Resolving DNS problems over a VPN

  • Thread starter: Jim Helfer

Jim Helfer

I have a VPN set up from a Watchguard firewall & SafeNet client, used
to connect Outlook 2003 to our Exchange 2003 server.

In the office LAN I have two DCs which are both AD-Integrated DNS servers.

wtwmail2.wtwarch.com 192.168.1.7
wtwaccounting.wtwarch.com 192.168.1.6


wtwmail2 runs Exchange 2003. At home, I am finding that when I have my
DNS server set to 192.168.1.7, sometimes I will not be able to ping by
name. That is, it will not resolve domain names properly.

For instance, I find that I cannot resolve wtwmail2.wtwarch.com to
192.168.1.7 with a ping command. I get an immediate response: "Ping
request could not find the host wtwmail2.wtwarch.com. Please check the
name and try again."

And this is when I am pointed at wtwmail2 for my DNS resolving. The
server won't return its own IP!

Strangely enough, if I just leave it alone for a while, it will come
back and make the Outlook-Exchange connection that depends on DNS
operating correctly.

I'm a bit mystified. The A records are all in the zone; some other
hosts are not resolved either. We use these DNS servers for the entire
internal network, and we haven't noticed the issue here, only over the
VPN tunnel. Last night it happened at the same time to all of us who
were connected via VPN at the same time, so I don't think it's a
configuration issue with my machine alone.

Any ideas on how I could narrow this down, or any ideas on what could
go wrong with DNS over a VPN tunnel that would cause this problem?

Jim Helfer
WTW Architects
Pittsburgh PA
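One way to narrow this down, added here as an example and not part of the thread or of any WatchGuard tooling, is to query each DC directly through the tunnel with a hand-built A query, bypassing the Windows resolver cache, so that each server reports NOERROR with its A record, NXDOMAIN, or a timeout on its own. It assumes Python 3 on the VPN client and that 192.168.1.7 and 192.168.1.6 from the post are reachable over the tunnel.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Standard recursive A query for `name` in RFC 1035 wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def skip_name(resp, off):
    # Return the offset just past a (possibly compressed) domain name at `off`.
    while True:
        length = resp[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:                # root label: end of name
            return off + 1
        off += length + 1

def parse_a_records(resp):
    """Return (rcode, [IPv4 strings]); records other than A are skipped."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4     # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def probe(server, name, timeout=2.0):
    """Ask one server over UDP/53, bypassing the client's resolver cache."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "TIMEOUT", []       # tunnel or server not answering at all
    rcode, addrs = parse_a_records(data)
    return {0: "NOERROR", 3: "NXDOMAIN"}.get(rcode, "RCODE%d" % rcode), addrs

if __name__ == "__main__":
    for srv in ["192.168.1.7", "192.168.1.6"]:   # the two DCs from the post
        print(srv, probe(srv, "wtwmail2.wtwarch.com"))
```

Run it from the VPN client while the problem is happening: a TIMEOUT from one DC but NOERROR from the other points at the tunnel path or that server, while NOERROR from both with an empty list points at the client's resolver configuration rather than the DCs.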
 
Jim Helfer said:
> I have a VPN set up from a Watchguard firewall & SafeNet client, used
> to connect Outlook 2003 to our Exchange 2003 server.
>
> In the office LAN I have two DCs which are both AD-Integrated DNS servers.
>
> wtwmail2.wtwarch.com 192.168.1.7
> wtwaccounting.wtwarch.com 192.168.1.6
>
> wtwmail2 runs Exchange 2003. At home, I am finding that when I have my
> DNS server set to 192.168.1.7, sometimes I will not be able to ping by
> name. That is, it will not resolve domain names properly.
>
> For instance, I find that I cannot resolve wtwmail2.wtwarch.com to
> 192.168.1.7 with a ping command. I get an immediate response: "Ping
> request could not find the host wtwmail2.wtwarch.com. Please check the
> name and try again."
>
> And this is when I am pointed at wtwmail2 for my DNS resolving. The
> server won't return its own IP!
>
> Strangely enough, if I just leave it alone for a while, it will come
> back and make the Outlook-Exchange connection that depends on DNS
> operating correctly.
>
> I'm a bit mystified. The A records are all in the zone; some other
> hosts are not resolved either. We use these DNS servers for the entire
> internal network, and we haven't noticed the issue here, only over the
> VPN tunnel. Last night it happened at the same time to all of us who
> were connected via VPN at the same time, so I don't think it's a
> configuration issue with my machine alone.
>
> Any ideas on how I could narrow this down, or any ideas on what could
> go wrong with DNS over a VPN tunnel that would cause this problem?

VPN clients have an added problem when connecting to an Active Directory
domain, because they have a view of both public and Active Directory
namespaces. This is one reason why you should choose a different name for
your Active Directory domain from your public domain name.
Your VPN clients won't know which DNS server they are getting resolution
from, so you will need to modify your hosts file for these names.
 
Kevin said:
> VPN clients have an added problem when connecting to an Active Directory
> domain, because they have a view of both public and Active Directory
> namespaces. This is one reason why you should choose a different name for
> your Active Directory domain from your public domain name.
> Your VPN clients won't know which DNS server they are getting resolution
> from, so you will need to modify your hosts file for these names.

Thanks Kevin,

Right now, our DNS namespaces are _mostly_ separate, and the services
are separated (incoming SMTP uses the 'internal' name, but no one should
be using SMTP/25 internally on our network). So, I don't think there are
too many cases of possible confusion.


I do think that I am going to start adding entries to the hosts file.
That will help out.

Jim Helfer
WTW Architects
Pittsburgh PA