DNS issues while connected to VPN

Just curious if anyone had seen this before...

While I am at home connected to the VPN I am trying to access an
application on the internal network. In order for this application to
work - it has to DNS query an item on another domain.

We have DNS suffix search list in place - the domain it needs to query
is number 2.

Looking at a packet capture about 25% of the time the client does not
query the second DNS suffix in the search list.

To clarrify, most of the time it queries the first item, it responds
it doesn't know and the client tries the second in the search list.
Some times however it bypasses checking the DNS suffix search list and
the application fails.

Any clue why the client would ignore the DNS suffix search list?

Thanks

The DNS at work is the only one that should be associated with the VPN
connection (typically via DHCP). The work DNS then needs to use that other
DNS as a Forwarder. It can either be a Conditional Forwarder or an
Unconditional Forwarder depending on what works best in the situation.

Forget Suffixes
Forget Netbios Names
Always identify the target with the FQDN,...even if that means you have to
tweek the config within this Application you are talking about. FQDNs
eleminate the whole idea of Suffixes and will solidly identify the correct
domain,...and hence,...the correct DNS that should be "queried".


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


<(E-Mail Removed)> wrote in message
news:35731d60-aa58-4a98-a3d1-(E-Mail Removed)...
> Just curious if anyone had seen this before...
>
> While I am at home connected to the VPN I am trying to access an
> application on the internal network. In order for this application to
> work - it has to DNS query an item on another domain.
>
> We have DNS suffix search list in place - the domain it needs to query
> is number 2.
>
> Looking at a packet capture about 25% of the time the client does not
> query the second DNS suffix in the search list.
>
> To clarrify, most of the time it queries the first item, it responds
> it doesn't know and the client tries the second in the search list.
> Some times however it bypasses checking the DNS suffix search list and
> the application fails.
>
> Any clue why the client would ignore the DNS suffix search list?
>
> Thanks

In news:35731d60-aa58-4a98-a3d1-(E-Mail Removed),
(E-Mail Removed) <(E-Mail Removed)> requesting assistance,
typed the following:
> Just curious if anyone had seen this before...
>
> While I am at home connected to the VPN I am trying to access an
> application on the internal network. In order for this application to
> work - it has to DNS query an item on another domain.
>
> We have DNS suffix search list in place - the domain it needs to query
> is number 2.
>
> Looking at a packet capture about 25% of the time the client does not
> query the second DNS suffix in the search list.
>
> To clarrify, most of the time it queries the first item, it responds
> it doesn't know and the client tries the second in the search list.
> Some times however it bypasses checking the DNS suffix search list and
> the application fails.
>
> Any clue why the client would ignore the DNS suffix search list?
>
> Thanks

I agree with Phillip. The DNS servers list in IP properties is not meant to
toggle back and forth until it finds a response. If the first one doesn't
have an answer, it becomes a NULL answer, and since the client side resolver
service received an answer, albeit not the one YOU want, it is still an
answer and will look no further.

Make sure as Phillip said, that only the company DNS is listed. Make sure
the company DNS has some way of resolving it as Phillip described with his
suggestions.


--�
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly.
Please check http://support.microsoft.com for regional support phone
numbers.

I am having the same problem and wanted to add one thing. I use a Cisco Pix
506e firewall device to connect to my server at work using a Cisco VPN
Client. After connecting to the firewall, if I ping my server by name, I get
no reply. If I ping it by internal IP number I get a reply. Now this is how
the client works on my Vista Machine. If I use the same Cisco VPN Client
version on my XP Pro machine, it works as it always did giving me a reply
when I ping the server by name. It seems that the DNS name resolution works
differently in Vista than in XP. XP works in this scenario, Vista doesn't.
This is currently keeping me from being able to connect to Exchange 2003 from
home among other things. Any insight that can help solve this dilemma would
be greatly appreciated!

"Ace Fekay [Microsoft Certified Trainer]" wrote:

> In news:35731d60-aa58-4a98-a3d1-(E-Mail Removed),
> (E-Mail Removed) <(E-Mail Removed)> requesting assistance,
> typed the following:
> > Just curious if anyone had seen this before...
> >
> > While I am at home connected to the VPN I am trying to access an
> > application on the internal network. In order for this application to
> > work - it has to DNS query an item on another domain.
> >
> > We have DNS suffix search list in place - the domain it needs to query
> > is number 2.
> >
> > Looking at a packet capture about 25% of the time the client does not
> > query the second DNS suffix in the search list.
> >
> > To clarrify, most of the time it queries the first item, it responds
> > it doesn't know and the client tries the second in the search list.
> > Some times however it bypasses checking the DNS suffix search list and
> > the application fails.
> >
> > Any clue why the client would ignore the DNS suffix search list?
> >
> > Thanks
>
> I agree with Phillip. The DNS servers list in IP properties is not meant to
> toggle back and forth until it finds a response. If the first one doesn't
> have an answer, it becomes a NULL answer, and since the client side resolver
> service received an answer, albeit not the one YOU want, it is still an
> answer and will look no further.
>
> Make sure as Phillip said, that only the company DNS is listed. Make sure
> the company DNS has some way of resolving it as Phillip described with his
> suggestions.
>
>
> --�
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
> Microsoft Certified Trainer
>
> For urgent issues, you may want to contact Microsoft PSS directly.
> Please check http://support.microsoft.com for regional support phone
> numbers.
>
>

In news:2280F6D5-C7D1-45EB-A661-(E-Mail Removed),
Mark Saxton <Mark (E-Mail Removed)> requesting assistance,
typed the following:
> I am having the same problem and wanted to add one thing. I use a
> Cisco Pix 506e firewall device to connect to my server at work using
> a Cisco VPN Client. After connecting to the firewall, if I ping my
> server by name, I get no reply. If I ping it by internal IP number I
> get a reply. Now this is how the client works on my Vista Machine. If
> I use the same Cisco VPN Client version on my XP Pro machine, it
> works as it always did giving me a reply when I ping the server by
> name. It seems that the DNS name resolution works differently in
> Vista than in XP. XP works in this scenario, Vista doesn't. This is
> currently keeping me from being able to connect to Exchange 2003 from
> home among other things. Any insight that can help solve this dilemma
> would be greatly appreciated!
>

Sorry for the late reply. Are both the Vista and XP machines getting the
same IP configuration, DNS addresses, and WINS addresses when connected via
the Cisco VPN? Can you post an ipconfig /all from both of these machines
while they are connected using the VPN, please?

Ace