

DNS issues in site to site PPTP VPN connection

Posted on 2008-06-23
Medium Priority
Last Modified: 2012-08-14
I have created a site to site PPTP bridge between 2 domain controllers. The connection is persistent and seems to never go down.

I am having odd DNS issues. If I am on the calling machine and I ping the remote machine I get the remote server's IP address and all is right with the world. If I am on the called machine and ping the calling machine it resolves to the local IP address and I get no replies.

How can I force the "called" machine to use the IP address it assigns the "calling" machine so I can maintain connectivity and replication?

Question by:skione
LVL 14

Expert Comment

ID: 21849173
You may get a better solution if you tell us what you are actually trying to accomplish instead of the problem you see when performing a troubleshooting step like ping.  Also, it will be very helpful to know what type of VPN end-point you are utilizing (specific firewall brand, Windows RRAS, etc)

Generally a PPTP VPN is used so that the calling machine can get access to the network (not for reversing the communication path), so the behavior you describe is not necessarily unusual.  A quick solution, if your endpoint supports this, is to enable dynamic DNS updates.  That way the endpoint will create a DNS entry whenever it passes out a DHCP IP.

If the endpoint does not support this feature, maybe it will use pass-through DHCP IP assignment (meaning that the PPTP VPN endpoint pulls IP addresses from the Windows DHCP server instead of using its own self-contained pool).  Then all you would need to do is be sure your DHCP pool is set to update DNS.

Author Comment

ID: 21849228
I am using a site-to-site PPTP VPN connection between Windows 2003 Domain Controllers that are members of the same domain. I am doing this via windows routing and remote access.

IP addresses are static on both (since both DCs host DNS servers) and the IP address for the VPN client DC is assigned dynamically from an address pool.

The problem is that when it connects it replicates DNS information including all the IP addresses assigned to the client DC.

Then when I try to ping the client by host name it returns the primary IP address of that machine which is on the wrong subnet. I can see that it does indeed register the dynamically assigned address but chooses to ignore it.

If I could somehow force it to use the IP assigned by the VPN server on the VPN server I would be set and all my troubles would go away.

I hesitate using anything like a hosts file as the IP does change and obviously that would cause a real problem.

Hopefully this provides more information.
LVL 14

Assisted Solution

mds-cos earned 100 total points
ID: 21849454
OK, got it.  

Let's approach this problem from a different perspective.  A PPTP VPN tunnel is generally used so that client computers can connect remotely to your network (without having to get any client software or jump through any configuration hoops).  An IPSEC VPN tunnel, on the other hand, is almost always the right choice for a site-to-site VPN (not to mention IPSEC is more secure than PPTP).

I think your best approach to this problem would be to set up an IPSEC tunnel between the servers in place of the PPTP tunnel.  This will not only resolve your DNS issue, but will also put you into more of a "best practices" situation that should better serve down the road.

I also have to point out that running site-to-site VPN through a good firewall will probably save you some grief down the line.  I have yet to see a RRAS server *not* develop problems at some point during its life.  You will most likely end up spending more in support and troubleshooting of RRAS than you will initially spend investing in a couple of quality firewalls.

If you don't like either of these approaches, here is one way that you can force DNS to behave as you want to (but I do not recommend this except as a lab exercise, since it may break some inter-site functionality depending on what else you have going on).  Set up your DNS zones as standard primary zones rather than AD integrated.  Now hard-code the "correct" IP address of each server into the DNS zone.  Do not turn on replication of these zones.  Now the servers will not pass "wrong" addresses to each other.
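
A check worth running on the "called" DC before changing zone types, as an added example that is not part of the original thread: it lists every A record DNS holds for the peer DC's host name, flags which of them falls inside the RRAS address pool, pings each one, and shows which address the local resolver returns first (the one ping will use). The host name `dc2.example.local` and the pool `10.10.99.0/24` are assumptions and not values from the thread; `Resolve-DnsName` and `Test-Connection -Quiet` need Windows 8 / Server 2012 or later, so on Windows Server 2003 the equivalent manual checks are `nslookup -type=A` and `ping`.

```powershell
<#
Added example (not from the original thread): on the "called" DC, list every
A record that DNS holds for the peer DC's host name, flag which of them lies in
the RRAS static address pool, and ping each one.  The host name and pool below
are assumptions; replace them with your own.
#>
param(
    [string]$PeerDc  = 'dc2.example.local',   # assumed peer DC host name
    [string]$VpnPool = '10.10.99.0/24'        # assumed RRAS static address pool
)

# Convert a dotted quad to an integer so subnet membership is plain arithmetic.
function ConvertTo-Int64 {
    param([string]$Ip)
    $b = ([System.Net.IPAddress]$Ip).GetAddressBytes()
    return [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

# True when $Address lies inside the IPv4 CIDR block $Cidr.
function Test-InSubnet {
    param([string]$Address, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $mask = [long]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return ((ConvertTo-Int64 $Address) -band $mask) -eq ((ConvertTo-Int64 $net) -band $mask)
}

# One row per A record: the address, whether it is a pool address, and whether
# it answers ICMP from this host.
function Get-PeerAddressReport {
    param([string]$Name, [string]$Pool)
    $records = Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'A' }
    foreach ($r in $records) {
        [pscustomobject]@{
            Address   = $r.IPAddress
            InVpnPool = Test-InSubnet -Address $r.IPAddress -Cidr $Pool
            Reachable = Test-Connection -ComputerName $r.IPAddress -Count 2 -Quiet `
                            -ErrorAction SilentlyContinue
        }
    }
}

# The address the local resolver hands back first is the one ping and the
# replication client will try.
$first = ([System.Net.Dns]::GetHostAddresses($PeerDc) |
          Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
          Select-Object -First 1).IPAddressToString
Write-Host "Resolver returns $first first for $PeerDc"

Get-PeerAddressReport -Name $PeerDc -Pool $VpnPool | Format-Table -AutoSize
```

Save it as a `.ps1` and run it from an elevated prompt on the called DC, passing your own `-PeerDc` and `-VpnPool`. A row with `InVpnPool = True` and `Reachable = True` next to a `Reachable = False` LAN address is the symptom described in the question: both addresses are registered, and the resolver is handing out the one that cannot be routed across the tunnel. Bear in mind that `Reachable` depends on ICMP being allowed through the tunnel and any host firewall, so a `False` there is a hint, not proof.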

Author Comment

ID: 21849515
Well converting over to IPSec might be something I do but for right now PPTP is working ok.

I can't use static addresses as there is no way to assign an address statically when connecting via a VPN connection. The address has to come from an address pool of some sorts.

I just made some changes, most notably, I made the VPN server listen only to the now WAN IP addresses.

Now it seems to be working correctly.

Hopefully it will last.

Accepted Solution

skione earned 0 total points
ID: 21849536



