DNS name resolution via PPTP VPN

 
 
Valdas Adomaitis
10-21-2009

Hello

I've set up the following:

Client (Vista Business; 192.168.1.135/24)--(Router/gateway;
192.168.1.1/24)--ISP--Remote location (router; 192.168.0.1/24)--(Server 2008;
VPN; 192.168.0.253/24)--(XP client machine; "HOSTNAME" 192.168.0.102)

I connect to the remote location via VPN. There is no DNS server set up on
Server 2008.
Both locations use DNS on that location's hardware router (192.168.1.1 and
192.168.0.1).

The question is: what has to be done to be able to ping machines at the remote
location by name?
If I use nslookup and then set it to use the DNS server of the remote location, it
resolves the name.
I suppose if I set up some DNS server at my location 192.168.0.0 with a
forwarder to the DNS server at the other location 192.168.1.0, the name resolution
would work.
Can I do it without setting up the local DNS server and just by playing with
the network interface's and VPN interface's settings? The goal is to resolve
names in both subnets.

My theory is that my local DNS is being used upon request and the DNS query is
never passed on to the VPN connection's DNS.

Any guidance is appreciated.


 

Paul Bergson [MVP-DS]
10-22-2009

Can you ping the remote location by IP address?

How are the DNS servers set up? It doesn't sound like you have a
primary/secondary model. The primary DNS server should be at the main
office, and the remote DNS server should be a secondary (slave) to the
primary. If this isn't the case, the two of them aren't in sync, and this is
most likely the cause.

Setting up a secondary DNS server
http://support.microsoft.com/kb/816518

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails; any questions should be posted in the newsgroup. This
posting is provided "AS IS" with no warranties, and confers no rights.



 

Valdas Adomaitis
11-26-2009

It's been some time since I asked this question, and then I got caught up in some work.
Thank you for your answer.

That was not exactly what I meant. You were talking about setting up DNS on MS
servers.
I didn't have any DNS infrastructure except 2 SOHO hardware (Linksys)
routers acting as (I suppose) caching-only DNS servers on their respective subnets.
When I connect through VPN to the remote location (VPN is set up on Win 2008 on
192.168.0.0) I get an IP address in the remote location (connecting from the
192.168.1.0 subnet I get a 192.168.0.x address on the remote subnet). I can ping
every machine by IP address in the 192.168.0.0 subnet; however, I cannot ping them
by name.
The remote location's router responds with a name if I explicitly ask
nslookup to use the remote router as DNS; however, I don't get a response if I
just ping it by name. I suppose my query gets lost.
I was thinking of adding the remote router's IP address in the VPN connection DNS
tab on the client computer, but as I recall it didn't solve the problem.

I will experiment with the configuration on the weekend and post if I find a solution.

 

Ace Fekay [MCT]
11-27-2009

Even if you "add" the DNS address, it will not work as you expect. DNS
doesn't search each DNS IP address entry in the ipconfig; rather, it asks the
first one, and if it responds, whether right or wrong, it will not look
further. The only time it goes to the next in the list is if there is a NULL
response (if the first one doesn't respond at all, such as if it were down).
You will need to set up secondaries so any DNS entry listed has a reference
to all records in the infrastructure.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.




 

Ace Fekay [MCT]
11-27-2009

I meant to say the client's local client-side resolver service is what does
the query, and what I mentioned above is how it works. DNS just answers or
it doesn't.

Ace




 

Valdas Adomaitis
11-27-2009

I agree that it does not look through the list of DNS servers, but what if it
is the only DNS server in the VPN connection configuration (pointing to the
remote router)? Then it should resolve the remote machines' names, shouldn't
it?
I think that it should use the connection's DNS settings (the VPN's in this
case) and not the Local Area Connection's.
I also understand that this is not the correct configuration in a production
environment.

 

Ace Fekay [MCT]
11-27-2009

"Valdas Adomaitis" <> wrote in message
news:39169E04-65C8-4CE5-A51F-...
> I agree that it does not look through the list of DNS servers, but what if
> it is the only DNS server in the VPN connection configuration (pointing to the
> remote router)? Then it should resolve the remote machines' names, shouldn't
> it?


Only if that DNS server has either a copy of the zone in its Forward Lookup
Zones (whether primary or secondary), a stub zone (a reference to the DNS
server that hosts or has a reference to the zone), or a conditional forwarder
set for the zone to the DNS server that does host or reference that zone.

Keep in mind, in order for the client to resolve a machine name in any of
the zones by only using a single name (such as \\machine\sharename) instead
of the FQDN (\\machine.domain.com\sharename), then that zone name must be
added to the Search Suffix, otherwise they must always use the FQDN.

If you are using WINS, then it will try the single name in the WINS database
first before devolving the query through DNS.

> I think that it should use the connection's DNS settings (the VPN's in this
> case) and not the Local Area Connection's.


It should be by default. If you look in the Network Connections window,
Advanced menu item, Advanced, you can see the binding order listed. RRAS
items are by default at the top unless it was changed. Otherwise, it's
misconfigured, or, in what appears to be your case, the DNS server provided to VPN
clients does not have a reference to the zone.

> I also understand that is not the correct configuration in production
> environment


Every network is unique; however, some are challenging. If you create
secondaries of each other's zones on all DNS servers, then any one of them
can resolve any of the zones in your infrastructure. This is basic DNS
design. If the DNS servers were all DCs, you could use AD-integrated zones,
which means the zone is stored in the AD database and gets replicated with the AD
replication process to all DCs. You create the zone only on one of the DCs,
and AD replication will automatically replicate the zone to all DC/DNS
servers within the zone's replication scope.

Ace



 

Valdas Adomaitis
11-29-2009

Hello again, and thank you for your guidance.

There are two questions left that keep bugging me.

The first came from your answer and my experiments today:
> Keep in mind, in order for the client to resolve a machine name in any of
> the zones by only using a single name (such as \\machine\sharename) instead
> of the FQDN (\\machine.domain.com\sharename), then that zone name must be
> added to the Search Suffix, otherwise they must always use the FQDN.


If a client machine is a stand-alone workstation, not connected to a domain,
and it has no primary or connection-specific suffix, it will not query DNS if
I just type a single name, will it? I must put a trailing dot in order for
the resolver to even bother to issue a query?

And the second one: in your opinion, is there a scenario where a hardware
router could be used as a DNS server, thereby avoiding installing any other
DNS server in the remote location? All the workstations would register to it on
boot anyway.
 

Ace Fekay [MCT]
11-29-2009

"Valdas Adomaitis" <> wrote in message
news:6FC852AF-C2BE-4A6B-8D8A-...
> Hello again and thank you for your guidance
>
> There are two questions left that keep bugging me
>
> First came from your answer and my today's experiments
>> Keep in mind, in order for the client to resolve a machine name in any of
>> the zones by only using a single name (such as \\machine\sharename)
>> instead
>> of the FQDN (\\machine.domain.com\sharename), then that zone name must be
>> added to the Search Suffix, otherwise they must always use the FQDN.

>
> If a client machine is a stand-alone workstation, not connected to a domain,
> and it has no primary or connection-specific suffix, it will not query DNS
> if
> I just type a single name, will it? I must put a trailing dot in order for
> the resolver to even bother to issue a query?


By default, the client-side resolver will treat it as a hostname query and
will send it to the DNS server in its config as a fully qualified name.
Placing a dot (period), and if the check box is checked to use suffixes, it
will append the search suffix(es) to the single name, making it a fully
qualified name. However, if no suffix exists, it will be unresolvable. If
using ping, it will revert to the NetBIOS name. If in an AD environment and not
using WINS, DirectSMB will attempt to resolve it.

>
> And the second one - in your opinion is there a scenario, where a hardware
> router could be used as a DNS server that way avoiding to install any
> other
> DNS server in remote location.


In an AD environment? NO. In a non-AD environment, I've never heard of any
type of router being designed with DNS built in; however, many of the retail
box routers will 'proxy' the query to the DNS address in their own WAN config,
which is provided as a 'convenience' to home owners. This is not
desirable. It creates an extra hop, is not reliable, and may not
necessarily resolve names based on EDNS0. With business- and enterprise-class
routers, this doesn't exist.

If you have an AD environment with remote locations, you must design the
environment so all hosts, no matter where they are, can resolve all
resources in a domain, especially AD resources.

If not using WINS, in an AD environment DirectSMB (over port 445) will be
used to resolve remote locations through Active Directory.

If the environment consists of different forests with trusts, then you must
design it with the same intentions, so everything can be resolved.

> All the workstations would register to it on
> boot anyway.


To a router? No. If the router in a non-AD environment is set up with the WAN
interface getting a DHCP address from your ISP, then the ISP's DNS server(s)
become your DNS server. ISPs do not allow dynamic DNS registration.

Why do you want to use a router for DNS, or any other services other than
being a router?

Ace
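A small model of the client-side resolver behaviour described in this thread (the first DNS server that responds, even with a negative answer, ends the lookup; only a non-responding server is skipped; a single-label name is sent as typed unless a search suffix exists), as an added example that is not code from the thread or from Windows. The zone contents, interface names and the interface-by-interface walk in resolve() are constructed assumptions simplified from the posts, so they do not reproduce the real Windows DNS client algorithm.

```python
"""Constructed model of the resolver behaviour discussed in the thread."""
from dataclasses import dataclass
from typing import Dict, List, Optional

NXDOMAIN = "NXDOMAIN"   # server answered "no such name"
TIMEOUT = None          # server did not answer at all


@dataclass
class DnsServer:
    ip: str
    records: Dict[str, str]          # fqdn (lower case, no trailing dot) -> IPv4
    reachable: bool = True

    def query(self, fqdn: str) -> Optional[str]:
        """Return an address, NXDOMAIN, or TIMEOUT (no answer at all)."""
        if not self.reachable:
            return TIMEOUT
        return self.records.get(fqdn.lower().rstrip("."), NXDOMAIN)


@dataclass
class Interface:
    name: str
    dns_servers: List[DnsServer]
    suffix: str = ""                 # connection-specific suffix, if any


def candidate_names(name: str, suffix: str) -> List[str]:
    """Single-label name + configured suffix -> FQDN; otherwise send as typed."""
    if name.endswith("."):           # trailing dot: query exactly as typed
        return [name]
    if "." not in name and suffix:
        return [f"{name}.{suffix}"]
    return [name]


def resolve(name: str, binding_order: List[Interface]) -> Optional[str]:
    """Walk interfaces in binding order; on each, ask servers in order and
    stop at the first one that responds, even if the response is NXDOMAIN."""
    for iface in binding_order:
        for fqdn in candidate_names(name, iface.suffix):
            for server in iface.dns_servers:
                answer = server.query(fqdn)
                if answer is TIMEOUT:
                    continue             # only a dead server is skipped
                if answer == NXDOMAIN:
                    break                # negative answer ends this lookup
                return answer
    return None


# Constructed data mirroring the thread: the local router only knows local
# hosts; the remote router knows HOSTNAME (192.168.0.102).
LOCAL_ROUTER = DnsServer("192.168.1.1", {"mypc": "192.168.1.135"})
REMOTE_ROUTER = DnsServer("192.168.0.1", {"hostname": "192.168.0.102"})


def remote_as_second_server() -> Optional[str]:
    """Listing the remote router after the local one does not help: the local
    router answers NXDOMAIN and the resolver looks no further."""
    lan = Interface("Local Area Connection", [LOCAL_ROUTER, REMOTE_ROUTER])
    return resolve("HOSTNAME", [lan])


def local_router_down() -> Optional[str]:
    """The second server is consulted only when the first does not answer."""
    dead_local = DnsServer("192.168.1.1", LOCAL_ROUTER.records, reachable=False)
    lan = Interface("Local Area Connection", [dead_local, REMOTE_ROUTER])
    return resolve("HOSTNAME", [lan])


def vpn_first_in_binding_order() -> Optional[str]:
    """VPN interface at the top of the binding order, with only the remote
    router as its DNS server, resolves the remote name."""
    vpn = Interface("VPN Connection", [REMOTE_ROUTER])
    lan = Interface("Local Area Connection", [LOCAL_ROUTER])
    return resolve("HOSTNAME", [vpn, lan])
```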




 

Valdas Adomaitis
11-29-2009

Thank you for your patience and info.

I'm preparing myself for the 70-642 exam, so I read and then experiment with
as many 'what ifs' as I can think of. This thread and the later post (which
you also helped me with) pretty much cover my blind spots.

Cheers

 