I'm at work connected to workdomain.com
I use a client VPN connection to connect to homelab.com
Now if I run ipconfig /all, I get:
Windows IP Configuration
Host Name . . . . . . . . . . . . : WORKSTATION
Primary Dns Suffix . . . . . . . : workdomain.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : workdomain.com
homelab.com
Ethernet adapter VPN Client: (virtual NIC)
Connection-specific DNS Suffix . : homelab.com
Description . . . . . . . . . . . : VPN Client Adapter
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.homelab.69(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 192.168.homelab.router
DHCP Server . . . . . . . . . . . : 192.168.homelab.dnsserver
DNS Servers . . . . . . . . . . . : 192.168.homelab.dnsserver
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Local Area Connection: (physical NIC)
Connection-specific DNS Suffix . : workdomain.com
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.workdomain.169(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 192.168.workdomain.dnsserver
DNS Servers . . . . . . . . . . . : 192.168.workdomain.dnsserver
NetBIOS over Tcpip. . . . . . . . : Enabled
But now, if I nslookup workdomain.com, I get:
Server: UnKnown
Address: 192.168.homelab.dnsserver
Non-authoritative answer:
Name: workdomain.com
Address: 63.230.public.ip
Since I am connected to both workdomain.com and homelab.com, I was expecting the DNS subsystem to be smart enough that it could say "Hey, I'm connected directly to the network that manages that server! I could ask their DNS server directly, and get an authoritative answer!" (This would give me the internal IP address for that server.)
It seems what is happening, though, is that it's sending the query through the VPN pipe to dns.homelab.com, which then forwards it out to WAN DNS, which then responds with the non-authoritative public IP for workdomain.com.
I know even with multiple DNS servers configured, it is normal that a client will choose a single one, send its DNS query, and even if the server responds that it could not be found, it will accept the answer and not try any other DNS servers it may have configured.
But, if I try nslookup workdomain.com dns.workdomain.com, I get:
Server: dns.workdomain.com
Address: 192.168.workdomain.dnsserver
Name: workdomain.com
Address: 192.168.workdomain.dnsserver
(this is what I was expecting, what I want to happen!)
My questions are:
Is this the expected behavior of DNS clients on multiple domains, with multiple DNS search suffixes configured? Is it normal that even when connected directly to the workdomain.com network, with the domain search suffix listed in the DNS Suffix Search List, my client machine still routes its DNS query to dns.homelab.com? Why doesn't it recognize it's already on that network and try to get an authoritative answer?
Is there a configuration that will make my workstation use the local DNS server for *.workdomain.com queries? This is the behavior I was expecting. I'm studying for exams on this, so it's as important for me to understand why as it is to know how to change it.
Does the client VPN connection change WORKSTATION's preference of DNS server? If so, that may be OK for me. I'm trying to ensure our field service technicians can connect to our network from a customer site (which will likely have its own domain suffix). If the client VPN connection automatically assumes the DNS server at the end of the pipe as priority, they should have no problem connecting to our internal resources.
Thank you! Thank you!
I'm running Win 7 SP1 Ultimate build 7601 on WORKSTATION.workdomain.com, btw.
EDIT:
So, I gave one scenario where this behavior could be an issue. You've already got our first use-case: a field service technician at a customer site needs to access both internal customer domain resources and our resources here through a VPN client connection, but customer-domain DNS requests are being routed around the WAN.
But now let me offer another use-case that could have some more meaning to you! Say I'm back at home now connected to homelab.com and have my own personal resources I like to run, say an unsecured Wiki web server on port 80, and a media server with SMB file shares and FTP and such. Now for my own personal privacy, I use a 3rd-party VPN service for my WAN connection. Now, I want to be able to access the internet securely & privately through the VPN, however I definitely do not want my DNS requests for server.homelab.com or even ftp.homelab.com (!) routed around the internet for who knows who to see!!
There's gotta be a way for the DNS or TCP/IP subsystems to be smart enough to prefer a direct LAN connection over a client VPN connection. Or, and this was my first question, is this expected behavior here??
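The comparison the question does by hand with nslookup (ask whatever server the default resolver picks, then ask the DNS server of the adapter that owns the suffix, and see whether the two answers differ) can be automated for every adapter at once. The script below is an added example, not code from the original question or its comments. It assumes the DnsClient and NetTCPIP PowerShell modules, which ship with Windows 8 / Server 2012 and later rather than the Windows 7 machine described, and it treats each adapter's first IPv4 DNS server and first non-link-local IPv4 address as the on-link reference. The "internal" flag is a heuristic that only checks whether the answer falls inside that adapter's own subnet, which is what the question's nslookup output shows for workdomain.com.

```powershell
# Added diagnostic (not from the original post): for each adapter that carries a
# connection-specific DNS suffix, resolve that suffix via the adapter's own DNS server
# and via the system default, then flag suffixes whose default answer bypasses the
# adapter. Requires the DnsClient / NetTCPIP modules (Windows 8 / Server 2012+).

function ConvertTo-UInt32 {
    # Big-endian IPv4 address -> unsigned 32-bit integer, for prefix masking.
    param([System.Net.IPAddress]$Ip)
    $bytes = $Ip.GetAddressBytes()
    [Array]::Reverse($bytes)
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPInPrefix {
    # True when $Address lies in the same /PrefixLength network as $Network (IPv4 only).
    param([string]$Address, [string]$Network, [int]$PrefixLength)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $PrefixLength))
    $net  = [System.Net.IPAddress]::Parse($Network)
    return (((ConvertTo-UInt32 $ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask))
}

function Get-AdapterDnsView {
    # One row per adapter that has a connection-specific suffix, an IPv4 DNS server
    # and a usable IPv4 address (link-local 169.254.x.x addresses are skipped).
    foreach ($client in Get-DnsClient | Where-Object { $_.ConnectionSpecificSuffix }) {
        $servers = (Get-DnsClientServerAddress -InterfaceIndex $client.InterfaceIndex `
                        -AddressFamily IPv4).ServerAddresses
        $addr = Get-NetIPAddress -InterfaceIndex $client.InterfaceIndex -AddressFamily IPv4 `
                    -ErrorAction SilentlyContinue |
                Where-Object { $_.IPAddress -notlike '169.254.*' } | Select-Object -First 1
        if (-not $servers -or -not $addr) { continue }
        [pscustomobject]@{
            Interface = $client.InterfaceAlias
            Suffix    = $client.ConnectionSpecificSuffix
            DnsServer = $servers[0]
            Network   = $addr.IPAddress      # masked by Test-IPInPrefix, so host bits are fine
            Prefix    = $addr.PrefixLength
        }
    }
}

function Resolve-FirstA {
    # First A record for $Name, optionally from a specific server; $null on failure.
    param([string]$Name, [string]$Server)
    $args = @{ Name = $Name; Type = 'A'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $args['Server'] = $Server }
    Resolve-DnsName @args | Where-Object { $_.Type -eq 'A' } |
        Select-Object -First 1 -ExpandProperty IPAddress
}

function Compare-SuffixResolution {
    # $Names: extra names to check (e.g. 'server.homelab.com'); each is tested only
    # against the adapter whose suffix it ends with. With no names, each adapter's
    # own suffix is resolved, mirroring "nslookup workdomain.com" in the question.
    param([string[]]$Names)
    foreach ($a in @(Get-AdapterDnsView)) {
        $targets = if ($Names) { $Names | Where-Object { $_ -like "*$($a.Suffix)" } } else { @($a.Suffix) }
        foreach ($name in $targets) {
            $onLink  = Resolve-FirstA -Name $name -Server $a.DnsServer
            $default = Resolve-FirstA -Name $name
            $verdict = if (-not $default)               { 'no answer from default resolver' }
                       elseif (-not $onLink)            { 'on-link server gave no answer' }
                       elseif ($onLink -ne $default)    { 'default resolver bypasses this adapter' }
                       else                             { 'ok' }
            [pscustomobject]@{
                Name           = $name
                Interface      = $a.Interface
                OnLinkServer   = $a.DnsServer
                OnLinkAnswer   = $onLink
                DefaultAnswer  = $default
                OnLinkInternal = if ($onLink) { Test-IPInPrefix $onLink $a.Network $a.Prefix } else { $false }
                Verdict        = $verdict
            }
        }
    }
}

# Usage: run with no arguments to check every adapter's own suffix, or pass host names.
Compare-SuffixResolution | Format-Table -AutoSize
# Compare-SuffixResolution -Names 'server.homelab.com', 'ftp.homelab.com' | Format-Table -AutoSize
```

In the situation described in the question, the workdomain.com row would show an OnLinkAnswer inside the LAN subnet, a DefaultAnswer that is the public address, and the verdict "default resolver bypasses this adapter"; once the resolver actually prefers the on-link server, the two columns match and the row reads "ok". Re-running it after a VPN connect or disconnect is a quick way to see which adapter's DNS server the client has started preferring.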
I would try removing your generic DNS search list and use connection specific suffixes. If the machine is on a domain you'll find that suffix remains, but remove what you can. If this works I'll explain what's happening – roaima – 2015-07-21T20:23:23.227
Haven't configured any other DNS suffix names myself. As far as I can tell I only have the "Connection-specific DNS Suffix"es which came from the DHCP servers. If I ipconfig /release then ipconfig /renew, I can see all the DNS suffixes go away, then come back again new from the DHCP server. There are other options under DNS I don't fully understand: [checkbox] "Append parent suffixes of the primary DNS suffix" Wut? How can I tell which it thinks is the parent suffix, and which it thinks is the primary DNS suffix? – IT Bear – 2015-07-21T21:13:03.570
Could IP address conflicts from the remote network play any part here? Say if both networks operated on 192.168.1.x/24? – IT Bear – 2015-07-21T21:14:52.353