DNS name resolution via PPTP VPN

Discussion in 'DNS Server' started by Valdas Adomaitis, Oct 21, 2009.

  1. Hello

    I've set up the following:

    Client (Vista business; 192.168.1.135/24)--(Router/gateway;
    192.168.1.1/24)--ISP--Remote location(router;192.168.0.1/24)--(server2008;
    VPN; 192.168.0.253/24)--(XP client machine; "HOSTNAME" 192.168.0.102)

    I connect to remote location via VPN. There is no DNS server set up on
    server 2008.
    Both locations use DNS on that location's hardware router (192.168.1.1 and
    192.168.0.1).

    The question is: what has to be done to be able to ping machines on remote
    location by name?
    If I use nslookup and then set it to use the DNS server of the remote location, it
    resolves the name.
    I suppose if I set up some DNS server on my location 192.168.0.0 with a
    forwarder to the DNS server on another location 192.168.1.0, the name resolution
    would work.
    Can I do it without setting the local DNS server and just by playing with
    the network interface's and VPN interface's settings? The goal is to resolve
    names in both subnets.

    My theory is that my local DNS is being used upon request and the DNS query is
    never passed on to the VPN connection's DNS.

    Any guidance is appreciated
     
    Valdas Adomaitis, Oct 21, 2009
    #1

  2. Can you ping the remote location by IP Address?

    How are the dns servers set up? It doesn't sound like you have a
    primary/secondary model. The primary dns server should be at the main
    office and the remote dns server should be a secondary (slave) to the
    primary. If this isn't the case the two of them aren't in sync and this is
    most likely the cause.

    Setting up a secondary DNS server
    http://support.microsoft.com/kb/816518

    --
    Paul Bergson
    MVP - Directory Services
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, 2003, 2000 (Early Achiever), NT4
    Microsoft's Thrive IT Pro of the Month - June 2009

    http://www.pbbergs.com

    Please no e-mails, any questions should be posted in the NewsGroup This
    posting is provided "AS IS" with no warranties, and confers no rights.
     
    Paul Bergson [MVP-DS], Oct 22, 2009
    #2

  3. It's been some time since I asked this question and then got caught in some work.
    Thank you for your answer.

    That was not exactly what I meant. You were talking about setting DNS on MS
    servers.
    I didn't have any DNS infrastructure except 2 SOHO hardware (Linksys)
    routers acting as (I suppose) caching-only DNS servers on respective subnets.
    When I connect through VPN to the remote location (VPN is set up on Win 2008 on
    192.168.0.0) I get an IP address in the remote location (connecting from
    192.168.1.0 subnet I get a 192.168.0.x address on the remote subnet). I can ping
    every machine by IP address in the 192.168.0.0 subnet, however I cannot ping them
    by name.
    The remote location's router responds with a name if I explicitly ask
    nslookup to use the remote router as DNS, however I don't get a response if I
    just ping it by name. I suppose my query gets lost.
    I was thinking of adding the remote router's IP address in the VPN connection DNS
    tab on the client computer, but as I recall it didn't solve the problem.

    I will experiment with the configuration on the weekend and post if I find a solution.
     
    Valdas Adomaitis, Nov 26, 2009
    #3

  4. Even if you "add" the DNS address, it will not work as you expect. DNS
    doesn't search each DNS IP address entry in the ipconfig, rather it asks the
    first one, and if it responds, whether right or wrong, it will not look
    further. The only time it goes to the next in the list is if there is a NULL
    response (if the first one doesn't respond at all such as if it were down).
    You will need to set up secondaries so any DNS entry listed has a reference
    to all records in the infrastructure.


    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
    2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check
    http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [MCT], Nov 27, 2009
    #4
  5. I meant to say the client's local client-side resolver service is what does
    the query, and what I mentioned above is how it works. DNS just answers or
    it doesn't.

    Ace
     
    Ace Fekay [MCT], Nov 27, 2009
    #5
  6. I agree that it does not look through the list of DNS servers, but what if it
    is the only DNS server in the VPN connection configuration (pointing to the
    remote router)? Then it should resolve the remote machines' names, shouldn't
    it?
    I think that it should use the connection's DNS settings (VPN's in this
    case) and not the Local Area Connection's.
    I also understand that this is not the correct configuration in a production
    environment.
     
    Valdas Adomaitis, Nov 27, 2009
    #6
  7. Only if that DNS server has either a copy of the zone in its Forward Lookup
    Zones (whether primary or secondary), a Stub zone (reference to the DNS
    server that hosts or has a reference to the zone), or a conditional forwarder
    is set for the zone to the DNS server that does host or reference that zone.

    Keep in mind, in order for the client to resolve a machine name in any of
    the zones by only using a single name (such as \\machine\sharename) instead
    of the FQDN (\\machine.domain.com\sharename), then that zone name must be
    added to the Search Suffix, otherwise they must always use the FQDN.

    If you are using WINS, then it will try the single name in the WINS database
    first before devolving the query through DNS.
    It should be default. If you look in the Network Connections window,
    Advanced menu item, Advanced, you can see the binding order listed. RRAS
    items are by default at the top unless it was changed. Otherwise, it's
    misconfigured, or in what appears your case, the DNS server provided to VPN
    clients does not have a reference to the zone.
    Every network is unique, however some are challenging. If you create
    secondaries of each others' zones on all DNS servers, then any one of them
    can resolve any of the zones in your infrastructure. This is basic DNS
    design. If the DNS servers were all DCs, you can use AD integrated zones,
    which means it's stored in the AD database and gets replicated with the AD
    replication process to all DCs. You create the zone only on one of the DCs,
    and AD replication will automatically replicate the zone to all DC/DNS
    servers within the zone's replication scope.

    Ace
     
    Ace Fekay [MCT], Nov 27, 2009
    #7
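A diagnostic for the situation discussed in this thread, added here as an example and not taken from any post: it lists which DNS servers and suffixes each connected interface carries, then resolves the same name through the normal resolver path and by asking the remote router directly (the nslookup comparison from the first post). It assumes Windows 8 / Server 2012 or later, where the DnsClient and NetTCPIP cmdlets exist; the defaults `HOSTNAME` and `192.168.0.1` are the values from the thread, and `Test-Lookup` is a helper name made up for this example.

```powershell
# Added example, not from the thread. Requires the DnsClient and NetTCPIP
# modules (Windows 8 / Server 2012 or later).
param(
    [string]$Name      = 'HOSTNAME',      # single-label name from the thread
    [string]$RemoteDns = '192.168.0.1'    # remote router from the thread
)

# 1. DNS servers and suffix per connected IPv4 interface, lowest metric first.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4
Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected |
    Sort-Object InterfaceMetric |
    ForEach-Object {
        $idx = $_.InterfaceIndex
        [pscustomobject]@{
            Interface  = $_.InterfaceAlias
            Metric     = $_.InterfaceMetric
            DnsServers = ($servers | Where-Object InterfaceIndex -eq $idx).ServerAddresses -join ', '
            Suffix     = (Get-DnsClient -InterfaceIndex $idx).ConnectionSpecificSuffix
        }
    } | Format-Table -AutoSize

# 2. Global suffix search list (empty on a stand-alone machine unless configured).
'Suffix search list: ' + ((Get-DnsClientGlobalSetting).SuffixSearchList -join ', ')

# 3. Resolve the name with DNS only (no NetBIOS/LLMNR fallback), first through
#    the default resolver path, then by querying the remote router directly.
function Test-Lookup([string]$Label, [hashtable]$Extra) {
    try {
        $r = Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction Stop @Extra
        '{0,-24} {1}' -f $Label, (($r | Where-Object Type -eq 'A').IPAddress -join ', ')
    } catch {
        # A failure here with a success below reproduces the symptom in the thread.
        '{0,-24} FAILED: {1}' -f $Label, $_.Exception.Message
    }
}

Test-Lookup 'Default resolver:' @{}
Test-Lookup "Direct to ${RemoteDns}:" @{ Server = $RemoteDns }
```

If the direct query succeeds while the default path fails, compare the table from step 1 against the server that answered: the VPN interface either does not list that server or is not the interface the resolver prefers.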
  8. Hello again and thank you for your guidance

    There are two questions left that keep bugging me

    The first came from your answer and my experiments today.
    If a client machine is a stand-alone workstation, not connected to a domain,
    and it has no primary or connection-specific suffix, it will not query DNS if
    I just type a single name, will it? I must put a trailing dot in order for
    the resolver to even bother to issue a query?

    And the second one - in your opinion, is there a scenario where a hardware
    router could be used as a DNS server, that way avoiding installing any other
    DNS server in the remote location? All the workstations would register to it on
    boot anyway.
     
    Valdas Adomaitis, Nov 29, 2009
    #8
  9. By default, the client side resolver will treat it as a hostname query and
    will send it to the DNS server in its config as a fully qualified name.
    Placing a dot (period), and if the check box is checked to use suffixes, it
    will suffix the search suffix(es) to the single name making it a fully
    qualified name. However, if no suffix exists, it will be unresolvable. If
    using ping, it will revert to NetBIOS name. If in an AD environment and not
    using WINS, DirectSMB will attempt to resolve it.
    In an AD environment? NO. In a non-AD environment, I've never heard of any
    type of router being designed with DNS built in, however many of the retail
    box routers will 'proxy' the query to the DNS address in its own WAN config,
    which is provided as a 'convenience' to home owners. This is not
    desirable. It creates an extra hop, is not reliable, and may not
    necessarily resolve names based on EDNS0. With business and enterprise class
    routers, this doesn't exist.

    If you have an AD environment with remote locations, you must design the
    environment so all hosts, no matter where they are, can resolve all
    resources in a domain, especially AD resources.

    If not using WINS, in an AD environment DirectSMB (over port 445) will be
    used to resolve remote locations through Active Directory.

    If the environment consists of different forests with trusts, then you must
    design it with the same intentions, so everything can be resolved.
    To a router? No. If the router in a non-AD environment is set up with the WAN
    interface getting a DHCP address from your ISP, then the ISP's DNS server(s)
    become your DNS server. ISPs do not allow dynamic DNS registration.

    Why do you want to use a router for DNS, or any other services other than
    being a router?

    Ace
     
    Ace Fekay [MCT], Nov 29, 2009
    #9
  10. Thank you for your patience and info.

    I'm preparing myself for the 70-642 exam, so I read and then experiment with
    as many 'what ifs' as I can think of. This thread and the later post (which
    you also helped me with) pretty much cover my blind spots.

    Cheers
     
    Valdas Adomaitis, Nov 29, 2009
    #10
  11. I don't remember 642 goes into it that deeply, but it is good to understand
    and prepare for anything possible.

    Good luck!

    Ace
     
    Ace Fekay [MCT], Nov 29, 2009
    #11
