Try ipconfig /flushdns on the workstation. S -----Original Message----- From: Joe Pochedley [mailto:joepochedley@xxxxxxxxx] Sent: Tuesday, September 21, 2004 9:39 AM To: Isa Weblist Subject: [isalist] RE: VPN Clients and DNS http://www.ISAserver.org William, Windows will continue to use a DNS server that it had previously contacted for as long as that server is available. Only when a DNS server becomes unavailable (does not respond to a query) will Windows switch to the next one in the list and then that one will be the "first" that it attempts to contact. I have seen something 'similar' to what you have described. It happens whenever a DNS server is on the same local subnet as the client and therefore the remote default gateway doesn't enter into the situation... 99% of the time I've seen this, it's because the VPN user is using a NAT'd DSL or cable connection where the NAT router passes itself as the DNS (and then proxies out the DNS requests to the ISP's servers)... This seems to be the default behavior of Dlink, SMC, Microsoft, and Netgear routers... Linksys seems to be the only one (of the SOHO/consumer router manufacturers) that do not do this AFAIK. In those instances, the only servers that have been a problem have been the ones using the same names internally and externally, with different addresses of course. If this isn't the situation you're describing, then please elaborate more. Joe Pochedley A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about. -Douglas Adams -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Tuesday, September 21, 2004 1:03 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: VPN Clients and DNS http://www.ISAserver.org Hi William, Where are you seeing the "order" of the DNS servers? Tom www.isaserver.org/shinder Get the book! Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 MVP -- ISA Firewalls -----Original Message----- From: William Holmes [mailto:wtholmes@xxxxxxxxxxxxxx] Sent: Monday, September 20, 2004 10:30 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: VPN Clients and DNS http://www.ISAserver.org Hi Tom, The VPN server is assigning my internal DNS server correctly. However the order of the DNS servers in unchanged. That is to say if prior to the VPN connection starting the DNS Server order is: 192.168.40.25 192.168.40.99 And the VPN connection assigns the DNS servers 192.168.88.5 Then the order of the servers is left as 192.168.40.25 192.168.40.99 192.168.88.5 The problem is that the first two DNS servers are restricted by the ISP to its own networks. When the default route switches to the ISA server you can not contact the ISP's DNS servers. What I think should happen is that the order should be set to: 192.168.88.5 192.168.40.25 192.168.40.99 Does this make sense? Thanks Bill -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Monday, September 20, 2004 8:29 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: VPN Clients and DNS http://www.ISAserver.org Hi William, The way is supposed to work is the VPN server assigns the VPN clients a DNS server address, and that DNS server is on your internal network. In that case, the DNS server is able to resolve both internal and external names. HTH< Tom -----Original Message----- From: William Holmes [mailto:wtholmes@xxxxxxxxxxxxxx] Sent: Monday, September 20, 2004 3:13 PM To: [ISAserver.org Discussion List] Subject: [isalist] VPN Clients and DNS http://www.ISAserver.org Hello, I have a problem with DNS and VPN connections. When a computer connected to an ISP makes a VPN connection in which it is specified to use the default gateway on the VPN server DNS queries fail. This is happening because the ISP is blocking DNS requests from hosts outside its network. The question is how can one have the DNS configuration change during the period of time while the VPN is up. I obviously have DNS servers on my protected net that I want a VPN client to use. I know this can be scripted but the question is why is that necessary. I would think the default behavior would be to use the DNS server on the remote network. Is there something that I have misconfigured? Thanks Bill William Holmes (MCP) Department of Computer Science 310 Upson Hall Cornell University Ithaca, NY 14853 wtholmes@xxxxxxxxxxxxxx 607 255-1757 (o) 607 227-6049 (c) ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: wtholmes@xxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: JoePochedley@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: steve@xxxxxxxxxxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx This E-Mail is confidential. It is not intended to be read, copied, disclosed or used by any person other than the recipient named above. Unauthorised use, disclosure, or copying is strictly prohibited and may be unlawful. Optimum IT Solutions disclaims any liability for any action taken in connection of this E-Mail. The comments or statements expressed in this E-Mail are not necessarily those of Optimum IT Solutions or its subsidiaries or affiliates. administrator@xxxxxxxxxxxxxxxxxxxxxxxxxx