Server 2003 VPN and DNS


Guest

Hi,

I've successfully been running a Windows 2003 VPN for a few years now, but one
issue has bugged me. Due to the way our Watchguard firewall handles NAT, I
have some DNS entries that handle our external DNS, i.e. typing www.acme.com
will be resolved by our internal server to 192.168.10.5, as if it were to be
handled by the external DNS our firewall would not allow the connection to come
back in.

Our servers' and workstations' primary DNS suffix is acme.network, but some
servers are also assigned an address from the acme.com.

My problem is that VPN clients, when they try to connect to things like
mail.acme.com or sync.acme.com, resolve to the external DNS address rather
than the internal.

Connecting to an internal address like mail.acme.network is fine, but it
just will not resolve names to any of the other domain suffixes that are
present on our DNS server through VPN clients.

Any ideas? All VPN clients are assigned an IP address from the normal DHCP
pool.
 
If using the nslookup command in the VPN client, what does it point to? Or post back with any error.

Name resolution on VPN: 4) If the VPN client doesn't register its DNS, you may need to go the VPN connection ... To assign the DNS and WINS to a VPN client for name resolution, ...
www.chicagotech.net/nameresolutionpnvpn.htm

Troubleshooting DNS: If your VPN client cannot find servers or cannot ping a computer name, you may need to add DNS and WINS into your VPN server. For example, to add DNS and WINS ...
www.chicagotech.net/dnstroubleshooting.htm



Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
 
I don't see how the Watchguard firewall affects VPN clients. They are
effectively "inside" the firewall. All VPN traffic is still encrypted and
encapsulated when it comes through the firewall.

It really boils down to what DNS server address the VPN client actually
uses and what DNS suffixes it uses. They should be looking at your internal
DNS server. If all else fails, manually configure these in the connection
properties of the client to exactly what you want it to use.
 
The VPN client gets a DNS server fine on the internal network and a DNS
suffix also.

The VPN client gets the suffix of acme.network, the same as our internal
clients, which can see the acme.com addresses fine. It's just the VPN clients
can't.

They can only perform lookups to the same DNS suffix as themselves.

The problem with the Watchguard is it will not allow a client inside the
firewall to access the external address of any servers. So say for example my
company's website is hosted on one of our own servers whose internal DNS is
webserver.acme.network. If I try to get to it via its external address the
Watchguard has a fit and just gives up. So I had to create a new DNS zone for
acme.com to point www.acme.com to the server's internal IP. This is what the
VPN clients can't seem to pick up: when resolving acme.network addresses it
uses the internal DNS fine, but when trying to resolve acme.com it always
ignores my internal DNS server and goes straight to my ISP's. It just won't
make use of any of my other zones for some reason.
 
This is weird, I just did an nslookup to the server's external name and it comes
back with the internal IP, which is what I wanted. But when I ping or try to
connect on that name it goes to the external name :S
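The nslookup-versus-ping difference above is the usual split-DNS symptom: nslookup sends its own query straight to the DNS server, while ping goes through the Windows resolver (cache, suffix search list, adapter order). Here is an added diagnostic script, not from this thread, that reproduces that comparison from a client: it sends a raw A query to a DNS server you name and compares the answer with what the OS resolver returns, reporting "leak" when the server answers with an RFC 1918 address but the resolver hands back a public one. Hostnames and 192.168.10.5 come from the thread; the internal DNS server address is an assumption you supply.

```python
import ipaddress, random, socket, struct
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_query(name, txid):
    """Minimal DNS A/IN query with the RD bit set, the same thing nslookup sends."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 1, 1)

def skip_name(data, off):
    while data[off] and data[off] & 0xC0 != 0xC0:  # walk labels until root (1 byte) or pointer (2)
        off += data[off] + 1
    return off + (2 if data[off] else 1)

def parse_a_records(data, txid):
    """IPv4 answers from a response; [] on transaction-ID mismatch or non-zero RCODE."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or flags & 0x000F:
        return []
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs

def query_server(name, server, timeout=2.0):
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:  # straight to the server, no resolver
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        return parse_a_records(s.recvfrom(512)[0], txid)

def compare(direct, resolver):
    """'ok' if both agree; 'leak' if the server gave only RFC 1918 addresses but the OS resolver only public ones; else 'mismatch'."""
    internal = lambda a: any(ipaddress.ip_address(a) in n for n in PRIVATE_NETS)
    if set(direct) == set(resolver):
        return "ok"
    if direct and all(map(internal, direct)) and resolver and not any(map(internal, resolver)):
        return "leak"
    return "mismatch"

def check(name, server):
    """Direct query (what nslookup shows) versus the OS resolver path that ping uses."""
    return compare(query_server(name, server), [ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)])
```

Run `check("www.acme.com", "<internal DNS IP>")` from the VPN client; a "leak" verdict means the host is resolving that name somewhere other than the internal server even though the server itself answers correctly.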
 