VPN and DNS issues

  #1  
Old 02-19-2008, 02:51 PM
Default VPN and DNS issues



My apologies if I am posting to the incorrect group; if I am, please let me
know and I will repost to a more appropriate group.

We have a Microsoft VPN server that has been connected to a T1 for many
years now. Just recently it was switched to a new fiber connection from a
local ISP. After we switched the connection on the T1 we have been having
name resolution issues for our VPN clients. We have a 2003 Exchange server
that is accessible via the web and our internal network. When a VPN client
pings the Exchange server WHILE connected to the VPN it returns the public IP
instead of the private. No other changes have been made other than switching
the VPN server to the new ISP and updating the public DNS records for the VPN
connection. Currently the VPN server is running Windows Server 2003 SP1.

Example:
pinging s3.mydomain.net while connected to the VPN returns 65.x.x.x instead
of the correct 172.x.x.x internal address.

If a client sets their DNS servers to either the T1 or Fiber connection's
default DNS servers, then the proper address is returned. However, for most
other clients, myself included, when using a default IP of the local
CABLE/DSL router it wants to return the public IP address.

A bit more info that may or may not be useful (I have replaced the actual
domain name with "mydomain"):
Current public DNS records for our Exchange server and VPN:
s3.mydomain.net CNAME to host155.mydomain.com resolves to Exchange server
public IP.
v1.mydomain.net CNAME to host7.mydomain.com resolves to VPN server public IP
address.

A reverse lookup of the Exchange server public IP address returns
host155.mydomain.com.
A reverse lookup of the VPN server public IP address returns
host7.mydomain.com.

mydomain.net is also our internal Active Directory name and we are using
split brain DNS.

We do not host our own public DNS servers.

No one is using VPN split tunneling.

The new ISP is a wide open connection that allows all traffic to pass with
no firewalls or filters between us and them.

If any further information is needed or anyone has any ideas for further
tests to run please feel free to ask.

Thank you!


Curtis
  #2  
Old 02-19-2008, 11:09 PM
Robert L. (MS-MVP)
Default Re: VPN and DNS issues

First of all, you should have your internal DNS in the VPN server and the
VPN server assign the DNS to the client. Another option is to set up WINS for
name resolution. It is better to have WINS for VPN name resolution. If both
internal DNS and WINS are not options for you, you can try lmhosts. I would
not have my ISP host my A records. Or the following search results may help.

Name resolution on VPN
Name resolution is big issue in VPN access. If your VPN server doesn't
setup correctly or the VPN client can't receive the VPN DNS and WINS
settings, ...
www.chicagotech.net/nameresolutionpnvpn.htm - Similar pages

VPN name resolution and browsing
Q: VPN name resolution and browsing. After I successfully connect to
the VPN Server remotely, I cannot browse the network, and see other
computers and ...
www.chicagotech.net/Q&A/vpn1.htm


--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com


  #3  
Old 02-20-2008, 01:54 PM
Curtis
Default Re: VPN and DNS issues

We do assign our internal DNS servers to the VPN clients. That's the weird
thing. If you do an ipconfig /all while connected to the VPN, the VPN
connection shows it using both of our internal DNS servers. But when you try
to access the resources it wants to use the public DNS records.

What I was saying about changing the client's DNS server was when connected
to the VPN, which is assigning our internal DNS servers to the connection, if
you change the client's DNS on their connection (LAN card, router, etc.) to one
of our ISP DNS servers everything resolves correctly. If they use the default
DNS servers on their connection, while connected to the VPN, they get the
public records.

Not sure if that helped or made it more confusing.

In the meantime I will look at those links.

Thanks!

  #4  
Old 02-20-2008, 02:33 PM
Robert L. (MS-MVP)
Default Re: VPN and DNS issues

As said, it is better to use WINS for VPN name resolution.

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com


  #5  
Old 02-20-2008, 02:59 PM
Curtis
Default Re: VPN and DNS issues

I understand, however, this setup has been working for years now and it just
stopped when we switched ISPs. I was really hoping to resolve the issue
without major infrastructure changes.

  #6  
Old 02-20-2008, 07:15 PM
Robert L. (MS-MVP)
Default Re: VPN and DNS issues

On VPN client, get the result of ipconfig /all and nslookup. Post back here.

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com


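The per-resolver comparison asked for above can be made mechanical by running `nslookup <name> <server>` once against each DNS server the client has configured and checking which split-brain view each one hands back. The following is an added example, not part of the thread or written by its participants; the nslookup outputs, the server name `dc1.mydomain.net` and every address in it are constructed placeholders (the thread gives only 65.x.x.x and 172.x.x.x), and treating RFC 1918 ranges as "internal" is an assumption.

```python
import ipaddress
import re

# Assumption: "internal" means RFC 1918 space. ipaddress.is_private is not used
# because it also flags documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FIELD = re.compile(r"^(Server|Address|Addresses|Name|Aliases):\s*(.*)$")


def is_internal(addr):
    """True if addr parses as an IP address inside RFC 1918 space."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def parse_nslookup(text):
    """Parse Windows-style nslookup output into resolver, name, answers, aliases."""
    out = {"resolver": None, "name": None, "answers": [], "aliases": []}
    section, last_key = "resolver", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            last_key = key
        elif section == "answer" and last_key in ("Addresses", "Aliases"):
            key, value = last_key, line      # continuation line of a list
        else:
            last_key = None                  # banner, timeout or error text
            continue
        if key == "Name":
            section, out["name"] = "answer", value
        elif key in ("Address", "Addresses"):
            if section == "resolver":
                out["resolver"] = value      # address of the server queried
            else:
                out["answers"].extend(value.split())
        elif key == "Aliases":
            out["aliases"].extend(value.split())
    return out


def audit(outputs):
    """outputs: list of (label, nslookup_text). Returns one verdict per resolver."""
    rows = []
    for label, text in outputs:
        parsed = parse_nslookup(text)
        public = [a for a in parsed["answers"] if not is_internal(a)]
        if not parsed["answers"]:
            verdict = "NO ANSWER"
        elif public:
            verdict = "PUBLIC VIEW"          # external zone answered the query
        else:
            verdict = "INTERNAL VIEW"
        rows.append({"label": label, "resolver": parsed["resolver"],
                     "answers": parsed["answers"], "verdict": verdict})
    return rows


# Constructed sample outputs, one per DNS server seen in ipconfig /all.
SAMPLES = [
    ("VPN adapter DNS", """Server:  dc1.mydomain.net
Address:  172.16.0.10

Name:    s3.mydomain.net
Address:  172.16.0.25
"""),
    ("LAN adapter DNS (home router)", """Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    host155.mydomain.com
Address:  203.0.113.155
Aliases:  s3.mydomain.net
"""),
    ("LAN adapter DNS, timed out", """Server:  UnKnown
Address:  192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
"""),
]


def run_samples():
    return audit(SAMPLES)


if __name__ == "__main__":
    for row in run_samples():
        print(f'{row["label"]:32} {row["resolver"]:14} '
              f'{",".join(row["answers"]) or "-":16} {row["verdict"]}')
```

A resolver that returns the public view while the tunnel is up is the one to compare against the adapter DNS order shown by ipconfig /all.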
  #7  
Old 02-20-2008, 08:20 PM
Curtis
Default Re: VPN and DNS issues

I'll post the info tonight.

Thanks!

"Robert L. (MS-MVP)" wrote:

> On VPN client, get the result of ipconfig /all and nslookup.post back here.
>
> --
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting on
> http://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access on
> http://www.HowToNetworking.com
>
>
> "Curtis" <(E-Mail Removed)> wrote in message
> news:36A1B017-E10F-44EB-AA45-(E-Mail Removed)...
> >I understand, however, this setup has been working for years now and it
> >just
> > stopped when we switched ISPs. I was really hoping to resolve the issue
> > without major infrastructure changes.
> >
> > "Robert L. (MS-MVP)" wrote:
> >
> >> As said, it is better to use WINS for VPN name resolution.
> >>
> >> --
> >> Bob Lin, MS-MVP, MCSE & CNE
> >> Networking, Internet, Routing, VPN Troubleshooting on
> >> http://www.ChicagoTech.net
> >> How to Setup Windows, Network, VPN & Remote Access on
> >> http://www.HowToNetworking.com
> >>
> >>
> >> "Curtis" <(E-Mail Removed)> wrote in message
> >> news3B41985-0D9E-40AF-B957-(E-Mail Removed)...
> >> > We do assign our internal DNS servers to the VPN clients. Thats the
> >> > werid
> >> > thing. If you do an ipconfig /all while connected to the VPN the vpn
> >> > connection shows it using both of our internal DNS servers. But when
> >> > you
> >> > try
> >> > to access the resources it wants to use the public DNS records.
> >> >
> >> > What I was saying about changing the clients DNS server was when
> >> > connected
> >> > to the VPN, which is assigning our internal DNS servers to the
> >> > connection,
> >> > if
> >> > you change the clients dns on their connection (LAN card, router etc)
> >> > to
> >> > one
> >> > of our ISP dns servers everything resolves correctly. If they use the
> >> > default
> >> > DNS servers on their connection, while connected to the VPN, they get
> >> > the
> >> > public records.
> >> >
> >> > Not sure if that helped or made it more confusing.
> >> >
> >> > In the mean time I will look at those links.
> >> >
> >> > Thanks!
> >> >
> >> > "Robert L. (MS-MVP)" wrote:
> >> >
> >> >> First of all, you should have your internal DNS in the VPN server and
> >> >> the
> >> >> VPN server assign the DNS to the client. Another option is setup WINS
> >> >> for
> >> >> name resolution. It is better to have WINS for VPN name resolution. If
> >> >> both
> >> >> internal DNS and WINS are not options for you, you can try mlhosts. I
> >> >> would
> >> >> not use my ISP host my A records. Or the following search results may
> >> >> help.
> >> >>
> >> >> Name resolution on VPN
> >> >> Name resolution is big issue in VPN access. If your VPN server
> >> >> doesn't
> >> >> setup correctly or the VPN client can't receive the VPN DNS and WINS
> >> >> settings, ...
> >> >> www.chicagotech.net/nameresolutionpnvpn.htm - Similar pages
> >> >>
> >> >> VPN name resolution and browsing
> >> >> Q: VPN name resolution and browsing. After I successfully
> >> >> connect
> >> >> to
> >> >> the VPN Server remotely, I cannot browse the network, and see other
> >> >> computers and ...
> >> >> www.chicagotech.net/Q&A/vpn1.htm
> >> >>
> >> >>
> >> >> --
> >> >> Bob Lin, MS-MVP, MCSE & CNE
> >> >> Networking, Internet, Routing, VPN Troubleshooting on
> >> >> http://www.ChicagoTech.net
> >> >> How to Setup Windows, Network, VPN & Remote Access on
> >> >> http://www.HowToNetworking.com
> >> >>
> >> >>
> >>
> >>

>
>

  #8  
Old 02-21-2008, 03:47 AM
Curtis
Guest
 
Posts: n/a
Default Re: VPN and DNS issues

OK, I'm including the ipconfig /all from being connected to the VPN and an
nslookup of the server that is having the public DNS returned while connected
to the VPN.

IPconfig:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : n0941
   Primary Dns Suffix . . . . . . . : celestenet.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : celestenet.com
                                       hsd1.md.comcast.net

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
   Physical Address. . . . . . . . . : 00-15-C5-B3-EA-FA

Ethernet adapter Wireless Network Connection:

   Connection-specific DNS Suffix . : hsd1.md.comcast.net
   Description . . . . . . . . . . . : Intel(R) PRO/Wireless 3945ABG Network Connection
   Physical Address. . . . . . . . . : 00-18-DE-8A-43-68
   Dhcp Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.42.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.42.1
   DHCP Server . . . . . . . . . . . : 192.168.42.1
   DNS Servers . . . . . . . . . . . : 192.168.42.1
   Lease Obtained. . . . . . . . . . : Wednesday, February 20, 2008 10:38:37 PM
   Lease Expires . . . . . . . . . . : Thursday, February 21, 2008 10:38:37 PM

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 00-16-41-9D-F3-F5

PPP adapter Celeste with gateway:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-53-45-00-00-00
   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 172.16.105.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 172.16.105.11
   DNS Servers . . . . . . . . . . . : 172.16.100.11
                                       172.16.100.1

nslookup:

Default Server: WLNinja1
Address: 192.168.42.1

> s3.celestenet.com

Server: WLNinja1
Address: 192.168.42.1

Non-authoritative answer:
Name: cicnet.celestecorp.com
Address: 65.207.3.155
Aliases: s3.celestenet.com


s3.celestecorp.com should return 172.16.100.14 when connected to the VPN.

Thanks!
Curtis
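
The mismatch visible in the output above, checked mechanically. This is an added example, not part of Curtis's post: the function names are illustrative and the sample text is trimmed from the posted output. It reports which adapter's DNS server nslookup actually queried and whether the returned address is private.

```python
import ipaddress
import re

# Trimmed from the ipconfig /all and nslookup output in the post above.
IPCONFIG = """\
Ethernet adapter Wireless Network Connection:
   DNS Servers . . . . . . . . . . . : 192.168.42.1

PPP adapter Celeste with gateway:
   DNS Servers . . . . . . . . . . . : 172.16.100.11
                                       172.16.100.1
"""
NSLOOKUP = """\
Server:  WLNinja1
Address:  192.168.42.1

Non-authoritative answer:
Name:    cicnet.celestecorp.com
Address:  65.207.3.155
Aliases:  s3.celestenet.com
"""
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def dns_by_adapter(text):
    """Map each adapter heading to its DNS servers, continuation lines included."""
    servers, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        s = line.strip()
        if s.endswith(":") and " adapter " in s:      # e.g. "PPP adapter ...:"
            adapter, in_dns = s[:-1], False
            servers[adapter] = []
        elif adapter and s.startswith("DNS Servers"):
            value = s.rsplit(":", 1)[1].strip()
            servers[adapter] += [value] if value else []
            in_dns = True
        elif adapter and in_dns and IPV4.match(s):    # second server on its own line
            servers[adapter].append(s)
        elif s:
            in_dns = False
    return servers

def diagnose(ipconfig_text, nslookup_text, vpn_adapter):
    """Compare the resolver nslookup used with the VPN adapter's DNS servers."""
    addrs = re.findall(r"^Address:\s*(\S+)", nslookup_text, re.M)
    resolver, answer = addrs[0], ipaddress.ip_address(addrs[-1])
    servers = dns_by_adapter(ipconfig_text)
    owner = next((a for a, s in servers.items() if resolver in s), None)
    return {"resolver": resolver, "resolver_adapter": owner,
            "asked_vpn_dns": resolver in servers.get(vpn_adapter, []),
            "answer": str(answer), "answer_is_private": answer.is_private}

if __name__ == "__main__":
    print(diagnose(IPCONFIG, NSLOOKUP, "PPP adapter Celeste with gateway"))
```

On the posted data the query went to 192.168.42.1, the wireless adapter's DNS server, rather than to either server listed on the PPP adapter, and the answer is a public address.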