Re: Help With DNS Through VPN




"ZVR" <nospamever@xxxxxx> wrote in message
news:eYOdnTIW6aXXyQveRVn-qg@xxxxxxxxxxxxx
> "Bill" <billyg1943@xxxxxxxxxxx> wrote in message
> news:eeBOWwl%23FHA.2464@xxxxxxxxxxxxxxxxxxxxxxx
>> Hi Virgil.
>> Almost success! I read Tom's entire article and noted the section on
>> DNS. Checked the DNS server and it was configured to listen only on the
>> internal interface so I added the external interface.
>
> If you want to use packet filtering to allow access to your DNS server
> then you need indeed to bind the service to the external interface. Rule
> of thumb with packet filters in ISA2000 is that you use them to control
> traffic between "Internet" and the external NIC on ISA, so if the DNS
> service is not running on the external NIC packet filters will do you no
> good.
>
>> It was also configured to enable forwarding and the DNS servers were not
>> correct (ISP was recently changed). I left this enabled and entered the
>> correct DNS servers. Not sure whether to leave recursion on in this
>> scenario so I left this alone. What do you think about this?
>
> I would leave recursion off - that way if there is a problem with the
> ISP's name servers your DNS server will resolve the queries by itself;
> otherwise it will just behave as a 'slave' to the ISP servers.
>
>> So now nslookup finds:
>
> Please forget about nslookup :-), that is such a poor tool. Here's a link
> to a freeware utility I've been using for a while, and it's simply great.
> It has ping, tracert, nslookup and many other things and it's graphical
> and very easy to use. It is called INetQuery by Atrium Software and can be
> downloaded from here:
> http://www.atrium-software.com/download/iNetQuery.exe
>
Where has THIS tool been all my life? Thanks for the tip!
>
> Just remember to specify the address of your DNS server in the
> Extras/Settings dialog, after you install it.
>
>> C:\Documents and Settings\Bill>nslookup
>> Default Server: merry.christmas
>> Address: 192.168.xxx.yyy (external interface)
>>
>> Don't know where the hostname comes from!
>
> merry.christmas - That is how the DNS server used by your workstation sees
> itself when you run nslookup. When you run nslookup for the first time, it
> will read the DNS server setting from the TCPIP config on your
> workstation - so it gets the IP address of the DNS server. Then it
> performs a reverse lookup for that IP, against the name server selected in
> nslookup (and the first time you run nslookup that will be the same IP).
>
What I meant was "merry.christmas" is NOT the name of the DNS/SBS server.
>
>> Remote client is still unable to resolve hosts on the internal network.
>> What is missing here?
>
> What do you mean by that? When they connect to the Cisco VPN clients, are
> your clients getting the correct IP address as their DNS server? They
> should get the external IP of the SBS machine from what I understand from
> your setup.
>
VPN Client gets the external IP address of the SBS/DNS as its DNS server OK.
>
> Moreover, what kind of DNS queries come from your clients? Suppose you
> want to PING from a VPN client... do you do a < PING server01 > or a <
> PING server01.yourinternaldomain.com >. You have to use the full FQDN (the
> second example)... resolution by name only (not fully qualified name)
> works only within the boundaries of your LAN - not with VPN clients.
>
I mean that if I try to, say, make a Desktop Shortcut on the remote PC to
\\internal_servername\share_name it fails because I can't resolve any hosts
on that network. Worse, I can't ping anything on that network either. Is
this because of NAT between the external and internal interfaces?
>
> Finally, what happens if you install INetQuery on a remote PC, connect
> that PC via VPN, then launch some DNS queries from that PC against the
> external SBS IP?
>
If I try to ping <FQDN> of the DNS/SBS server I get 8 "Host timed out": the
first one blank and the other seven with DNS server IP and host name.
>
> Virgil
>
>
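
The "Default Server" lookup described in the thread above (nslookup sends a PTR query for the configured DNS server's own IP and prints whatever name comes back), shown as an added Python example that is not part of the original posts. The address 192.168.0.10, the transaction ID and both replies are constructed sample data, and the function names are hypothetical.

```python
import ipaddress
import struct

def reverse_name(ip):
    """192.168.0.10 -> 10.0.168.192.in-addr.arpa, the name the PTR query asks for."""
    return ipaddress.ip_address(ip).reverse_pointer

def encode_name(name):
    """DNS wire format: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_ptr_query(ip, txid=0x1234):
    """Header (RD set, one question), then QNAME, QTYPE=PTR (12), QCLASS=IN (1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(reverse_name(ip)) + struct.pack("!HH", 12, 1)

def read_name(msg, pos, hops=0):
    """Decode the name at pos, following compression pointers: (name, next_pos)."""
    labels = []
    while (length := msg[pos]) != 0:
        if length & 0xC0 == 0xC0:                    # pointer to an earlier name
            if hops >= 16:
                raise ValueError("compression pointer loop")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            rest = read_name(msg, target, hops + 1)[0]
            return ".".join(labels + [rest]).rstrip("."), pos + 2
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels), pos + 1

def default_server_name(response):
    """PTR target of the first answer, or None (nslookup then prints 'UnKnown')."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    if flags & 0x000F or an == 0:                    # RCODE set (e.g. NXDOMAIN) or no answer
        return None
    pos = 12
    for _ in range(qd):                              # skip the question section
        pos = read_name(response, pos)[1] + 4
    pos = read_name(response, pos)[1]                # skip the answer's owner name
    rtype, _, _, _ = struct.unpack("!HHIH", response[pos:pos + 10])
    return read_name(response, pos + 10)[0] if rtype == 12 else None

# Constructed sample: 192.168.0.10 is a made-up server address. RESPONSE carries a
# PTR record naming it merry.christmas; NXDOMAIN is the reply when no PTR exists.
QUERY = build_ptr_query("192.168.0.10")
ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 12, 1, 3600, 17) + encode_name("merry.christmas")
RESPONSE = QUERY[:2] + struct.pack("!HHHHH", 0x8580, 1, 1, 0, 0) + QUERY[12:] + ANSWER
NXDOMAIN = QUERY[:2] + struct.pack("!HHHHH", 0x8583, 1, 0, 0, 0) + QUERY[12:]
```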