Strange DNS

  • Thread starter: Per W.

Per W.

Hi, I have a computer connected to a domain (Windows 2000 SBS) with a Cisco
VPN client for use to an external office. When not connected to the VPN
client I get this:

nslookup int-www.ext-office.org = NO answer
nslookup int-www.ext-office.org 194.19.1.52 = NO answer, 194.19.1.52 is an
ISP's DNS
nslookup int-www.ext-office.org 217.118.32.12 = NO answer, 217.118.32.12 is
another ISP's DNS and the same DNS that the Windows DNS server forwards to.


With the VPN client connected i get this:

nslookup int-www.ext-office.org = NO answer
nslookup int-www.ext-office.org 194.19.1.52 = the correct IP is shown (and
it's not a local IP)
nslookup int-www.ext-office.org 217.118.32.12 = the correct IP is shown (and
it's not a local IP)


How in the h.... can the external ISP's DNS server make a lookup to a domain
when using the VPN client, and why isn't there any answer when I don't use the
VPN client? And why doesn't the local/internal DNS server give an answer? Yes,
I can reach the internal DNS server also when connected to the VPN client.

/Per W.
 
Let's see....

No-VPN scenario:
You are trying to lookup a resource located in your office. That resource is
NOT public. So, the ISP DNS server is not able to locate the record.

With-VPN scenario:
Now you are connected to your office. Your requests for resources inside
your office are now tunnelled through the VPN connection. This way, the
requests get to your office because they don't go through the public
internet. The resource is located and the record is returned to you via the
tunnel.

Makes sense, or did I misunderstand you?
--

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 
Deji Akomolafe said:
Let's see....

No-VPN scenario:
You are trying to lookup a resource located in your office. That resource is
NOT public. So, the ISP DNS server is not able to locate the record.

With-VPN scenario:
Now you are connected to your office. Your requests for resources inside
your office are now tunnelled through the VPN connection. This way, the
requests get to your office because they don't go through the public
internet. The resource is located and the record is returned to you via the
tunnel.

Makes sense, or did I misunderstand you?

Okay, let me try to explain it a little more. When using NSLOOKUP
int-www.ext-office.org with or without VPN the result is NOTHING. BUT, when
using NSLOOKUP int-www.ext-office.org 194.19.1.52, that's using nslookup to an
external DNS server, in this case a DNS server with a different ISP in
Norway. This is a DNS server that everyone can reach, with or without VPN,
even you can use that DNS server. If I do NSLOOKUP int-www.ext-office.org
194.19.1.52 without VPN then the result is nothing, BUT, when I connect to
the VPN and use the same lookup to the same external DNS that has nothing to
do with the VPN connection I get the correct answer, and I get the correct
answer with any DNS in the whole world when connected to the VPN, but as soon
as I disconnect from the VPN I can't get any DNS to answer, and I can't in any
case with or without VPN make the internal DNS server answer, even if the
internal DNS server has a forwarder to a DNS that gives an answer when
connected with VPN.

/Per W.
 
Per W. said:
Okay, let me try to explain it a little more. When using NSLOOKUP
int-www.ext-office.org with or without VPN the result is NOTHING.
BUT, when using NSLOOKUP int-www.ext-office.org 194.19.1.52, that's
using nslookup to an external DNS server, in this case a DNS server
with a different ISP in Norway. This is a DNS server that everyone
can reach, with or without VPN, even you can use that DNS server. If
I do NSLOOKUP int-www.ext-office.org 194.19.1.52 without VPN then the
result is nothing, BUT, when I connect to the VPN and use the same
lookup to the same external DNS that has nothing to do with the VPN
connection I get the correct answer, and I get the correct answer
with any DNS in the whole world when connected to the VPN, but as soon
as I disconnect from the VPN I can't get any DNS to answer, and I can't
in any case with or without VPN make the internal DNS server answer,
even if the internal DNS server has a forwarder to a DNS that gives
an answer when connected with VPN.
/Per W.

I can't get that either. Look:

C:\>NSLOOKUP int-www.ext-office.org 194.19.1.52
Server: dns202.telia.com
Address: 194.19.1.52

*** dns202.telia.com can't find int-www.ext-office.org: Non-existent domain

But it did resolve for microsoft.com, and other domains.

Maybe that server is a BIND server and it has 'views' set to only answer for
the int-www.ext-office.org namespace only from your corp subnet(s)?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================
 
"Ace Fekay [MVP]"

I can't get that either. Look:

C:\>NSLOOKUP int-www.ext-office.org 194.19.1.52
Server: dns202.telia.com
Address: 194.19.1.52

*** dns202.telia.com can't find int-www.ext-office.org: Non-existent domain

Yes, that's right, you get the same strange error that I get, BUT as soon as I
connect to the head office with VPN the dns202.telia.com finds the correct IP
for that address, and the dns202.telia.com has NOTHING to do with the company
I connect to with VPN. All DNS servers around the world will answer correctly
as soon as I am connected with VPN. I can't see why it should be like this,
and why couldn't the internal DNS server solve this address when connected
with the VPN as all other DNS servers can.

/Per W.
 
Per W. said:
Yes, that's right, you get the same strange error that I get, BUT as
soon as I connect to the head office with VPN the dns202.telia.com
finds the correct IP for that address, and the dns202.telia.com has
NOTHING to do with the company I connect to with VPN. All DNS servers
around the world will answer correctly as soon as I am connected with
VPN. I can't see why it should be like this, and why couldn't the
internal DNS server solve this address when connected with the VPN as
all other DNS servers can.
/Per W.

I don't know other than as I mentioned, a possible 'view' issue. Some ISPs
do that, assuming it is a DNS server for your ISP.

Ace
 
"Ace Fekay [MVP]"

I don't know other than as I mentioned, a possible 'view' issue. Some
ISPs do that, assuming it is a DNS server for your ISP.

If I used your DNS server the answer would have been correct when connected
to the VPN, but your DNS server wouldn't have any answer for that IP if I
wasn't using VPN, see?

/Per W.
 
Per W. said:
If I used your DNS server the answer would have been correct when
connected to the VPN, but your DNS server wouldn't have any answer
for that IP if I wasn't using VPN, see?

/Per W.

Per, I totally understand what you are saying. As I've already said, I am
NOT sure why, but I provided a _*possible*_ cause of the problem.

It could also mean they *may* be blocking traffic from everywhere else for
some reason.

Maybe someone else may have a better suggestion for you.

Just as an FYI, here's info on what a BIND view is:

Views in BIND 9 by Cricket Liu
http://sysadmin.oreilly.com/news/views_0501.html

Ace
 
Per W. said:
If I used your DNS server the answer would have been correct when
connected to the VPN, but your DNS server wouldn't have any answer
for that IP if I wasn't using VPN, see?

Use the -d2 option to see what nslookup is doing.



--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
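
The debug option suggested above exposes the response header, which is what separates the different meanings of "NO answer" in this thread. As an added example that is not part of the original thread, this Python decoder reads the header fields and A records that `nslookup -d2` displays, so a Non-existent domain reply can be told apart from an empty reply or a real answer. The response packets are constructed samples, and 192.0.2.10 is a documentation-range placeholder address, not the office's real IP.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Encode a host name as length-prefixed DNS labels."""
    labels = (bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return b"".join(labels) + b"\x00"

def build_response(name, rcode, addr=None, aa=False):
    """Build a constructed sample response (not captured traffic)."""
    flags = 0x8000 | 0x0100 | 0x0080 | (0x0400 if aa else 0) | rcode  # QR, RD, RA, AA
    pkt = struct.pack("!6H", 0x1234, flags, 1, 1 if addr else 0, 0, 0)
    pkt += encode_name(name) + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN
    if addr:
        # Answer RR: pointer to the name at offset 12, A, IN, TTL 300, RDLENGTH 4
        pkt += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)
        pkt += bytes(int(octet) for octet in addr.split("."))
    return pkt

def skip_name(pkt, off):
    """Return the offset just past a name, which may end in a compression pointer."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def summarize(pkt):
    """Decode the header fields and A records that nslookup -d2 displays."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "authoritative": bool(flags & 0x0400),
            "recursion_available": bool(flags & 0x0080),
            "answers": addrs}
```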
 