
I have a very small company with just 1 server, a Windows Server 2008 R2, serving as an AD DS, DNS, WINS, DHCP, and now RRAS VPN. Not ideal, but it's what I have.

I recently turned on routing and remote access and established VPN access to the network. It's a PPTP connection, Win 7 client, that is working fine; it authenticates and routes and uses the DHCP server to get IP info.

Here are the issues I'm experiencing when trying to look up names for computers on the network from a remote client; ping, for example, returns "Ping request could not find host xxxx". I am able to ping those clients by IP address, so it's not a routing issue.

1) Failure with DNS: I have a DNS zone set up on the server, with a FQDN, "example.com", which works perfectly in the office. DHCP issues the address to this server, and adds the domain suffix "example.com". However, when using it from a remote client, it forwards the DNS request to a root server and returns the "@.example.com" external IP address. Used NSLookup and confirmed: on-site, the DNS lookup stays local; off-site client, correct DNS server, but it forwards the query rather than resolving it. (SERVFAIL error in the DNS log)

2) Failure with WINS: The same server is running WINS, and appears to be working great. It's getting updates from the computers on the network including the RAS clients. Confirmed WINS server address is being delivered by DHCP to all clients. Also, RAS client does not have any other WINS servers.

3) NetBIOS -- Not an option, not routable, obsolete. Could use a host file, but that would not be ideal; but more importantly, DNS and WINS should both be working!

Thank you for your time and consideration, it's greatly appreciated!!

UPDATE #1

By manually changing the routing tables on the client, "Route Delete 0.0.0.0" and adding the default gateway on the internal VPN network, it resolves names properly for both internal and external names. Here's the route table:

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1    192.168.10.56     11

However, when I set the "Use default gateway on remote network" option, in the IPv4 settings for the VPN client, the route print line looks like this:

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.141   4236
          0.0.0.0          0.0.0.0      On-Link        192.168.10.55     11

and it does not route to the internet. I'm guessing this is probably a configuration error on the RRAS. Any ideas?

h0ckey09
  • Do you push your internal DNS when they connect in VPN? – yagmoth555 Jul 13 '15 at 15:31
  • How are you assigning ip addresses to the VPN clients, with DHCP or a RRAS pool? What DNS server(s) does the RRAS server itself use? – joeqwerty Jul 13 '15 at 15:46
  • The remote clients are using the same DHCP server and settings as the internal clients, not using the RRAS pool. I have the DHCP relay agent setup in RRAS. The RRAS uses the same single DNS server on the network, itself. – h0ckey09 Jul 13 '15 at 16:04
  • Internally, do you push 2 DNS servers to your clients? Best practice is to push only the AD's one, not a second one from the ISP. – yagmoth555 Jul 13 '15 at 17:58
  • I only push the one DNS server. I set up the DNS service with the two ISP DNS servers as forwarding servers. – h0ckey09 Jul 13 '15 at 18:04
  • Is the issue present for any and all remote clients? Did you try different remote locations? – Paolo Jul 13 '15 at 18:46
  • It's clear: the computer uses its Wi-Fi, etc., DNS to resolve your enterprise DNS names. http://blogs.technet.com/b/rrasblog/archive/2009/03/17/remote-access-design-guidelines-part-4-ip-routing-and-dns.aspx and make the traffic use that VPN interface by default. If that answers you, let me know, and I will rewrite it correctly as an answer. As, if the default route points to the Wi-Fi, anything gets out by there, and the computer does not know that this is a DNS entry for your VPN side (as it gets a DNS answer, so it does not try in the VPN). – yagmoth555 Jul 13 '15 at 18:58
  • @Paolo, thanks for the suggestion. I did set up a connection (wired) on my home PC. It resolved all names to the external IP. I removed the domain suffix "example.com" from the DNS settings too, as a test, and it could only resolve the server's name. However, it resolved it to the bridge IP address, not its configured IP address. As I understand it, RRAS creates a bridge called "internal" that it uses to bridge the two networks. (Go to the "Details" tab of the connection properties while connected, and it's the "Server IPv4 Address" which it resolved.) – h0ckey09 Jul 13 '15 at 19:14
  • @yagmoth555 -- You're right, I was able to "route delete", "route add" the default gateway through the VPN, and it resolved the names correctly. However, do you know why WINS isn't working since it's the only WINS registration it has? Or which service gets priority in names resolution DNS or WINS? Thanks – h0ckey09 Jul 13 '15 at 19:37
  • Hi, as it gets a DNS answer via its default route, it stops the lookup there. It never asks in your VPN tunnel. RRAS seems to have a setting to make the client use the VPN by default, not the local internet (or a quick fix would be to script something to set your DNS on its local internet connection). – yagmoth555 Jul 13 '15 at 19:40
  • @yagmoth555 - When I set the "Use default gateway on remote network" setting, I figured it would do the same as the route delete / route add... It actually doesn't route to the internet at all anymore. DNS lookup works for both internal and external names. Here's the route print: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.141 4236 0.0.0.0 0.0.0.0 On-link 192.168.10.55 11 – h0ckey09 Jul 13 '15 at 19:49
  • It's the solution you did like I told you, but I think you can enforce that policy on the server directly. It will protect your sensitive data too when a user connects by VPN. – yagmoth555 Jul 14 '15 at 01:04
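The two route tables in UPDATE #1 already tell most of the story, and the following added example (not from the original post or from RRAS) models how Windows picks a route from them: longest matching prefix first, then the lowest metric among those, with "On-link" meaning the destination is handed directly to that interface. With "Use default gateway on remote network" enabled, the on-link 0.0.0.0 route on the VPN adapter (metric 11) beats the home LAN's default (metric 4236), so every non-local packet, including DNS queries to the ISP, enters the tunnel; whether it ever reaches the internet then depends on the RRAS server forwarding or NATing it, which no client-side table can show. Without that option, only the VPN subnet goes through the tunnel and the ISP resolver answers for "example.com" first. The 0.0.0.0 rows are quoted from the post; the 192.168.1.0/24 and 192.168.10.0/24 on-link rows, and the probe addresses, are constructed assumptions so that each table is complete enough to route against.

```python
"""Model Windows IPv4 route selection over `route print` output.

Added example, not part of the original post. Windows selects the route with
the longest matching prefix, then the lowest metric; 'On-link' means the
destination is reached directly on that interface. The default-route rows are
quoted from UPDATE #1; the subnet on-link rows are constructed assumptions.
"""
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "network gateway interface metric")

# Constructed: split tunnel before any manual route changes. The default route
# stays on the home LAN (192.168.1.1); the VPN adapter (192.168.10.56, as in the
# post's first table) only carries the classful 192.168.10.0/24 route.
SPLIT_TUNNEL = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.141   4236
      192.168.1.0    255.255.255.0          On-link    192.168.1.141   4236
     192.168.10.0    255.255.255.0          On-link    192.168.10.56     11
"""

# First two rows quoted from the post with "Use default gateway on remote
# network" enabled; the two subnet on-link rows are constructed.
FULL_TUNNEL = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.141   4236
          0.0.0.0          0.0.0.0          On-link    192.168.10.55     11
      192.168.1.0    255.255.255.0          On-link    192.168.1.141   4236
     192.168.10.0    255.255.255.0          On-link    192.168.10.55     11
"""


def parse_route_print(text):
    """Parse the five-column rows of the IPv4 route table; skip the header."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        # ipaddress accepts dotted netmasks, so "0.0.0.0/0.0.0.0" -> 0.0.0.0/0
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append(Route(network, gateway, iface, int(metric)))
    return routes


def select_route(routes, destination):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def next_hop(route, destination):
    """On-link routes deliver to the destination itself on that interface."""
    return destination if route.gateway.lower() == "on-link" else route.gateway


def egress_summary(text, destinations):
    """Map each probe address to (interface, next hop, metric) for a table."""
    routes = parse_route_print(text)
    summary = {}
    for dst in destinations:
        route = select_route(routes, dst)
        summary[dst] = (route.interface, next_hop(route, dst), route.metric) if route else None
    return summary


if __name__ == "__main__":
    # Constructed probes: an internal host behind the VPN and a public resolver.
    probes = ["192.168.10.20", "8.8.8.8"]
    for name, table in (("split tunnel", SPLIT_TUNNEL), ("full tunnel", FULL_TUNNEL)):
        print(name)
        for dst, (iface, hop, metric) in egress_summary(table, probes).items():
            print(f"  {dst:15} -> interface {iface:15} next hop {hop:15} metric {metric}")
```

Running it shows 8.8.8.8 leaving via 192.168.1.141 (next hop 192.168.1.1) in the split-tunnel table and via the VPN adapter 192.168.10.55 in the full-tunnel table, while 192.168.10.20 goes through the tunnel in both. The internal subnet is reachable either way, so the difference the poster saw is about which path public traffic takes, not about reaching the server. Note also that the Windows 7 DNS client does not consult the route table to choose a resolver; it queries the DNS servers of its preferred adapter first, which is why the split-tunnel case gets an answer from the ISP before the tunnel is ever tried.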

0 Answers