Solved

DNS Fails When Connected to SSTP VPN

Posted on 2012-03-30
12
3,202 Views
Last Modified: 2012-04-08
Experts,

I am running into an issue that has cost some significant time - your help is appreciated. We're currently running an SSTP VPN connection hosted on a 2008 R2 RRAS server. A few weeks ago, at random, DNS lookups stopped working for those connected to the VPN (giving the user the impression that connecting to the VPN completely disables their network connection).

Here are the facts:

1. Users can connect to the VPN fine; once they do, they're able to ping any device on the protected network.

2. ANY DNS lookup fails when they are connected to the VPN.

3. Using NSLookup to test DNS while connected to the VPN shows their existing (public) DNS server works. Manually changing the DNS setting to a local DNS server on the protected network also works.

4. Broadcast name resolution is enabled on the RRAS server:

[screenshot: SSTP VPN Settings]
5. Wireshark captures from the client while connected show the client attempting to broadcast for name resolution. Note: the subnet I am assigning for the SSTP VPN is 10.223.0.50-69. This client has the IP address 10.223.0.53 on the SSTP VPN, 10.223.99.100 on the LAN:

[screenshot: Wireshark capture]
I'm not too sure where to go from here. Thanks so much for your help!
0
Comment
Question by:jmichaelpalermo4
12 Comments
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 37789891
Hi,


DNS settings in Microsoft DNS are inherited from the VPN Server. As a rule of thumb, if the VPN Server cannot resolve names then clients also cannot resolve. So you'd better check your VPN server first. Make sure that your VPN server can resolve names. Also you might like to check the routing and make sure that you're routing the traffic for the DNS segment to the VPN interface and not the internet (through the Default Gateway).

Cheers,
K.
0
 
LVL 24

Expert Comment

by:Dirk Kotte
ID: 37790206
"Broadcast name resolution" will use the NetBIOS Name Service.
This only works for the NetBIOS names of local clients/servers, and I think this is not google.com :-).
Is WINS active within your LAN? Then you should push the server address with the connection.
If your VPN-connected clients use their own (the public) DNS server they can't find your internal servers.
Then you have to push your internal DNS server with the connection.
Can the client ping the DNS (and WINS) servers? (Do they know the route to the VPN client subnet?)
0
 
LVL 2

Expert Comment

by:robdl
ID: 37790786
Under the TCP/IP4 properties of the VPN connection, you can specify DNS servers.
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 37791783
You can use CMAK to create a fully customized  VPN client and specify the DNS servers there.
0
 
LVL 3

Author Comment

by:jmichaelpalermo4
ID: 37795841
Thanks for the advice all -

In testing, if I statically set the DNS server on the VPN Client, the client works okay. However, my main concern is that this was working fine before...I'm not sure why it stopped working.

KeremE - The server terminating the VPN connection is able to resolve DNS entries correctly

Dkotte - I'm not able to resolve names on the local LAN or the Internet. The client is able to ping all devices by IP address (including DNS servers) while connected to the VPN.

Robdl / Sulimanw - Hard coding the DNS server on the SSTP VPN client properties would be an alternative if I'm able to figure out a way to do it via GPO (there are many laptops in our organization). Can you advise on this?

Thanks all!
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 37795942
It seems that your firewall does not push DNS addresses with the VPN connection. Since they are available via IP but not FQDN, it seems that either the DNS name pushed by the VPN is incorrect or it does not push one at all.

Can you launch CMD after you've logged in to VPN and run ipconfig /all to make sure that your DNS settings are properly pushed from the VPN Server.
0
 
LVL 2

Expert Comment

by:robdl
ID: 37796799
You might also try adding a persistent 'route add' command on the RRAS server for each subnet.
0
 
LVL 3

Author Comment

by:jmichaelpalermo4
ID: 37796946
Here's the output of ipconfig /all while on the VPN:

[screenshot: ipconfig /all output on the SSTP connection]
There's definitely no DNS assigned - why is that not coming over? RRAS only allows me to set up a local pool of addresses - I used a pool from within my central site subnet.
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 37797052
"There's definitely no DNS assigned - why is that not coming over? RRAS only allows me to set up a local pool of addresses - I used a pool from within my central site subnet."

Yeah, but there are also options in which you can add some resources such as DNS... Since NetBIOS is enabled it is trying to send the DNS query over NetBIOS. So if you add an option for DNS it would push them too.
0
 
LVL 3

Author Comment

by:jmichaelpalermo4
ID: 37797118
Where do I add an option for DNS? All I've got is the local pool IP range:

[screenshot: SSTP Config]
0
 
LVL 3

Accepted Solution

by:jmichaelpalermo4 (earned 0 total points)
ID: 37800779
Problem resolved! While Googling, I found this post:

http://social.technet.microsoft.com/Forums/en-IE/winserverNIS/thread/67200f1d-6d81-4363-8bb5-ee22df538f22

This led me to inspect the NICs on my SSTP VPN server. About three weeks ago, a new NIC had been added that connected to a completely unrelated network (not used by the SSTP VPN at all). For some reason, the RRAS service decided to use the DNS settings of this NIC for the clients (there were no DNS servers assigned). On a whim, I decided to assign a DNS server to the NIC and voila, clients are now able to resolve DNS while connected to the SSTP VPN.

Thanks for your thoughts on this guys.
0
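The check Kerem suggested (ipconfig /all after connecting) and the root cause in the accepted solution (a NIC on the RRAS server with no DNS servers) both come down to "which adapters have an empty DNS server list". The script below is an added example, not code from this thread; it uses the Win32_NetworkAdapterConfiguration WMI class, which exists on Windows 7 / Server 2008 R2, and the function name and ComputerName parameter are my own.

```powershell
# Added example (not from the thread). Lists every IP-enabled adapter with its
# DNS server list and flags the ones that have none. Run it on the RRAS server to
# spot an extra NIC without DNS servers (the cause found in this thread), or on a
# client after connecting to the SSTP VPN to confirm the PPP adapter received DNS.
function Get-AdapterDnsAudit {
    param(
        # Hypothetical parameter: machine to inspect; defaults to the local host.
        [string]$ComputerName = $env:COMPUTERNAME
    )
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                  -ComputerName $ComputerName -Filter "IPEnabled = TRUE" |
        ForEach-Object {
            # DNSServerSearchOrder is $null when no DNS server is configured;
            # filtering out empty entries gives a count of 0 in that case.
            $dns = @($_.DNSServerSearchOrder | Where-Object { $_ })
            New-Object PSObject -Property @{
                Adapter    = $_.Description
                IPAddress  = (@($_.IPAddress) -join ', ')
                DnsServers = ($dns -join ', ')
                # True when the adapter has no DNS servers at all: the state
                # RRAS handed to the VPN clients in this thread.
                MissingDns = ($dns.Count -eq 0)
            }
        } | Select-Object Adapter, IPAddress, DnsServers, MissingDns
}

$audit = Get-AdapterDnsAudit
$audit | Format-Table -AutoSize

$bad = @($audit | Where-Object { $_.MissingDns })
if ($bad.Count -gt 0) {
    $names = ($bad | ForEach-Object { $_.Adapter }) -join '; '
    Write-Warning "Adapters with no DNS servers: $names"
    Write-Warning "On an RRAS server, assign DNS servers to these NICs (or disable unused ones); RRAS may pass their empty DNS list to VPN clients."
}
```

On a client, an SSTP connection shows up as a PPP adapter in this list, so a blank DnsServers column there matches the ipconfig /all result the author posted.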
 
LVL 3

Author Closing Comment

by:jmichaelpalermo4
ID: 37820827
I resolved this myself.
0