID: 20397918
I did not read all of the article -but- maybe you can read it...

Name resolution issues for the VPN client are often problematic. The Firewall client needs to be able to resolve the name of the ISA Server to the internal IP address of the ISA Server. You might think configuring a WINS and DNS server would be enough, but Ive found the results to be somewhat inconsistent, even when Ive gone out of my way to create a WINS referral zone in DNS. The best solution is to configure the VPN client to receive an address of a DNS server that can resolve the name of the internal interface of the ISA Server to its internal IP address
LVL 11

Expert Comment

ID: 20397956
Something that I came up now...
Does your remote users have set the DNS suffix on there connection? That might resolve the issue.

Author Comment

ID: 20398272
Maybe I need to give an example. We have a group of users that have laptops. These users rarely come to the office. Most of the time they work off the network but when they connect to the VPN they are no longer able to connect to our websites that are hosted internally. The reason is that DNS resolves to an external IP instead of the internal IP. Firewall does not allow a user in the network to go outside the network to come back in to the external IP. Does that make more sense? Almost as if the Internal DNS servers had not been queried instead old cached dns requests had been used. This is why repairing connection usually works because the cache is cleared.
LVL 11

Accepted Solution

AkisC earned 500 total points
ID: 20398405
Goto to the Advanced TCP/IP properties of each "home user" and uncheck the Enable LMHOSTS lookup checkbox
Also check Enable BIOS iver TCP/IP

If that does not resolve the problem... A Work around...(?)
When you click repair connection the OS
attempts to renew the DHCP lease, if the connection obtains its IP address through DHCP, using a broadcast message.
Flushes the Address Resolution Protocol (ARP) cache using the command arp -d *
Flushes the NetBIOS cache using the command nbtstat -R
Flushes the DNS cache using the command ipconfig /flushdns
Reregisters the NetBIOS name and IP address with WINS using the command nbtstat -RR
Reregisters the computer name and IP address with DNS using the command ipconfig /registerdns

Create and install a script (on the users computer) that does all the above before it connects to your VPN .


Author Comment

ID: 20457113
I have been testing your solution with about 4 of the people having this problem. It seems that the work around is the only fix for it. None of the other fixes suggested have worked. The only problem I have is that I don't want to be having this script run every time a person logs on. I need something better not just a workaround.

Author Closing Comment

ID: 31422252
The proposed solution was just a bandaid. I would prefer to know the root cause of the issue not just run a script when it happens to fix it.

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you have a multi-homed DNS setup in windows, you can have issues with connectivity to the server that hosts the DNS services (or even member servers of your domain if this same DNS server is a DC). This is because windows registers all of its IPs…
Resolve DNS query failed errors for Exchange
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question