
It was tough for me to think of a title for this question, so please bear with me.

My laptop running Windows 8.1 Pro connects to my home network using a wireless router/gateway that also provides Internet access. The IP address of my router/gateway is 192.168.0.254. The router/gateway uses a Windows Server 2012 R2 machine at 192.168.0.1 as its DNS server. The Windows DNS server uses 8.8.8.8 and 8.8.4.4 respectively. I use my laptop to connect to an L2TP/IPsec VPN hosted on a Linux instance in an Amazon VPC. The VPC's network is 10.0.0.0/16. All of this works perfectly--split tunneling using DHCP server static routes, communication with instances inside VPC, etc. However, I have noticed some strange route traces and I need to get to the bottom of what they mean.

My VPN connection has a registered DNS suffix--let's say mycompany.com. I am using Amazon Route 53 to resolve queries for *.mycompany.com. Again, all of this works. The problem is that route traces to hosts other than *.mycompany.com are showing an Amazon host as somehow being involved in the routing!

Here's an example of a route trace I think is correct. Note the latency, indicating packets are traveling over the WAN as expected. Also note the IP address 172.16.0.0, which is the IP address of the VPN server's TAP interface, and which is also used by the DHCP server and NAT:

> tracert someinstance.mycompany.com

Tracing route to someinstance.mycompany.com [10.0.1.5]
over a maximum of 30 hops:
  1    86 ms    86 ms    87 ms  ip-172-16-0-0.us-west-2.compute.internal [172.16.0.0]

Here's an example of a strange route trace:

> tracert google.com

Tracing route to google.com [173.194.33.166]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  ip-192-168-0-254.us-west-2.compute.internal [192.168.0.254]

What's strange is ip-192-168-0-254.us-west-2.compute.internal, specifically 192-168-0-254... That's the IP address of my home router! Also note the latency of less than 1 ms.

And finally, the output of `route print`:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.0.254    192.168.0.113     10
         10.0.0.0      255.255.0.0         On-link      172.16.0.163     11
     10.0.255.255  255.255.255.255         On-link      172.16.0.163    266
       <redacted>  255.255.255.255    192.168.0.254    192.168.0.113     11
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
       172.16.0.0      255.255.0.0          1.0.0.1     172.16.0.163     11
     172.16.0.163  255.255.255.255         On-link      172.16.0.163    266
      192.168.0.0    255.255.255.0         On-link     192.168.0.113    266
    192.168.0.113  255.255.255.255         On-link     192.168.0.113    266
    192.168.0.255  255.255.255.255         On-link     192.168.0.113    266
    192.168.137.0    255.255.255.0         On-link     192.168.137.1    261
    192.168.137.1  255.255.255.255         On-link     192.168.137.1    261
  192.168.137.255  255.255.255.255         On-link     192.168.137.1    261
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.0.113    266
        224.0.0.0        240.0.0.0         On-link     192.168.137.1    261
        224.0.0.0        240.0.0.0         On-link      172.16.0.163    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.0.113    266
  255.255.255.255  255.255.255.255         On-link     192.168.137.1    261
  255.255.255.255  255.255.255.255         On-link      172.16.0.163    266

<redacted> is the public IP address of my VPN server.

What's going on here? Why is an Amazon hostname being constructed with my local gateway's IP address? Is something wrong with my VPN connection or is this all normal?

NathanAldenSr

1 Answer


Everything seems normal.
When you trace someinstance.mycompany.com the routing travels via VPN as specified in this rule:

    10.0.0.0      255.255.0.0         On-link      172.16.0.163     11

while when you trace anything outside the VPN, it uses instead the normal gateway set by this rule:

    0.0.0.0          0.0.0.0    192.168.0.254    192.168.0.113     10

so the 1st hop of the trace will be your gateway address (your router).

About the name resolution, from the information you posted, I think it is not possible to tell whether your internal DNS or hosts file is able to resolve both your VPN IP and your default gateway (your router). I suggest you look at the hosts file and the zones of your DNS for that.

SteDf
  • I think what may be happening here is `tracert` is detecting--correctly--that the first hop is my router/gateway at `192.168.0.254`. Then, it does a reverse lookup in an attempt to discover the host name. The reverse lookup fails with Google's DNS (obviously), so it's then tried over Amazon's DNS (`10.0.0.2`) through my VPN. Amazon's DNS appears to resolve pretty much every IP to a hostname that includes the IP number. In other words, my routes are perfect--it's just `tracert` trying to be helpful. :) – NathanAldenSr Feb 26 '15 at 14:54
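The two points made above (the answer's longest-prefix route selection and the comment's observation that the hop name is just the address re-spelled by the EC2 resolver) can be checked offline against the posted `route print` rows. This is an added example, not code from the question or answer; the route rows are copied from the post and the `ip-a-b-c-d.<region>.compute.internal` pattern is taken from the traces shown.

```python
import ipaddress
import re

# Constructed sample input: the rows of the question's "route print" output
# that decide the two traces (copied from the post, whitespace as printed).
ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0    192.168.0.254    192.168.0.113     10
         10.0.0.0      255.255.0.0         On-link      172.16.0.163     11
       172.16.0.0      255.255.0.0          1.0.0.1     172.16.0.163     11
      192.168.0.0    255.255.255.0         On-link     192.168.0.113    266
"""

def parse_routes(text):
    """Turn 'Destination Netmask Gateway Interface Metric' rows into tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip header and separator lines
        dest, mask, gw, iface, metric = parts
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes

ROUTES = parse_routes(ROUTE_PRINT)

def egress(routes, dst):
    """Pick the route the stack uses: longest prefix first, then lowest
    metric. Returns (gateway, interface) as printed by route print, or None."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    net, gw, iface, _ = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return gw, iface

# Per the comment above, the EC2 resolver answers PTR queries with a name that
# is just the address re-spelled, so such a name says nothing about the hop.
SYNTHETIC_PTR = re.compile(
    r"^ip-(\d+)-(\d+)-(\d+)-(\d+)\.[a-z0-9-]+\.compute\.internal$")

def is_synthetic_aws_ptr(hostname, hop_ip):
    """True when the tracert hostname is only hop_ip in 'ip-a-b-c-d' form."""
    m = SYNTHETIC_PTR.match(hostname)
    return bool(m) and ".".join(m.groups()) == hop_ip

if __name__ == "__main__":
    print("10.0.1.5 ->", egress(ROUTES, "10.0.1.5"))              # VPN adapter
    print("173.194.33.166 ->", egress(ROUTES, "173.194.33.166"))  # home router
    print(is_synthetic_aws_ptr("ip-192-168-0-254.us-west-2.compute.internal",
                               "192.168.0.254"))                  # True
```

Running it shows 10.0.1.5 leaving on the 172.16.0.163 VPN adapter and 173.194.33.166 going to 192.168.0.254 on the LAN adapter, exactly the two first hops in the traces.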