[isalist] Re: Came across this little gem...

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 30 Jan 2008 06:49:07 -0800

Jim's specifically talking about Dial On Demand connections I think -- XP
always prioritizes DNS for the VPN connection (apparently not with DoD, though
- I can't test at the moment) but not Vista.  But, all you have to tell Vista
is "use the default gateway on remote network" and it fixes it.

But again, not for DoD connections.

t

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Andrew Hodgson
Sent: Wednesday, January 30, 2008 5:53 AM
To: isalist
Subject: [isalist] Re: Came across this little gem...

Hi,

There are options to switch this “feature” off in the system, either on a
specific basis where your VPN uses an internal domain name, or altogether:

http://www.opendns.com/support/article/164

Having said this, I wouldn’t use them for the following reason:

[andrewh@tws-lilac ~]$ dig www.google.com @resolver1.opendns.com

; <<>> DiG 9.3.3rc2 <<>> www.google.com @resolver1.opendns.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9477
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         0       IN      CNAME   google.navigation.opendns.com.
google.navigation.opendns.com. 30 IN    A       208.69.34.230
google.navigation.opendns.com. 30 IN    A       208.69.34.231

;; Query time: 55 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Wed Jan 30 13:41:03 2008
;; MSG SIZE  rcvd: 104

So OpenDNS are proxying all Google requests through their own servers.

Thanks.

Andrew.

--
Andrew Hodgson,
Projects Engineer/Senior Systems Administrator,
Allpay.net Limited.

________________________________

From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: 30 January 2008 13:30
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Came across this little gem...

Nope; that’s Windows name resolution logic; it (rightly) decides that DNS
queries should be made to the closest DNS server.

If one is defined for the local network, it tries that first.

A normal DNS server, if no zone or host is found for that query, will
return “no record” and Windows will proceed to the remaining DNS servers, to
include the DNS server defined for the DoD connection.

Jim

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Greg Mulholland
Sent: Tuesday, January 29, 2008 11:54 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Came across this little gem...

Wouldn’t that be a split tunnelling issue though? If I'm connected to my VPN, my
DNS lookups are done by my remote DNS servers.

Greg

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Wednesday, 30 January 2008 4:11 PM
To: ISA Mailing List; ISAPros Mailing List
Subject: [isalist] Re: Came across this little gem...

Yep – these are the same geniuses that choose to respond for domains they don’t
hold.

Case in point:

C:\>nslookup -d anyhost.corp.microsoft.com. 208.67.222.222
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        222.222.67.208.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  222.222.67.208.in-addr.arpa
        name = resolver1.opendns.com
        ttl = 82245 (22 hours 50 mins 45 secs)

------------
Server:  resolver1.opendns.com
Address:  208.67.222.222

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        anyhost.corp.microsoft.com, type = A, class = IN
    ANSWERS:
    ->  anyhost.corp.microsoft.com
        internet address = 208.67.216.130
        ttl = 0 (0 secs)

------------
Non-authoritative answer:
Name:    anyhost.corp.microsoft.com
Address:  208.67.216.130

What’s the problem with this you may ask (go ahead – I triple-dog-dare ya)?

Take the case of the home (or small business) user who chooses to use their DNS
in their NAT device.

In many cases, this NAT device also acts as the local network “DNS proxy” in
that the DHCP service it provides assigns its NAT IP (say; 192.168.0.1) as the
DNS server for the internal hosts.

Now let’s say this user has the ability to create a VPN connection to Microsoft.
When this connection is created, the VPN client has two DNS servers to query;
the local NAT DNS provided by the DHCP assignment and the DNS server supplied
via the VPN connection.

When Windows tries to resolve <host>.corp.microsoft.com, the closest DNS server
is the one defined in the non-DoD network, or 192.168.0.1.

This DNS server, being nothing more than a NAT reference to the OpenDNS
“services”, replies to this request with an IP address that is *not* found
within MS internal address space.  Thus, the user can never make a name-based
connection across the VPN tunnel.

Apparently, they query the authoritative DNS services and if they come up
empty, they respond with an address anyway.

We tried working with them to stop doing this, but to no avail.

While my (real-life) example is Microsoft-specific, it would work if the domain
was ISAtools.org.

Consider using this “service” carefully; it’ll bite you in the butt when you
least expect it.

Jim
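
Jim's nslookup session above shows the symptom a client can test for on its own: a resolver that answers NOERROR with an A record for a name no authoritative server holds. The script below is an added example, not code from this thread or from OpenDNS; it builds a raw A query for a random label under a zone, parses the UDP reply without a DNS library, and reports "rewriting" when an address comes back where NXDOMAIN is expected. The resolver 208.67.222.222 and the zone corp.microsoft.com in the usage note are taken from Jim's session; the function names are my own.

```python
import random
import socket
import struct

def build_query(name: str, qid: int) -> bytes:
    """Build a minimal DNS query for an A record with recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the (possibly compressed) name at off."""
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)  # 2-byte compression pointer or root label

def parse_response(msg: bytes) -> dict:
    """Extract the id, rcode and any A-record addresses from a DNS response."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen  # CNAME and other records are skipped, not followed
    return {"id": qid, "rcode": flags & 0xF, "answers": addrs}

def classify(resp: dict) -> str:
    """A random label cannot exist: NXDOMAIN (rcode 3) is honest, an address is rewriting."""
    if resp["rcode"] == 3 and not resp["answers"]:
        return "honest"
    return "rewriting" if resp["rcode"] == 0 and resp["answers"] else "inconclusive"

def probe(resolver: str, zone: str, timeout: float = 3.0) -> str:
    """Query resolver for a random label under zone (network required) and classify."""
    name = "probe-%08x.%s" % (random.getrandbits(32), zone)
    qid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data)
    return classify(resp) if resp["id"] == qid else "inconclusive"
```

From a connected host, compare probe("208.67.222.222", "corp.microsoft.com") with the same call against the DNS server your VPN hands out; only a resolver that returns "honest" lets Windows fall through to the tunnel's DNS the way Jim describes.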

  

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steve Moffat
Sent: Tuesday, January 29, 2008 3:50 PM
To: ISA Mailing List; ISAPros Mailing List
Subject: [isalist] Came across this little gem...

Looks like this could very well complement your ISA installs guys...

http://www.opendns.com

Thanks

Steve

Steve Moffat 
Operations Director 
Optimum IT Solutions 
Desk:   441 292 8849
Mobile: 441 292 8849
MSN IM: steve@xxxxxxxxxx
Web: http://optimum.bm <http://optimum.bm/> 
Dedicated to proactively supporting our customers 


-- 
allpay.net Limited, Fortis et Fides, Whitestone Business Park, Whitestone, 
Hereford, HR1 3SE. Registered in England No. 02933191. UK VAT Reg. No. 666 9148 
88.

Telephone: 0870 243 3434, Fax: 0870 243 6041. 
Website: www.allpay.net Email: enquiries@xxxxxxxxxx
