RE: OT: VPN and DNS

  • From: "Greg Mulholland" <gmulholland@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 16 Apr 2004 21:03:20 +1000

OK, dare I say it (sorry Tom, Steve made me):

"Split DNS" 


Greg Mulholland
http://www.isaserver.org
http://www.isaserver.mine.nu
http://groups.google.com 


-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Friday, April 16, 2004 8:51 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OT: VPN and DNS

http://www.ISAserver.org

The way I see it is server.corp.com has external DNS servers on the
internal network. A VPN client should be querying the internal servers
and shouldn't be resolving from the external servers.

S

-----Original Message-----
From: Greg Mulholland [mailto:gmulholland@xxxxxxxxxxxxxxx]
Sent: Friday, April 16, 2004 7:38 AM
To: Isa Weblist
Subject: [isalist] RE: OT: VPN and DNS

http://www.ISAserver.org

Joe, I'm confused a little. Are you saying that the problem is that you
can't resolve internal records on your public/external DNS, i.e.
server.corp.com, or that your VPN clients are contacting 192.168.1.1,
which is a DNS server, and not 10.1.1.2? In this case don't they have
similar zones, and it shouldn't really matter which one resolves DNS
queries; it just depends on your routes.


Greg Mulholland
http://www.isaserver.org
http://www.isaserver.mine.nu
http://groups.google.com 


-----Original Message-----
From: Joe Pochedley [mailto:joepochedley@xxxxxxxxx]
Sent: Friday, April 16, 2004 1:30 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OT: VPN and DNS

http://www.ISAserver.org

Yes, I have definitely experienced issues where the local client's
address space is the same as the remote network's (VPN's) address
space... For instance, if the local address is 10.1.1.x/24 this
definitely conflicts with the VPN network which is running
10.1.x.x/16...  It really makes the VPN connection just fall apart...
That's just a situation that's pretty much irresolvable AFAIK...
Definitely a sticky wicket for VPNs...  (Any suggestions on how to
resolve that issue would make for interesting reading!)

The issue I'm concerned with is similar, but different...

Take a client with an address of 192.168.1.x/24...  SOHO router serving
IP options via DHCP...  Sets the client with itself as default gateway
and DNS as 192.168.1.1...  

Now the client connects to a VPN...  VPN IP 10.1.1.x/24...  VPN DNS
10.1.1.2...

Internal network using corp.com as Active Directory address space...
corp.com also being used for external addressing (www.corp.com,
mail.corp.com, etc.)

VPN client, with active VPN connection, tries to do a DNS lookup for
server.corp.com...  The "local" DNS server (192.168.1.1) is still
available and can respond, and since Windows has established this as an
active DNS server, it sends the query for server.corp.com...  Of course the
external DNS servers for corp.com don't have the internal address for
server.corp.com and therefore the DNS lookup fails (or responds with the
external address, which doesn't do any good for directing traffic
through the VPN connection)...  Since the 192.168.1.1 DNS 'server'
responds, the client never tries to hit the 10.1.1.2 DNS server to
properly resolve server.corp.com.

I don't know if there really is a clean solution, but there's always
hope...

Joe Pochedley
Weiler's Law - Nothing is impossible for the man who doesn't have to do
it himself.


-----Original Message-----
From: cismic [mailto:cismic@xxxxxxx]
Sent: Thursday, April 15, 2004 2:11 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OT: VPN and DNS

http://www.ISAserver.org

Hi Joe,
I've seen this before. The cause was the local client had, let's say, a
10.0.0.1 type of subnet and the client that you VPN to had a similar
subnet, 10.0.1.1.  This caused a strange conflict, but I was able to move
files from my subnet to their subnet.
I was using the Cisco VPN client.

Not sure if this is what you meant, but I thought it was similar.
Thank you,
Joseph
----- Original Message -----
From: "Joe Pochedley" <joepochedley@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, April 15, 2004 8:13 AM
Subject: [isalist] RE: OT: VPN and DNS


http://www.ISAserver.org

Ladies and gentlemen...  Just wanted to clarify one item that was
suggested off list...  My VPN clients are _not_ using split tunneling,
yet items on the client's local subnet (including the DNS server) are
still available...

Still looking for suggestions....

TIA!


Joe Pochedley
Weiler's Law - Nothing is impossible for the man who doesn't have to do
it himself.


-----Original Message-----
From: Joe Pochedley
Sent: Wednesday, April 14, 2004 9:42 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] OT: VPN and DNS

http://www.ISAserver.org

Sorry for the OT post, but since Dr. Shinder and others on this list
have spent so much time in this area, I'm hoping someone here can offer
some suggestions...

In short: As more and more users want to work from home, in hotels with
high-speed connections, etc., we're having issues with more and more SOHO
routers or hotel configs and are looking for solutions / work-arounds...
We're using the same DNS space internally and externally (split DNS).
Users VPN in using MS's VPN (PPTP at the moment).  This works great over
dial-up and with some high-speed lines...

However, some SOHO routers (SMC, Dlink, Microsoft and some hotels'
wireless systems have all been culprits thus far) present themselves to
the clients as the local DNS server and in effect perform DNS
forwarding (maybe some local caching too, I don't know).  The problem
this appears to cause is that the local client can still reach the
"local" DNS server because it's on the same subnet...  When this happens
the client doesn't use the VPN-supplied DNS servers and therefore DNS
lookups either fail or return the wrong addresses.

My assumption always used to be that all traffic from the client would
be forwarded through the VPN when the VPN is active, but this appears to
not be the case.  Local traffic still will go out to other local clients
and therefore since the DNS server appears local, the client machine
will try to hit the local DNS server (and will be successful albeit with
results we don't want)...

FWIW, Windows 2000 Domain, MS RRAS and ISA running on Windows Svr 2003.
Windows 2000 and XP Pro clients.

The only solutions I've come up with thus far are:

1) HOSTS files...  Yuck.
2) I could write a script that would modify the client's DNS settings,
effectively removing the "local" DNS server during the VPN session, but
that's a PITA all the way around...

I'd happily entertain any other suggestions!  TIA!

Joe Pochedley
Weiler's Law - Nothing is impossible for the man who doesn't have to do
it himself.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
JoePochedley@xxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')
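An added check for the failure Joe describes (example code written here, not from the thread, from ISA Server or from any list member): it builds a raw A query for server.corp.com, parses the reply, and classifies it the way the thread lays out, NXDOMAIN or a public address meaning the local 192.168.1.1 forwarder answered from the external corp.com zone, an address inside the VPN range meaning the 10.1.1.2 VPN DNS answered. The internal range 10.1.1.0/24, the address 10.1.1.50 and the sample replies are assumptions constructed from the thread's own numbers.

```python
import ipaddress
import struct

INTERNAL_NETS = [ipaddress.ip_network("10.1.1.0/24")]  # assumed: the thread's VPN range

def build_query(name, txid=0x1234):
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # ID, RD set, QDCOUNT=1
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:  # walk labels to root or pointer
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)  # pointer is 2 bytes, root label 1

def parse_answer(msg):
    # Return (rcode, list of A-record addresses) from a DNS response message.
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return flags & 0x000F, addrs

def classify(rcode, addrs, internal_nets=INTERNAL_NETS):
    # The two failure modes in the thread: NXDOMAIN from the public zone, or its external address.
    if rcode == 3 or not addrs:
        return "leak: no answer, query served by the local resolver from the public zone"
    if all(any(ipaddress.ip_address(a) in n for n in internal_nets) for a in addrs):
        return "ok: internal address, answered by the VPN DNS view"
    return "leak: external address returned for an internal name"

def build_response(query, rcode, addrs):
    # Constructed reply for offline testing: echo the question, then one A record per address.
    header = query[:2] + struct.pack(">HHHHH", 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(a).packed
                   for a in addrs)
    return header + query[12:] + rrs

QUERY = build_query("server.corp.com")  # constructed samples: the thread's server.corp.com lookup
LOCAL_REPLY = build_response(QUERY, 3, [])           # 192.168.1.1 forwards to public corp.com: NXDOMAIN
VPN_REPLY = build_response(QUERY, 0, ["10.1.1.50"])  # 10.1.1.2 returns the internal address
```

On a live client the same `QUERY` bytes can be sent over UDP port 53 to 192.168.1.1 and to 10.1.1.2 in turn, and each reply run through `parse_answer` and `classify`, to show which server the client's resolver is actually reaching.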















