[isalist] Re: Came across this little gem...
- From: Jim Harrison <Jim@xxxxxxxxxxxx>
- To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
- Date: Wed, 30 Jan 2008 05:29:47 -0800
Nope; that's Windows name resolution logic; it (rightly) decides that DNS
queries should be made to the closest DNS server.
If one is defined for the local network, it tries that first.
For a normal DNS server, if no zone or host is found for that query, will
return "no record" and Windows will proceed to the remaining DNS servers; to
include the DNS server defined for the DoD connection.
Jim
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Greg Mulholland
Sent: Tuesday, January 29, 2008 11:54 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Came across this little gem...
Wouldn't that be a split tunnelling issue though? If im connected to my vpn, my
dns lookups are done by my remote dns servers.
Greg
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Wednesday, 30 January 2008 4:11 PM
To: ISA Mailing List; ISAPros Mailing List
Subject: [isalist] Re: Came across this little gem...
Yep - these are the same geniuses that choose to respond for domains they don't
hold.
Case in point:
C:\>nslookup -d anyhost.corp.microsoft.com. 208.67.222.222
------------
Got answer:
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
222.222.67.208.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 222.222.67.208.in-addr.arpa
name = resolver1.opendns.com
ttl = 82245 (22 hours 50 mins 45 secs)
------------
Server: resolver1.opendns.com
Address: 208.67.222.222
------------
Got answer:
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
anyhost.corp.microsoft.com, type = A, class = IN
ANSWERS:
-> anyhost.corp.microsoft.com
internet address = 208.67.216.130
ttl = 0 (0 secs)
------------
Non-authoritative answer:
Name: anyhost.corp.microsoft.com
Address: 208.67.216.130
What's the problem with this you may ask (go ahead - I triple-dog-dare ya)?
Take the case of the home (or small business) user chooses to use their DNS in
their NAT device.
In many cases, this NAT device also acts as the local network "DNS proxy" in
that the DHCP service it provides assigns its NAT IP (say; 192.168.0.1) as the
DNS server for the internal hosts.
Now let's this user has the ability to create a VPN connection to Microsoft.
When this connection is created, the VPN client has two DNS servers to query;
the local NAT DNS provided by the DHCP assignment and the DNS server supplied
via the VPN connection.
When Windows tries to resolve <host>.corp.microsoft.com, the closest DNS server
is the one defined in the non-DoD network, or 192.168.0.1.
This DNS server, being nothing more than a NAT reference to the OpenDNS
"services" replies to this request with an IUP address that is *not* found
within MS internal address space. Thus, the user can never make a name-based
connection across the VPN tunnel.
Apparently, they query the authoritative DNS services and if they come up
empty, the respond with an address anyway.
We tried working with them to stop doing this, but to no avail.
While my (real-life) example is Microsoft-specific, it would work if the domain
was ISAtools.org.
Consider using this "service" carefully; it'll bite you in the butt when you
least expect it.
Jim
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Steve Moffat
Sent: Tuesday, January 29, 2008 3:50 PM
To: ISA Mailing List; ISAPros Mailing List
Subject: [isalist] Came across this little gem...
Looks like this could very well compliment your ISA installs guys...
http://www.opendns.com
Thanks
Steve
Steve Moffat
Operations Director
Optimum IT Solutions
Desk: 441 292 8849
Mobile: 441 292 8849
MSN IM: steve@xxxxxxxxxx<mailto:steve@xxxxxxxxxx>
Web: http://optimum.bm<http://optimum.bm/>
Dedicated to proactively supporting our customers
This email may contain confidential information. If you are not named on the
addressee list, please take no action in relation to this email, do not open
any attachment, and please contact the sender (details above) immediately.
Information in this email is provided in good faith. If you are a customer of
Optimum IT Solutions please refer to the terms and conditions which cover the
provision of support and consulting services to you/your organization. If you
are not corresponding in the course of, or in connection with a Optimum IT
Solutions contract or program with its own terms and conditions, please note
that no liability is accepted by Optimum IT Solutions for the contents of this
mail.
Other related posts:
