[isapros] Re: Came across this little gem...

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 30 Jan 2008 08:47:55 -0600

Jim,
 
There is a Registry hack that you can use to force the DoD interface
to be the primary interface, so that the VPN DNS server is used first
for DNS queries. Stefaan Pouseele has it in his blog.
 
Tom
 
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
MVP -- Microsoft Firewalls (ISA)

 


________________________________

        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Wednesday, January 30, 2008 7:32 AM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: Came across this little gem...
        
        

        Yes, but the DNS server in a DoD connection is a special case.

        Remember; this only happens if the local network defines a
*local* DNS server.  If the local network defined an off-subnet DNS
server, then the DoD DNS server would be tried first.

         

        BTDT; was a nasty bear to sort out.

         

        Jim

         

        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
        Sent: Tuesday, January 29, 2008 9:50 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: Came across this little gem...

         

        In XP, the VPN client DNS is prioritized, so it's not an issue.
And in Vista, you can tell it to "use the default gateway on the remote
network" to query the DNS server specified in the VPN connection.

         

        t

         

        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Tuesday, January 29, 2008 9:11 PM
        To: ISA Mailing List; ISAPros Mailing List
        Subject: [isapros] Re: Came across this little gem...

         

        Yep - these are the same geniuses that choose to respond for
domains they don't hold.

        Case in point:

        C:\>nslookup -d anyhost.corp.microsoft.com. 208.67.222.222

        ------------

        Got answer:

            HEADER:

                opcode = QUERY, id = 1, rcode = NOERROR

                header flags:  response, want recursion, recursion
avail.

                questions = 1,  answers = 1,  authority records = 0,
additional = 0

         

            QUESTIONS:

                222.222.67.208.in-addr.arpa, type = PTR, class = IN

            ANSWERS:

            ->  222.222.67.208.in-addr.arpa

                name = resolver1.opendns.com

                ttl = 82245 (22 hours 50 mins 45 secs)

         

        ------------

        Server:  resolver1.opendns.com

        Address:  208.67.222.222

         

        ------------

        Got answer:

            HEADER:

                opcode = QUERY, id = 2, rcode = NOERROR

                header flags:  response, want recursion, recursion
avail.

                questions = 1,  answers = 1,  authority records = 0,
additional = 0

         

            QUESTIONS:

                anyhost.corp.microsoft.com, type = A, class = IN

            ANSWERS:

            ->  anyhost.corp.microsoft.com

                internet address = 208.67.216.130

                ttl = 0 (0 secs)

         

        ------------

        Non-authoritative answer:

        Name:    anyhost.corp.microsoft.com

        Address:  208.67.216.130

         

        What's the problem with this you may ask (go ahead - I
triple-dog-dare ya)?

        Take the case of the home (or small business) user who chooses to
use the DNS in their NAT device.

        In many cases, this NAT device also acts as the local network
"DNS proxy" in that the DHCP service it provides assigns its NAT IP
(say; 192.168.0.1) as the DNS server for the internal hosts.

        Now let's say this user has the ability to create a VPN connection
to Microsoft.  When this connection is created, the VPN client has two
DNS servers to query; the local NAT DNS provided by the DHCP assignment
and the DNS server supplied via the VPN connection.

        When Windows tries to resolve <host>.corp.microsoft.com, the
closest DNS server is the one defined in the non-DoD network, or
192.168.0.1.

        This DNS server, being nothing more than a NAT reference to the
OpenDNS "services", replies to this request with an IP address that is
*not* found within MS internal address space.  Thus, the user can never
make a name-based connection across the VPN tunnel.

         

        Apparently, they query the authoritative DNS services and if
they come up empty, they respond with an address anyway.

        We tried working with them to stop doing this, but to no avail.

         

        While my (real-life) example is Microsoft-specific, it would
work if the domain was ISAtools.org.

        Consider using this "service" carefully; it'll bite you in the
butt when you least expect it.

         

        Jim
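A defender-side check for the behaviour Jim describes above (a resolver answering NOERROR with an A record for a name that should come back NXDOMAIN), added here as an example and not code from anyone in the thread. It carries a minimal RFC 1035 wire-format parser; the two sample responses are constructed, and the resolver address and probe name in `probe` are assumptions, not values from the thread.

```python
import os
import socket
import struct

def _name(labels):
    """Encode a list of labels in DNS wire format (length-prefixed, zero-terminated)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qname, qid=1):
    """Standard recursive A query for qname: header flags 0x0100 = RD set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + _name(qname.rstrip(".").split(".")) + struct.pack("!HH", 1, 1)

def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) name at off."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, name ends
            return off + 2
        off += length + 1

def parse_response(data):
    """Return (id, rcode, answer_count, [A record addresses]) from a DNS message."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode, off, a_records = flags & 0x000F, 12, []
    for _ in range(qd):                # skip question section: name + type + class
        off = _skip_name(data, off) + 4
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            a_records.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return qid, rcode, an, a_records

def classify(response):
    """'honest' = NXDOMAIN with no answers; 'rewritten' = NOERROR plus A records
    for a name that should not exist (the OpenDNS behaviour in the thread)."""
    _, rcode, an, a_records = parse_response(response)
    if rcode == 3 and an == 0:
        return "honest"
    return "rewritten" if rcode == 0 and a_records else "other"

def probe(resolver_ip="192.0.2.53", zone="corp.example", timeout=3.0):
    """Live check (assumed resolver/zone): ask for a random label that cannot exist."""
    qname = "nx-%s.%s" % (os.urandom(6).hex(), zone)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, 0x1234), (resolver_ip, 53))
        return classify(s.recv(4096))

def _response(qid, rcode, qname, answer_ip=None):
    """Constructed sample response: flags 0x8180 = response, RD, RA."""
    an = 1 if answer_ip else 0
    hdr = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, an, 0, 0)
    q = _name(qname.split(".")) + struct.pack("!HH", 1, 1)
    ans = b""
    if answer_ip:   # answer name is a pointer (0xC00C) to the question name
        ans = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 0, 4) + socket.inet_aton(answer_ip)
    return hdr + q + ans

HONEST = _response(7, 3, "doesnotexist-example.corp.example")
REWRITTEN = _response(8, 0, "doesnotexist-example.corp.example", "192.0.2.10")
```

Running `classify` against a resolver's reply for a random label under your VPN zone tells you, before the DoD interface ordering ever matters, whether that resolver will ever return NXDOMAIN for your internal names.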

         

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
        Sent: Tuesday, January 29, 2008 3:50 PM
        To: ISA Mailing List; ISAPros Mailing List
        Subject: [isalist] Came across this little gem...

         

        Looks like this could very well complement your ISA installs
guys...

         

        http://www.opendns.com

         

        Thanks

        Steve

        Steve Moffat 
        Operations Director 
        Optimum IT Solutions 
        Desk:   441 292 8849
        Mobile: 441 292 8849
        MSN IM: steve@xxxxxxxxxx
        Web: http://optimum.bm <http://optimum.bm/> 
        Dedicated to proactively supporting our customers 

        This email may contain confidential information. If you are not
named on the addressee list, please take no action in relation to this
email, do not open any attachment, and please contact the sender
(details above) immediately. Information in this email is provided in
good faith. If you are a customer of Optimum IT Solutions please refer
to the terms and conditions which cover the provision of support and
consulting services to you/your organization. If you are not
corresponding in the course of, or in connection with a Optimum IT
Solutions contract or program with its own terms and conditions, please
note that no liability is accepted by Optimum IT Solutions for the
contents of this mail.

         
