DNS issues over VPN

Goody3335
I have many users connecting over VPN (PPTP using Microsoft VPN) and all of a sudden only some are not able to connect to DNS. They can ping using IP addresses, but not computer names. When they use the nslookup tool it gives their ISP's DNS server, not ours. They seem to connect to the VPN just fine, though. I looked in event viewer and there are a couple of warnings that say the NTP client couldn't sync the time up with the domain controller, but the last one was this morning and users are still having the same problem. No configuration changes were made at the time when people started having this issue. We are working with routing and remote access on a 2003 server. Any help is much appreciated!
    0 Votes
    giadich

    In the VPN connection dialog box there is a button called Properties; if you click on that and explore the options a bit you'll find that you can change/add DNS and/or the default gateway.

    0 Votes
    robo_dev

    And the UDP protocol rarely works reliably over a VPN connection. UDP is connectionless, and any fragmentation means packets arrive out of order and are dropped.

    My guess would be that a Windows update caused the issue...but that's just a guess.

    You need to change the clients to use TCP for Kerberos authentication. See this link:

    http://support.microsoft.com/kb/244474

    0 Votes
    goody3335

    There were only 3 updates applied to the domain controller (none to the RAS server). They were KB941644, KB943485, and KB942615. Anyone heard anything bad? I saw a few bad things about the first update. I don't know that it could have caused my problem, though.

    0 Votes
    sfurtado

    I have the same setup as Goody3335, or so it seems. I tried that MS fix and flushed my test box's DNS. Still the same issue. Any help would be appreciated. Thanks

    0 Votes
    CG IT

    Users connecting to your network via VPN don't really connect to DNS. DNS is just a name-to-IP resolution service.

    My question would be why the heck are users pinging or using nslookup in the first place? Users shouldn't care about ping or nslookup rather being able to find resources on the network. If you have users pinging everywhere on the network, you can have network congestion problems.

    However, I'll assume that ping and nslookup really isn't an issue with users, including VPN users, rather that your DNS server isn't resolving names to addresses when users look for shared resource by name. If your DNS server isn't resolving a name to address, then I would look at DNS and do some query tests. DNS has a built in query and recursion test. Might check with those tools.

    0 Votes
    sfurtado

    Internally the names resolve just fine. It's only a select number of users who connect through VPN that cannot resolve the internal names.

    This works fine for some users. Luckily, on the test box I was able to replicate this issue. It will use the ISP's DNS to resolve while connected on VPN, even with the fix posted earlier. I've also specified our DNS servers for the VPN connection settings on the test box. Still no help. Thanks

    0 Votes
    Dumphrey

    The user has to manually change the priority to the VPN-supplied DNS server, or (more reliably) add the VPN network resources to a hosts file on the VPN computers. Also, make sure VPN users are on another subnet from the network they are VPNing into.

    0 Votes
    sfurtado

    I've tried both and the same issue persists.

    When I added the name servers to the hosts file it was able to resolve internal names fine. Once I rebooted, the test box went back to using the ISP's DNS... Thanks for your suggestions though. I'm stumped.

    0 Votes
    Dumphrey

    If changes aren't sticking to the hosts file, you have weird permissions issues. The hosts file overrides DNS every time (hence www.myspace.com 127.0.0.1 :0). Which means any changes you made did not get saved between reboots. You may want to look into that.

    0 Votes
    CG IT

    A VPN connection into your network [and I'll assume here that you're running MS Active Directory Services because you have DNS running, and also assume you're using typical RRAS settings] shouldn't use the ISP DNS once a connection is made. If anything, to get access to network resources they should obtain a network address through a DHCP relay agent or a static address pool. This then allows the VPN clients to be connected to the internal network just as regular desktops are. They would then use local network resources, including the local network's internet access.

    The MS patch aside, I would look at how remote clients gain access to network resources while remotely connected.

    0 Votes
    Dumphrey

    This is a pretty common problem with Cisco-based VPN clients: the VPN adapter gets the DNS info from the AD network, but the machine continues to use the DNS info for the local area network adapter (i.e. the ISP DNS) instead of the DNS for the VPN adapter. I have seen this quite a number of times; it's to the point that I automatically suggest the hosts file trick =\

    0 Votes
    CG IT

    I assumed clients are using the Windows built-in VPN connection and that it's a direct connection to the RRAS server.

    The RRAS miniports get local addresses from DHCP, and once a remote client is authenticated they have access to the remote network resources, including the internet. DNS resolution is accomplished by the network DNS server, so it shouldn't happen. Even with a RADIUS solution.

    Cisco has its own gig which goes with Cisco equipment. Same with Netgear, SonicWall, Symantec, blah blah. The VPN connection is "supposed" to be to their equipment and not a Windows RRAS server. I've seen problems all the time with manufacturers' proprietary VPN client software. Some users will try to use their Symantec, SonicWall, even Cisco VPN software to connect to Windows RRAS, and it works, but not well.

    0 Votes
    Dumphrey

    But my only VPN experience is with the Cisco setup we use.
    Thanks for the input.

    0 Votes
    giadich

    There's a setting in the VPN connection that allows you to change the gateway. These are individual settings on the client machine's connection, which is why only a few users are affected. They probably changed it to speed up their 'net connection, since they then don't have to get to the 'net through your company's gateway.

    Have them do this:

    1. Open Network Connections
    2. Bring up the Properties windows for the VPN connection
    3. Highlight Internet Protocol (TCP/IP)
    4. Click Properties button
    5. Click Advanced button
    6. Check "Use default gateway on remote network"
    7. Click OK and close all windows

    Have them reconnect and test.

    Why can they ping by IP? First off, they made the change so that when they hit the net, the data flows through their local gateway and to their ISP, which is a lot faster than through the VPN tunnel, to your company's gateway, to the VPN server, out to the 'net...

    Now as for the IP: the computer already has the IP, so it can use the IP to find a suitable route to transmit the data.

    For name lookup, it's going with the DNS server that is provided by the local gateway, which is from the ISP, and of course the ISP will not be able to resolve the name, so they will not be able to ping by name. If you do a trace route you will see the data traveling to the local gateway, to the ISP...
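The gateway and resolver checks giadich walks through above, scripted for the current Windows client. This is an added example, not code from the thread, from Microsoft, or from the KB articles linked earlier; it assumes Windows 8.1 or later with the VpnClient and DnsClient PowerShell modules (the XP-era dialog steps have no cmdlet equivalent), and the connection name `CorpVPN` and internal host name `fileserver.corp.example` are placeholders to replace with your own. On the connection object, `SplitTunneling = $true` is the same state as an unticked "Use default gateway on remote network".

```powershell
<#
  Check whether a Windows VPN connection is split-tunneled and which
  resolver actually answers for an internal name.
  Added example, not from the original thread. Assumes Windows 8.1+ with
  the VpnClient and DnsClient modules. Connection name and test host are
  placeholders (assumptions); pass your own.
#>
param(
    [string]$VpnName  = 'CorpVPN',                   # assumed connection name
    [string]$TestHost = 'fileserver.corp.example',   # assumed internal FQDN
    [switch]$Fix                                     # also turn split tunneling off
)

# 1. Split tunneling state. $true means "Use default gateway on remote
#    network" is unticked, i.e. only routes pushed by RRAS go into the tunnel.
$vpn = Get-VpnConnection -Name $VpnName -ErrorAction Stop
"{0}: status={1} tunnel={2} splitTunneling={3}" -f $vpn.Name, $vpn.ConnectionStatus, $vpn.TunnelType, $vpn.SplitTunneling

if ($vpn.SplitTunneling -and $Fix) {
    # Equivalent of ticking step 6 in the dialog: all traffic goes via the tunnel.
    Set-VpnConnection -Name $VpnName -SplitTunneling $false
    "Split tunneling disabled on '$VpnName'; reconnect and run this again."
}

# 2. Ask every configured resolver for the internal name directly, so the
#    ISP's server and the VPN-supplied server can be told apart.
#    -DnsOnly skips the LLMNR/NetBIOS fallbacks and -NoHostsFile skips the
#    hosts file, so a stale hosts entry cannot mask a broken resolver.
$byInterface = Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object { $_.ServerAddresses.Count -gt 0 }

foreach ($entry in $byInterface) {
    foreach ($server in $entry.ServerAddresses) {
        try {
            $rec = Resolve-DnsName -Name $TestHost -Server $server -Type A -DnsOnly -NoHostsFile -ErrorAction Stop
            "{0,-22} {1,-15} -> {2}" -f $entry.InterfaceAlias, $server, ($rec.IPAddress -join ', ')
        } catch {
            # Expected for the ISP resolver: it has never heard of the internal zone.
            "{0,-22} {1,-15} -> FAILED ({2})" -f $entry.InterfaceAlias, $server, $_.Exception.Message
        }
    }
}

# 3. Now the path users actually exercise: no -Server, so the stub resolver
#    picks the interface on its own. If this fails while step 2 succeeded
#    through the VPN interface, the client is simply asking the wrong
#    resolver first, which is the symptom this thread describes.
try {
    $rec = Resolve-DnsName -Name $TestHost -Type A -ErrorAction Stop
    "system resolver -> {0}" -f ($rec.IPAddress -join ', ')
} catch {
    "system resolver -> FAILED ({0})" -f $_.Exception.Message
}
```

Run it as `.\Check-VpnDns.ps1 -VpnName 'CorpVPN' -TestHost 'fileserver.corp.example'` while the VPN is connected; add `-Fix` only once you have confirmed that the user really did untick the gateway option, since forcing all traffic through the tunnel is a policy decision for the RRAS owner, not the helpdesk.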

    0 Votes
    Dumphrey

    I am going to go test this =)

    0 Votes
    sfurtado

    Btw, we are using the Windows built-in VPN, connecting to RRAS.

    I changed the adapter/binding order to go through remote access connections first (right-click "My Network Places", select "Properties"; from the menu bar select "Advanced", then "Advanced Settings").

    From there I forced the adapter/bindings for remote access connections to be first by editing the registry; see http://support.microsoft.com/kb/311218/en-us .

    This seems to work for now. I haven't created another test box to verify this, although on our first test box it seemed to fix the issue and it holds up after a reboot. It also worked for two VPN users who were having this issue as well.

    Thanks for all the help everyone!! I greatly appreciate it.
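sfurtado's fix, moving the remote-access connection to the top of the binding order, corresponds on current Windows to the IPv4 interface metric: the DNS client prefers the interface with the lowest metric, so the VPN adapter's DNS servers are only consulted first when the VPN interface has the lowest metric. The following is an added example, not code from the thread or from KB311218; it lists the resolver order before and after pinning that metric and then verifies a real lookup. It assumes Windows 8.1 or later with the NetTCPIP and DnsClient modules, an elevated prompt, and that the VPN interface alias is `CorpVPN` (the built-in client names the interface after the connection); the alias, the test name `fileserver.corp.example` and the metric value 5 are placeholders.

```powershell
<#
  Put the VPN interface first in the resolver order by giving it the
  lowest IPv4 interface metric, then verify a real lookup.
  Added example, not from the original thread. Assumes Windows 8.1+ with
  the NetTCPIP and DnsClient modules and an elevated prompt. The alias,
  test host and metric value are placeholders (assumptions).
#>
param(
    [string]$VpnAlias  = 'CorpVPN',                  # assumed interface alias
    [string]$TestHost  = 'fileserver.corp.example',  # assumed internal FQDN
    [int]   $VpnMetric = 5                           # must be lower than every NIC's metric
)

function Get-ResolverOrder {
    # Connected IPv4 interfaces that carry DNS servers, in ascending
    # InterfaceMetric order, i.e. the order the DNS client prefers them.
    $dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
           Where-Object { $_.ServerAddresses.Count -gt 0 }
    Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.ConnectionState -eq 'Connected' -and
                       $dns.InterfaceIndex -contains $_.InterfaceIndex } |
        Sort-Object InterfaceMetric |
        ForEach-Object {
            $d = $dns | Where-Object InterfaceIndex -eq $_.InterfaceIndex
            [pscustomobject]@{
                Metric     = $_.InterfaceMetric
                Interface  = $_.InterfaceAlias
                DnsServers = $d.ServerAddresses -join ', '
            }
        }
}

"Resolver order before:"
Get-ResolverOrder | Format-Table -AutoSize

$vpnIf = Get-NetIPInterface -InterfaceAlias $VpnAlias -AddressFamily IPv4 -ErrorAction Stop
if ($vpnIf.AutomaticMetric -eq 'Enabled' -or $vpnIf.InterfaceMetric -gt $VpnMetric) {
    # The automatic metric is derived from link speed. If it leaves the VPN
    # above the LAN/Wi-Fi adapter, the ISP resolver is preferred and internal
    # names fail exactly as in the thread. Pin the VPN below every NIC.
    Set-NetIPInterface -InterfaceAlias $VpnAlias -AddressFamily IPv4 -AutomaticMetric Disabled -InterfaceMetric $VpnMetric
    "Pinned '$VpnAlias' to metric $VpnMetric."
}

"Resolver order after:"
Get-ResolverOrder | Format-Table -AutoSize

# Verify through the normal resolver path (no -Server), the same path that
# ping-by-name and UNC access use. Flush first so a negatively cached ISP
# answer does not hide the fix.
Clear-DnsClientCache
try {
    $rec = Resolve-DnsName -Name $TestHost -Type A -ErrorAction Stop
    "{0} -> {1}" -f $TestHost, ($rec.IPAddress -join ', ')
} catch {
    "{0} -> still failing ({1})" -f $TestHost, $_.Exception.Message
}
```

The metric is stored per interface and survives reboots, which is the property sfurtado was looking for from the binding-order change. Two caveats: since Windows 8 the resolver can also race queries across interfaces (smart multi-homed name resolution), so if a fast ISP NXDOMAIN keeps winning after the metric is pinned, that policy is the next thing to check; and a low metric only orders DNS servers, it does not by itself change the default gateway, which is still governed by the "Use default gateway on remote network" setting in the earlier post.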
