internet connection / vpn - which dns server?

[Drew Lasko]

question. we have clients that are connecting to at&t
dial up for internet access.. when they do this they get a
public Ip and get directed to at&t's internet dns
servers.. so, if I create a vpn connection to our vpn
server from a client... there's no problem.. client
connects.. gets an ip, and the correct dns servers in
ipconfig.... but, since our internet domain-namespace is
the same as our internal, the client still resolves our
dns name to the external dns entry.... here is my
question... to make it less specific to my exact
situation...

you have a client with an internet connection.. which is
using an external dns server (public)... ok

you connect to a vpn server (vpn test1).. get an ip and
dns server 10.0.100.2

you connect to another vpn server (vpn test2) get an ip
and dns server 10.0.200.2

what tells the client which dns server to go to?? let's
say that vpn test1 was test1.com and vpn test2 was
test2.com ... for example's sake.. let's say that these 2
domains actually resolve to a public Ip address which the
external dns server can resolve... what tells the client
to go to the vpn-connection specific dns server to resolve
the name.

any help would be greatly appreciated...

ps-- someone told me that it depends the order in which
the adapters(interfaces) are listed when doing an
ipconfig... is this true..and if so, how do you change it?

 

[Ace Fekay [MVP]]

In

Ace, I am using AT&T dialup for internet access and I
moved the binding order so that the RAS connections are
first... this really didn't help.. here's why.

Say the laptop is disconnected from the network then dials
into AT&T for internet.. no problem... the machine uses
AT&T's dns servers and everything is fine.

Here is the problem. My company's internal dns namespace
and external namespace are the same.. for example: test.com

So when the machine is connected to at&t and pings say
test.com it resolves the external internet address. Say I
have vpn.test.com forwarding to my vpn server.. no
problem, the machine can resolve vpn.test.com. Now, once
then machine is connected it gets dhcp settings inlcuding
our internal dns servers and is registers the test.com
domain suffix.. now.. if I ping anything.test.com it goes
internal.. but, test.com by itself always goes external...
and now vpn.test.com resolves to the firewall. I know
that maybe we should have named our internal namespace
different the the public internet name, but is there a way
to tell win2k which RAS connection to use for DNS..
because the VPN and AT&T dialup connections are both RAS
connections... and AT&T always gets listed first.. and you
can only change the "ras connections" setting in the
binding order.. you cannot specify which exact connection
you want to use. Any ideas???

Hmm, in a case like this, I would suggest to move your LAN connection to the
top. This way if you're on the LAN, it will check with that first, if not
available, it will drop down to the dialup or VPN, whichever you want first.

If you want them to dialup to ATT, then VPN in to you, the VPN connection
would then get an IP and the configurationoptions, including DNS address
from your internal system. So it *should* override the dialup, as what VPNs
are supposed to do.

So I'm assuming you want them to get the internal DNS connection for logon
ability?

AS for the same name issue, that's a common way to setup a system. If you
need to get to your website from teh internal network, (assuming the website
is hosted externally), under your internal DNS server, create the www entry
and give it the external IP. I hope I didn't misunderstand what you're
trying to accomplish...


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

 

[Ace Fekay [MVP]]

In

Ace, I think you slightly misunderstood. This is why we
need this functionallity. We use DFS on our win2k
network. When the client is connect through dial-up and
then vpn's in they resolve our dfs root to the external
dns address rather than internal rendering dfs
inoperable. Here is an example.

Client connected to LAN
test.com --> resolves internal
so \\test.com\testshare works


Client Just connected to Dial-Up
test.com --> resolves external

Client connect to Dialup and VPN'd in
test.com --> still resolves external
so of course \\test.com\testhare won't work.

the client is taking all of the correct options and of
course is pointing at the internal dns server which it can
contact. It also is appending the DNS suffix and
registering with DNS.

I know that changing our internal DNS namespace would fix
this problem but at this point it is not an option. Do
you have any idea why this is happening or how to fix
this??? I guess what we are really dealing with is a
duplicate dns-namespace issue. I was under the impression
that microsoft supported this type of setup.. internal dns
the name name as external dns?? Any help would be great!

Sorry for the misunderstanding.

I see what you mean about "RAS Connections" being "one" in the binding
order.

I *believe* there is a setting in the VPN to use the VPN settings when
connected? I just created a VPN and dialup setting to check it out. BUt of
course, no real dialup to test it, just a fake connection. But looking at
the properties of the dialup connection, have you tried to go into them and
under networking tab, force to use remote gateway and under DNS force using
your internal DNS server addresses? I know it sounds like a pain to do this
for the user, but curious if that may help. Force remote gateway on the VPN
too, (but I assume this is already checked off).

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory