VPN DNS issue

Thread starter: Andy Yew

Andy Yew

I have an issue with the DNS settings not properly propagating down to
the client when VPN is enabled. This was originally posted in VPN
newsgroups but I have since found more info and think it is likely to
be a DNS issue.. Any help would be appreciated..

I have a distributed workforce that is accessing the servers here in
the head office and the way through is via 2 ways of getting access to
the mail server.

POP3 or full MAPI mode, the former can be used even without VPN
connectivity. The issue is that we're rolling out other services as
well and that requires some sort of VPN connection. Even for users
using POP3 connections only.

I have set up the DNS to allow for dynamic updates and the DNS servers
that are propagating through will be pointing to that of our local
DNS.

With VPN on, and using the default gateway on the VPN, all the
connectivity will be shunted through the MS VPN server before heading
out to the internet. By right, with VPN enabled and a CNAME created
for the external mail, it ought to be using the internal IP to get
their mails but somehow, it doesn't work.

The traceroute returns this... which is wrong since it went and used
the external IP instead of the internal one..

tracert mail

Tracing route to mail.xxx.com [202.135.115.35]
over a maximum of 30 hops:

1 401 ms 400 ms 401 ms VPN1 [192.168.100.200]
2 391 ms 400 ms 411 ms 192.168.100.250
3 390 ms 401 ms 400 ms 202.135.115.35

Trace complete.

This is what should happen..
tracert mail

Tracing route to mailserver1.xxx.com [192.168.100.11]
over a maximum of 30 hops:

1 400 ms 391 ms 400 ms VPN1 [192.168.100.200]
2 401 ms 391 ms 410 ms mailserver1.xxx.com [192.168.100.11]

Trace complete.

I have put in DNS suffixes, so that it autoappends when VPN is on. The
only way we could get this to work was to forcefully put in the local
DNS server on the Local LAN connection instead of the VPN Connection
properties.. and this slows down everything tremendously and is a pain
to manage.

Any ideas?

Andy
 
VPNs seem to give many folks problems such as this, especially when AD is
involved. One proven suggestion is to use a HOSTS file on the client side
with that internal information. Give it a try.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
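The two checks below are an added example, not code from this thread or from either poster. The first reads a Windows tracert transcript taken while the VPN is connected and reports whether the target name came back with an internal address (split-horizon DNS did its job) or with the public one, which is the symptom Andy shows: the packets enter the VPN server and hairpin back out to the Internet. The second renders Ace's HOSTS-file workaround as a marked block that can be regenerated without touching the rest of the file, and refuses to pin a name to anything outside the internal ranges. Addresses and names are the thread's own; the transcripts and the marker strings are constructed for the example.

```python
"""Added example: VPN split-horizon check from tracert output, plus an
idempotent, range-checked HOSTS-file block for the internal names."""
import ipaddress
import re

# RFC 1918 space; the thread's LAN is 192.168.100.0/24.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_TARGET_RE = re.compile(r"Tracing route to (\S+) \[([\d.]+)\]")
# Hop line, e.g. "  1   401 ms   400 ms   401 ms  VPN1 [192.168.100.200]"
_HOP_RE = re.compile(r"^\s*(\d+)\s+(?:(?:<?\d+ ms|\*)\s+){3}(.*?)\s*$")
_IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_tracert(text):
    """Return (target_name, target_ip, [hop_ip or None, ...])."""
    m = _TARGET_RE.search(text)
    if not m:
        raise ValueError("no 'Tracing route to' header in transcript")
    hops = []
    for line in text.splitlines():
        h = _HOP_RE.match(line)
        if h:
            ipm = _IP_RE.search(h.group(2))
            hops.append(ipaddress.ip_address(ipm.group(1)) if ipm else None)
    return m.group(1), ipaddress.ip_address(m.group(2)), hops


def is_internal(ip, nets=INTERNAL_NETS):
    return any(ip in n for n in nets)


def check_resolution(text, nets=INTERNAL_NETS):
    """'ok' = internal answer; 'leaked' = public answer although the first
    hop is the VPN server; 'no-vpn' = first hop is not internal at all."""
    name, ip, hops = parse_tracert(text)
    first = hops[0] if hops else None
    if first is None or not is_internal(first, nets):
        return "no-vpn", name, str(ip)
    return ("ok" if is_internal(ip, nets) else "leaked"), name, str(ip)


# Marker strings are an assumption of this example, not a Windows convention.
HOSTS_BEGIN = "# BEGIN vpn-internal-names (generated; do not edit by hand)"
HOSTS_END = "# END vpn-internal-names"


def render_hosts_block(mapping, nets=INTERNAL_NETS):
    """HOSTS lines for internal names; refuses any non-internal address."""
    lines = [HOSTS_BEGIN]
    for name, addr in sorted(mapping.items()):
        ip = ipaddress.ip_address(addr)
        if not is_internal(ip, nets):
            raise ValueError(f"{name} -> {addr} is not an internal address")
        lines.append(f"{ip}\t{name}")
    lines.append(HOSTS_END)
    return lines


def update_hosts(existing, mapping, nets=INTERNAL_NETS):
    """Replace the managed block in a HOSTS file (or append it), leaving
    every line outside the markers untouched. Running it twice is a no-op."""
    block = render_hosts_block(mapping, nets)
    lines = existing.splitlines()
    if HOSTS_BEGIN in lines and HOSTS_END in lines:
        b, e = lines.index(HOSTS_BEGIN), lines.index(HOSTS_END)
        lines = lines[:b] + block + lines[e + 1:]
    else:
        lines = lines + ([""] if lines and lines[-1] else []) + block
    return "\n".join(lines) + "\n"


# Constructed from the two transcripts posted in the thread.
LEAKED_TRACE = """\
Tracing route to mail.xxx.com [202.135.115.35]
over a maximum of 30 hops:

  1   401 ms   400 ms   401 ms  VPN1 [192.168.100.200]
  2   391 ms   400 ms   411 ms  192.168.100.250
  3   390 ms   401 ms   400 ms  202.135.115.35

Trace complete.
"""
GOOD_TRACE = """\
Tracing route to mailserver1.xxx.com [192.168.100.11]
over a maximum of 30 hops:

  1   400 ms   391 ms   400 ms  VPN1 [192.168.100.200]
  2   401 ms   391 ms   410 ms  mailserver1.xxx.com [192.168.100.11]

Trace complete.
"""
INTERNAL_NAMES = {"mail": "192.168.100.11", "mail.xxx.com": "192.168.100.11"}

if __name__ == "__main__":
    for label, trace in (("bad", LEAKED_TRACE), ("good", GOOD_TRACE)):
        print(label, check_resolution(trace))
    print(update_hosts("127.0.0.1\tlocalhost\n", INTERNAL_NAMES), end="")
```

A "leaked" verdict is worth treating as more than a routing oddity: with the VPN as default gateway, the POP3 or MAPI session leaves the VPN server in the clear towards the public address, so the tunnel is not protecting it end to end. The HOSTS block has the limitation Andy raises in his next reply: it pins the name to the internal address whether or not the VPN is up, so users who fetch mail over POP3 without the VPN would stop resolving the public host; it only fits clients that always connect through the tunnel.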
 
Thanks for the reply..

I know about the hosts file bit, but rather not have to use it because
once started, it tends to get a bit difficult to control. And in
addition, we do want the users (currently at least), the ability to
access their emails without having to go through the overhead of a
VPN.

Any other ideas would be most helpful.

Andy

 
Sorry, I don't. OWA is probably another solution, but not sure that's what
you want to hear.

This is one issue with AD and VPNs that is difficult to manage.

--
Regards,
Ace

 
Thanks. One last go. We have set aside just a simple member server
doing nothing but VPN services. Hopefully that might help clear the
light. Found a few KBs detailing possible issues for DCs running DNS
and VPN..

Andy
 
That's a good thing. I would normally recommend using a member server and
not a DC due to the issues you described. But keep in mind, the HOSTS files
*may* still be a needed thing, you'll just have to test it out.

--
Regards,
Ace

 