DNS issues in site to site PPTP VPN connection

Posted on 2008-06-23
Last Modified: 2012-08-14
I have created a site to site PPTP bridge between 2 domain controllers. The connection is persistent and seems to never go down.

I am having odd DNS issues. If I am on the calling machine and I ping the remote machine I get the remote server's IP address and all is right with the world. If I am on the called machine and ping the calling machine it resolves to the local IP address and I get no replies.

How can I force the "called" machine to use the IP address it assigns the "calling" machine so I can maintain connectivity and replication?

Question by:skione
LVL 14

Expert Comment

ID: 21849173
You may get a better solution if you tell us what you are actually trying to accomplish instead of the problem you see when performing a troubleshooting step like ping. Also, it will be very helpful to know what type of VPN end-point you are utilizing (specific firewall brand, Windows RRAS, etc.).

Generally a PPTP VPN is used so that the calling machine can get access to the network (not for reversing the communication path), so the behavior you describe is not necessarily unusual.  A quick solution, if your endpoint supports this, is to enable dynamic DNS updates.  That way the endpoint will create a DNS entry whenever it passes out a DHCP IP.

If the endpoint does not support this feature, maybe it will use pass-through DHCP IP assignment (meaning that the PPTP VPN endpoint pulls IP addresses from the Windows DHCP server instead of using its own self-contained pool). Then all you would need to do is be sure your DHCP pool is set to update DNS.

Author Comment

ID: 21849228
I am using a site-to-site PPTP VPN connection between Windows 2003 Domain Controllers that are members of the same domain. I am doing this via Windows Routing and Remote Access.

IP addresses are static on both (since both DCs host DNS servers) and IP address to the VPN client DC is assigned dynamically from an address pool.

The problem is that when it connects it replicates DNS information including all the IP addresses assigned to the client DC.

Then when I try to ping the client by host name it returns the primary IP address of that machine which is on the wrong subnet. I can see that it does indeed register the dynamically assigned address but chooses to ignore it.

If I could somehow force it to use the IP assigned by the VPN server on the VPN server I would be set and all my troubles would go away.

I hesitate to use anything like a hosts file as the IP does change and obviously that would cause a real problem.

Hopefully this provides more information.
LVL 14

Assisted Solution

mds-cos earned 25 total points
ID: 21849454
OK, got it.  

Let's approach this problem from a different perspective. A PPTP VPN tunnel is generally used so that client computers can connect remotely to your network (without having to get any client software or jump through any configuration hoops). An IPSEC VPN tunnel, on the other hand, is almost always the right choice for a site-to-site VPN (not to mention IPSEC is more secure than PPTP).

I think your best approach to this problem would be to set up an IPSEC tunnel between the servers in place of the PPTP tunnel. This will not only resolve your DNS issue, but will also put you into more of a "best practices" situation that should serve you better down the road.

I also have to point out that running site-to-site VPN through a good firewall will probably save you some grief down the line. I have yet to see a RRAS server *not* develop problems at some point during its life. You will most likely end up spending more in support and troubleshooting of RRAS than you will initially spend investing in a couple of quality firewalls.

If you don't like either of these approaches, here is one way that you can force DNS to behave as you want it to (but I do not recommend this except as a lab exercise, since it may break some inter-site functionality depending on what else you have going on). Set up your DNS zones as standard primary zones rather than AD integrated. Now hard-code the "correct" IP address of each server into the DNS zone. Do not turn on replication of these zones. Now the servers will not pass "wrong" addresses to each other.
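The root of the symptom described in the question and in this answer is that a multi-homed DC registers every one of its addresses (LAN address plus the RRAS-assigned pool address) into the replicated zone, and the remote resolver may hand back the one that is not routable across the tunnel. The following script is an added diagnostic example, not code from the thread or from Windows: it takes a set of A records and the prefixes the local host can reach (both constructed, hypothetical values here; on a real server they would come from a zone export and the routing table) and reports which names are multi-homed and which of their addresses are actually usable from this side.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: A records as replicated into an AD-integrated zone.
# The branch DC has registered both its LAN address and the address the
# RRAS server handed it from the VPN pool. All values are hypothetical.
SAMPLE_A_RECORDS: Dict[str, List[str]] = {
    "dc-branch.example.local": ["192.168.20.5", "10.99.0.12"],
    "dc-hq.example.local": ["192.168.10.5"],
}

# Prefixes reachable from the HQ DC: its own LAN plus the VPN address pool.
# Hypothetical; a real check would read these from the routing table.
REACHABLE_PREFIXES = ["192.168.10.0/24", "10.99.0.0/24"]


def reachable_addresses(addrs: List[str], prefixes: List[str]) -> List[str]:
    """Return the subset of addrs that fall inside one of the given prefixes,
    preserving the order in which DNS returned them."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [a for a in addrs if any(ipaddress.ip_address(a) in n for n in nets)]


def audit_records(records: Dict[str, List[str]],
                  prefixes: List[str]) -> Dict[str, dict]:
    """For each name, flag whether it is multi-homed (more than one A record)
    and split its addresses into those routable from here and those that
    would silently time out if a resolver picked them."""
    report = {}
    for name, addrs in records.items():
        usable = reachable_addresses(addrs, prefixes)
        report[name] = {
            "multi_homed": len(addrs) > 1,
            "usable": usable,
            "unreachable": [a for a in addrs if a not in usable],
        }
    return report


if __name__ == "__main__":
    for name, info in audit_records(SAMPLE_A_RECORDS, REACHABLE_PREFIXES).items():
        flag = "MULTI-HOMED" if info["multi_homed"] else "single"
        print(f"{name}: {flag}; usable={info['usable']} unreachable={info['unreachable']}")
```

Any name that shows up as multi-homed with an unreachable address is a candidate for the kind of intermittent "resolves to the wrong subnet" behaviour the question describes, regardless of whether the fix chosen is an IPSEC tunnel, a firewall, or the standard-primary-zone workaround above.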

Author Comment

ID: 21849515
Well converting over to IPSec might be something I do but for right now PPTP is working ok.

I can't use static addresses as there is no way to assign an address statically when connecting via a VPN connection. The address has to come from an address pool of some sorts.

I just made some changes, most notably, I made the VPN server listen only to the now WAN IP addresses.

Now it seems to be working correctly.

Hopefully it will last.

Accepted Solution

skione earned 0 total points
ID: 21849536
