Re: Help With DNS Through VPN
- From: "ZVR" <nospamever@xxxxxx>
- Date: Tue, 6 Dec 2005 22:15:30 -0500

"Bill" <billyg1943@xxxxxxxxxxx> wrote in message
news:eeBOWwl%23FHA.2464@xxxxxxxxxxxxxxxxxxxxxxx
> Hi Virgil.
> Almost success! I read Tom's entire article and noted the section on DNS.
> Checked the DNS server and it was configured to listen only on the
> internal interface so I added the external interface.

If you want to use packet filtering to allow access to your DNS server then
you need indeed to bind the service to the external interface. Rule of thumb
with packet filters in ISA2000 is that you use them to control traffic
between "Internet" and the external NIC on ISA, so if the DNS service is not
running on the external NIC packet filters will do you no good.

> It was also configured to enable forwarding and the DNS servers were not
> correct (ISP was recently changed). I left this enabled and entered the
> correct DNS servers. Not sure whether to leave recursion on in this
> scenario so I left this alone. What do you think about this?

I would leave recursion off - that way if there is a problem with the ISP's
name servers your DNS server will resolve the queries by itself; otherwise
it will just behave as a 'slave' to the ISP servers.

> So now nslookup finds:

Please forget about nslookup :-), that is such a poor tool. Here's a link to
a freeware utility I've been using for a while, and it's simply great. It
has ping, tracert, nslookup and many other things and it's graphical and
very easy to use. It is called INetQuery by Atrium Software and can be
downloaded from here:
http://www.atrium-software.com/download/iNetQuery.exe
Just remember to specify the address of your DNS server in the
Extras/Settings dialog, after you install it.

> C:\Documents and Settings\Bill>nslookup
> Default Server: merry.christmas
> Address: 192.168.xxx.yyy (external interface)
>
> Don't know where the hostname comes from!

merry.christmas - That is how the DNS server used by your workstation sees
itself when you run nslookup. When you run nslookup for the first time, it
will read the DNS server setting from the TCPIP config on your workstation -
so it gets the IP address of the DNS server. Then it performs a reverse
lookup for that IP, against the name server selected in nslookup (and the
first time you run nslookup that will be the same IP).

> Remote client is still unable to resolve hosts on the internal network.
> What is missing here?

What do you mean by that? When they connect to the Cisco VPN clients, are
your clients getting the correct IP address as their DNS server? They should
get the external IP of the SBS machine from what I understand from your
setup.
Moreover, what kind of DNS queries come from your clients? Suppose you want
to PING from a VPN client... do you do a < PING server01 > or a < PING
server01.yourinternaldomain.com >. You have to use the full FQDN (the second
example)... resolution by name only (not fully qualified name) works only
within the boundaries of your LAN - not with VPN clients.
Finally, what happens if you install INetQuery on a remote PC, connect that
PC via VPN, then launch some DNS queries from that PC against the external
SBS IP?
Virgil
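
The nslookup startup behaviour described in the reply above (a reverse lookup of the configured DNS server's own IP, whose answer becomes the "Default Server" name), as an added example that is not part of the original post. It builds the PTR question on the wire and decodes a constructed reply; the address 192.0.2.53 and the response bytes are constructed sample data, not taken from the poster's network.

```python
import ipaddress
import struct

def encode_name(name):  # dotted name -> length-prefixed DNS labels
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_ptr_query(ip, txid=0x1234):  # reverse-lookup question for the server's own IP
    qname = ipaddress.ip_address(ip).reverse_pointer   # e.g. 53.2.0.192.in-addr.arpa
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(qname) + struct.pack("!HH", 12, 1)  # type PTR, class IN

def read_name(msg, off):  # decode a name, following compression; returns (name, next offset)
    labels, nxt, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # two-byte compression pointer
            nxt = off + 2 if nxt is None else nxt
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if nxt is None else nxt)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def server_name(msg):  # PTR target from a response, or None when there is no PTR answer
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                        # skip the echoed question(s)
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 12:
            return read_name(msg, off + 10)[0]
        off += 10 + rdlen
    return None

def constructed_response(ip, host):  # constructed reply: reverse zone maps ip -> host
    rdata = encode_name(host)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 12, 1, 3600, len(rdata)) + rdata
    return struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0) + build_ptr_query(ip)[12:] + answer

if __name__ == "__main__":
    print(server_name(constructed_response("192.0.2.53", "merry.christmas")))
```

The name shown therefore comes from whatever PTR record the queried server returns for that IP, so an odd hostname points at the reverse zone data rather than at the workstation.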