Common DNS Issues in VPN Networking

 

DNS issues comprise a major portion of connectivity problems related to ISA Server 2000 firewalls and VPN servers. ISA Server firewall/VPN servers and clients use DNS host name resolution to resolve both internal and external network names. While any discussion of DNS has the potential to become overly complex, there are some common DNS issues related to ISA Server firewall/VPN server clients that can be solved relatively easily.

 

We will discuss the following subjects in this ISA Server 2000 VPN Deployment Kit document:

 

  • VPN client DNS problems
  • VPN gateway DNS problems
  • Configuring an internal DNS server to resolve Internet DNS host names
  • Configuring a caching-only DNS server on the ISA Server firewall/VPN server
  • Configuring DNS settings on VPN and internal network clients

 

VPN Client DNS Problems

 

VPN client DNS name resolution issues include:

 

  • VPN clients unable to resolve internal network names
  • VPN clients unable to resolve Internet host names

 

VPN Clients Unable to Resolve Internal Network Names

 

Internal network names are computer and other device names on your internal network. VPN clients connect to the ISA Server firewall/VPN server with the goal of accessing resources on the internal network. VPN clients will not be able to access these resources using a DNS host name if the client cannot properly resolve that name to an IP address.

 

The following is a list of the most common internal network DNS name resolution problems and solutions encountered for VPN clients.

 

·         VPN clients not assigned DNS server address

 

VPN clients will not be able to resolve DNS host names on the internal network if they are not assigned a DNS server address by the ISA Server firewall/VPN server. In most cases, the VPN client already has a DNS server address assigned to it. However, that DNS server address does not resolve names on the corporate network because that DNS server is intended to resolve names on the network the VPN client computer is attached to before connecting to the ISA firewall/VPN server, or to resolve only Internet host names.

 

The solution to this problem is to configure the ISA Server firewall/VPN server to assign a DNS server address to the VPN clients. The ISA Server 2000 VPN Deployment Kit documents Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options and Configuring the Windows Server 2003 ISA Server 2000/VPN Server describe how to assign the addresses of DNS servers on the internal network that can resolve internal network DNS host names.

 

·         VPN client assigned incorrect DNS server address

 

The VPN client that cannot resolve internal network names may have been assigned an incorrect DNS server address. Check the DNS server address assigned to the VPN client. If an incorrect address was assigned to the client, make the appropriate correction at either the DHCP server or the internal interface of the ISA Server firewall/VPN server.

 

·         Split tunneling is enabled

 

Split tunneling is enabled when the VPN client is not required to use the VPN virtual PPP interface as its default gateway. This allows the VPN client to directly access both the Internet and the corporate network. When the VPN client is not configured to use the default gateway on the remote network, name resolution for internal network resources may fail.

 

The solution to this problem is to disable split tunneling and force firewall policy on the VPN clients using the procedures described in ISA Server 2000 VPN Deployment Kit document Forcing Firewall Policy on VPN Clients.

 

·         VPN client cannot resolve unqualified names

 

An unqualified DNS query is one where the query is for a computer name without the domain name. For example, the VPN client may wish to use the Web browser to access a Web server on the internal network. The user types in the URL http://SERVER1 and is unable to connect.

 

The DNS resolver software on the VPN client must be able to append a DNS suffix to the computer name before sending the name for resolution. If the resolver is unable to append a domain name, it will forward the unqualified request to the DNS server for resolution. Unless the DNS server is configured with a WINS referral zone that can resolve these kinds of unqualified requests, the name resolution attempt will fail and so will the connection.

 

*       Note:
Please refer to Configuring DNS client settings for more information on the Windows Server 2003 DNS resolver.

 

The VPN clients should be configured with a primary domain name that they can append to unqualified requests. There are several methods you can use to assign a domain name to the VPN client:

 

 

*       Note:
Please refer to How to Configure a Domain Suffix Search List on the Domain Name System Clients for more information on how to configure a DNS suffix search list on VPN client adapters.
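The following is an added example, not part of the ISA Server 2000 VPN Deployment Kit, that models how the Windows DNS client qualifies a name before sending it to a DNS server: a fully qualified name (trailing dot) is sent as is, a suffix search list replaces the primary suffix when one is configured, and without a search list the primary suffix is devolved. The zone data and the suffixes are constructed, and the resolver logic is a simplified model rather than the real client code.

```python
"""Model of Windows DNS client name qualification (primary suffix, suffix
search list, devolution).  Added example with constructed zone data; the
behaviour is a simplified model of the documented client logic."""

# Constructed stand-in for the records held by the internal DNS server.
INTERNAL_ZONE = {
    "server1.corp.internal.net.": "10.0.0.10",
    "exchange.corp.internal.net.": "10.0.0.11",
    "www.internal.net.": "10.0.0.20",
}


def is_fqdn(name):
    """A trailing dot marks a fully qualified name; it is sent unchanged."""
    return name.endswith(".")


def devolve(primary_suffix, min_labels=2):
    """Primary suffix followed by its parent domains, stopping at
    min_labels labels: corp.internal.net -> [corp.internal.net, internal.net]."""
    labels = primary_suffix.strip(".").split(".")
    out = []
    while len(labels) >= min_labels:
        out.append(".".join(labels))
        labels = labels[1:]
    return out


def candidate_names(name, primary_suffix="", search_list=None):
    """Names the resolver will try, in order.
    - fully qualified: only the name itself
    - a configured search list is used instead of the primary suffix
    - otherwise the primary suffix is appended, then devolved
    - a name that already contains a dot is also tried as typed, first
    - a single-label name with no suffix available goes out unqualified,
      which the page notes fails unless a WINS referral zone answers it
    """
    if is_fqdn(name):
        return [name.lower()]
    name = name.lower().rstrip(".")
    if search_list:
        suffixes = [s.strip(".") for s in search_list]
    elif primary_suffix:
        suffixes = devolve(primary_suffix)
    else:
        suffixes = []
    cands = []
    if "." in name:
        cands.append(name + ".")
    cands += ["%s.%s." % (name, s) for s in suffixes]
    if not cands:
        cands.append(name + ".")
    return cands


def resolve(name, primary_suffix="", search_list=None, zone=INTERNAL_ZONE):
    """Return (fqdn, address) for the first candidate the zone answers, else None."""
    for cand in candidate_names(name, primary_suffix, search_list):
        if cand in zone:
            return cand, zone[cand]
    return None


if __name__ == "__main__":
    # The user types http://SERVER1 with no suffix configured: the query fails.
    print("no suffix:", resolve("SERVER1"))
    # With a primary DNS suffix assigned to the VPN adapter the name resolves.
    print("with suffix:", resolve("SERVER1", primary_suffix="corp.internal.net"))
    # Devolution lets 'www' reach www.internal.net through the parent domain.
    print("devolved:", resolve("www", primary_suffix="corp.internal.net"))
```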

 

·         VPN client resolves internal network names to external addresses

 

Many organizations use the same domain name for internal and external network resources. For example, you may host a public server named www.internal.net. The server is accessible from the Internet by connecting to its public IP address. Internal network clients can also connect to the same server by using the same name, www.internal.net. When a VPN client tries to connect to www.internal.net, it is either unable to connect to the server by that name on the internal network, or it connects to the public server by the same name.

 

The problem is that the VPN client is trying to resolve internal network names using a public DNS server. This can happen when the VPN server assigns the VPN client a DNS server address that is not an internal network DNS server, or assigns no DNS server address at all.

 

The solution to this problem is to confirm that the VPN clients are assigned a DNS server address that can resolve internal network names.

 

VPN Clients Unable to Resolve Internet Host Names

 

·         VPN clients not assigned DNS server address

 

VPN clients depend on the ISA Server firewall to grant them access to the Internet when split tunneling is disabled, as described in ISA Server 2000 VPN Deployment Kit article Forcing Firewall Policy on VPN Clients. If VPN clients are granted access to the Internet via the ISA Server firewall, then the problem is related to the ISA Server firewall being unable to resolve Internet host names.

 

The solution is to configure the ISA Server firewall with a DNS server address that can resolve Internet DNS host names.

 

·         VPN clients assigned incorrect DNS server address

 

VPN clients may be assigned an incorrect DNS server address. This could be due to typing in an incorrect DNS server address on the internal interface of the ISA Server firewall/VPN server, or from typing the incorrect address in the DHCP scope option. The solution is to confirm that a correct DNS server address is assigned to the VPN clients.

 

·         VPN clients assigned to DNS server that cannot resolve Internet Host names

 

VPN clients may be assigned a valid DNS server address, but the DNS server is not correctly configured to resolve Internet host names. You may think the solution to this problem is to configure the VPN clients to use another DNS server or to correctly configure the internal DNS server to resolve Internet DNS host names, but this is not the case.

 

VPN clients with split tunneling disabled must use the ISA Server firewall to access the Internet, and the ISA Server firewall must resolve Internet names on behalf of the VPN clients. The solution to this problem is to configure the ISA Server firewall/VPN server to use a DNS server that can resolve Internet host names.

 

*       Note:
The procedure for configuring an internal network DNS server to resolve Internet DNS host names is described later in this ISA Server 2000 VPN Deployment Kit document.

 

·         ISA Server firewall/VPN Server configured with DNS server address that cannot resolve Internet host names

 

This is the core problem in all instances where the VPN clients are configured as Web Proxy or Firewall clients. Both Web Proxy and Firewall clients allow the ISA Server firewall/VPN server to resolve Internet DNS host names on their behalf. Please refer to ISA Server 2000 VPN Deployment Kit article Forcing Firewall Policy on VPN Clients for detailed instructions on how to configure the VPN clients as Firewall and Web Proxy clients.

 

VPN Gateway DNS Problems

 

DNS host name resolution problems in a VPN gateway to gateway configuration center around similar problems that are encountered with VPN clients:

 

  • Local and Remote network hosts cannot resolve internal network names
  • Local and Remote network hosts cannot resolve Internet host names

 

Local and Remote Network Hosts Cannot Resolve Internal Network Names

 

The following is a list of the most common internal network name DNS resolution problems and solutions encountered in VPN gateway to gateway link environments:

 

·         Network hosts are not configured with a DNS server address

 

Internal network hosts must be configured with a DNS server address that can resolve internal network names on both sides of the gateway to gateway VPN link. If hosts on the opposite side of the VPN gateway to gateway link belong to a different domain, then you will need to configure the internal network clients to use a DNS server that can resolve names for all internal network domains. You can use stub zones or zone delegation to accomplish this task, depending on the specifics of your internal network environment.

 

*       Note:
Please refer to Delegate the DNS Zone for the Windows Server 2003 Domain for more information on how to perform zone delegations. Please refer to Support WebCast: Microsoft Windows Server 2003 DNS: Stub Zones and Conditional Forwarding for more information on Windows Server 2003 stub zone configuration.

 

·         Network hosts configured with incorrect DNS server address

 

Internal network hosts may be configured with an incorrect DNS server address. Check that the address was typed in correctly and that the DNS server is able to resolve names for all internal network domains.

 

·         Network hosts are not configured with a DNS server that can resolve internal network names

 

Internal network hosts may have inadvertently been configured to use a DNS server that can only resolve Internet host names. This is most commonly seen when the internal network is based on the SecureNAT client configuration and the SecureNAT clients are configured to use the ISP’s DNS server for name resolution. The ISP’s DNS server has no knowledge of the internal network domain and cannot resolve names on your internal network.

 

The solution is to configure internal network clients with a DNS server address that can resolve both internal and external network names.

 

Local and Remote Network Hosts Cannot Resolve Internet Host Names

 

The following is a list of the most common Internet host name DNS resolution problems and solutions encountered in VPN gateway to gateway link environments:

 

·         Network hosts not assigned a DNS server address

 

Not all internal network clients need to be assigned a DNS server address. If the internal network hosts are not a member of a Windows 2000 or Windows Server 2003 domain, computers configured as Web Proxy and/or Firewall clients can have the ISA Server firewall/VPN server resolve Internet DNS host names on behalf of these clients and therefore they do not need a “hard coded” DNS server address.

 

SecureNAT clients must be configured with the address of a DNS server that can resolve Internet DNS host names. The reason is that the ISA Server firewall/VPN gateway will not resolve names on behalf of SecureNAT clients.

 

·         Network hosts not assigned a DNS server address that can resolve Internet host names

 

Internal network clients may be configured with a DNS server that is not configured to resolve Internet DNS host names, or the DNS server is incorrectly configured. The solution is to change the DNS server address on the clients to a DNS server that can resolve Internet host names or correct the configuration on the DNS server that should have been able to resolve the names.

 

·         ISA Server/VPN gateway registers its virtual IP address in the dynamic DNS

 

If the ISA Server firewall/VPN server is also configured as a domain controller or dynamic DNS server, then the virtual PPP adapter interface address will be registered in the DNS for the name of the ISA Server firewall/VPN server. This can prevent Internet access by Web Proxy and Firewall clients because these ISA Server client types depend on name resolution to contact the ISA Server firewall/VPN server for outbound access to the Internet.

 

*       Note:
Please refer to Routing and Remote Access IP Addresses Register in DNS and Name Resolution and Connectivity Issues on Windows 2000 Domain Controller with Routing and Remote Access and DNS Installed for more details on this problem.

 

Configuring an Internal DNS Server to Resolve Internet Host Names

 

An existing DNS server can be configured to resolve Internet DNS host names for internal network clients. DNS security best practices dictate that internal network DNS servers should avoid direct contact with Internet DNS servers. This is especially the case when internal network DNS servers host resource records for the internal network domains.

 

You can configure internal DNS servers to resolve Internet host names and avoid contact with external DNS servers by configuring them to use the ISA Server firewall/VPN server as a DNS forwarder. We will discuss configuring the internal network DNS server to use the ISA Server firewall/VPN server as a DNS forwarder in this ISA Server 2000 VPN Deployment Kit document.

 

*       Note:
In this example the internal network DNS server is located on an internal network domain controller. It is particularly important for a DNS server co-located on an internal domain controller to avoid direct contact with an Internet DNS server.

 

1.       Click Start and point to Administrative Tools. Click on the DNS entry in the Administrative Tools menu. In the DNS Management console, click on your server name, then right click on the server name. Click on the Properties command (figure 1).

 

Figure 1 (fig139)

 

2.       In the server Properties dialog box, click on the Interfaces tab (figure 2). It’s important that you have explicit knowledge of the IP address on which the DNS server answers DNS queries.

 

The best way to accomplish this goal is to select the Only the following IP addresses option. Review the list of IP addresses and remove all addresses except for the primary IP address bound to the interface on this server. In this example all IP addresses have been removed except for the 10.0.0.2 entry. Use the Remove button to remove any IP addresses that you do not want on the list.

 

Figure 2 (fig140)

 

3.       Click on the Forwarders tab (figure 3). You can configure a DNS forwarder address on the Forwarders tab. Enter the IP address of the DNS forwarder you want to use in the Select domain’s forwarder IP address list text box, then click the Add button to add it to the list of DNS forwarders.

 

The DNS forwarder can be your ISP’s DNS server or your ISA Server firewall/VPN server if it has been configured as a caching-only DNS forwarder. In this example we will configure this DNS server located on the domain controller to use the ISA Server firewall/VPN server as a DNS forwarder. Later in this ISA Server 2000 VPN Deployment Kit document we will configure the ISA Server firewall/VPN server to be a caching-only DNS server.

 

Put a checkmark in the Do not use recursion for this domain checkbox. When you select this option, you place the entire responsibility for Internet DNS host name resolution on the forwarder. If the forwarder cannot resolve the name, then the name resolution failure is communicated to the client system that issued the DNS query.

 

If you allow recursion, then this DNS server will try to resolve the name itself after it receives the name resolution failure message from its forwarder. It is unlikely that this internal DNS server will be able to resolve the name if the forwarder cannot, and allowing this DNS server to perform recursion after the forwarder fails to do so can slow down the return of DNS name resolution failure messages to DNS clients on the internal network.

 

Figure 3 (fig141)

 

4.       Click on the Advanced tab (figure 4). Notice there is a Server options entry named Disable recursion (also disables forwarders). This entry has quite a different meaning than the Do not use recursion for this domain option we saw in the figure above.

 

Do not select the Disable recursion (also disables forwarders) option. If you select this option, then this DNS server could not resolve Internet DNS host names and could only return answers for domains that it is authoritative for. The Disable recursion (also disables forwarders) option is a good option to select when you are publishing a public DNS server as part of a split DNS infrastructure, but it is not a viable option when you want to use this DNS server to resolve Internet DNS host names.

 

*       Note:
A split DNS infrastructure allows you to return different IP addresses to public and private network hosts for the same resources that are under your administrative control. The split DNS infrastructure is beyond the scope of this ISA Server 2000 VPN Deployment Kit article. For more information on split DNS design, please refer to this TechNet DNS Infrastructure Design article.

 

Figure 4 (fig142)

 

5.       Click on the Root Hints tab (figure 5). On the Root Hints tab you see the entries for the Internet Root DNS servers. The DNS server uses this list of DNS server addresses to perform recursion. We recommend that you do not allow the internal network DNS server to perform recursion, so this list will not be used by this server to resolve Internet DNS host names.

 

Figure 5 (fig143)

 

6.       Click on the Monitoring tab (figure 6). Put a checkmark in the A simple query against this DNS server checkbox and click the Test Now button. You should see a Pass entry in the Simple Query column. Remove the checkmark in the A simple query against this DNS server checkbox and then put a checkmark in the A recursive query to other DNS servers checkbox. Click the Test Now button. You should see a Pass entry in the Recursive Query column.

 

The simple query tests whether the DNS server can resolve names for domains that it’s authoritative for. The Recursive query tests whether this server can resolve names, such as Internet DNS host names, for which this DNS server is not authoritative.

 

*       Note:
You should get Pass entries on the DNS tests if you have configured the DNS server to use your ISP’s DNS server as its forwarder and you have created a DNS query Protocol Rule to allow the DNS server to send outbound DNS queries to the Internet. If you are using the ISA Server firewall/VPN server as your DNS forwarder, and you have not yet configured the ISA Server firewall/VPN server as a caching-only DNS server, then your tests will fail. The tests will succeed after the caching-only DNS server is installed and configured on the ISA Server firewall/VPN server.

 

Figure 6 (fig144)

 

 

Configuring the ISA Server Firewall/VPN Server as a Caching-only Internet DNS Host Name Resolver

 

You may prefer to use the ISA Server firewall/VPN computer as your Internet DNS host name resolver. There are several advantages to using the ISA Server firewall/VPN server as your Internet DNS host name resolver:

 

·         You do not expose your internal network DNS servers to Internet traffic

 

You expose your private DNS servers to potential attack from Internet intruders when internal network DNS servers are used to resolve both internal and external network names. The most dangerous example is when the internal network DNS server is located on a domain controller. An optimal security configuration prevents external hosts from contacting any internal network domain controller and any DNS server authoritative for internal network DNS domains.

 

·         The ISA Server firewall/VPN server based DNS server contains no internal network host records

 

The DNS server located on the ISA Server firewall/VPN server is installed and configured as a caching-only DNS server. The caching-only DNS server is not authoritative for any zone on the internal or external network. This type of DNS server can use a forwarder, a forwarder and recursion, or recursion only, to resolve Internet DNS host names. The caching-only DNS server caches the results of the DNS query and returns the cached result to the next host making a request for the same Internet DNS host name.

 

*       Note:
DNS recursion involves multiple queries to Internet-based DNS servers, beginning with the Internet Root DNS Server addresses. These addresses are contained in the Root Hints file on the caching-only DNS server. Please refer to Windows Server 2003 Help for more information about caching-only DNS servers and DNS recursion.

 

·         The ISA Server firewall/VPN server based DNS server can resolve internal network names with the help of a stub zone

 

The ISA Server firewall/VPN server computer must be able to resolve both internal and external host names. The ISA Server component must be able to resolve Internet DNS host names on behalf of Firewall and Web Proxy clients. The ISA Server component must also be able to resolve internal network names in order to locate Active Directory domain controllers and other resources.

 

A modified caching-only DNS server can be configured with a DNS stub zone containing enough information about internal network domains to allow the ISA Server firewall to resolve internal and Internet host names for Web Proxy and Firewall clients.

 

The DNS stub zone contains only three resource records: a Name Server (NS) record, a Start of Authority (SOA) record, and a Host (A) record, sometimes referred to as a “glue” record. The glue record allows the DNS server to resolve the name associated with the NS record.

 

*       Note:
Stub zones have a number of uses. In the scenario discussed in this ISA Server 2000 VPN Deployment Kit document the stub zone is used to resolve names on the internal network. Please refer to Windows Server 2003 Help for more information on stub zones.

 

·         The ISA Server firewall/VPN server can use a forwarder, use a forwarder and perform recursion on its own, or perform recursion without the use of a forwarder

 

A forwarder is a DNS server that resolves names for another DNS server. The DNS server located on the ISA Server firewall/VPN server can be configured to use a DNS server, such as your ISP’s DNS server, to resolve Internet DNS host names for it. When the forwarder resolves the name, it sends the result to the DNS server on the ISA Server firewall/VPN server and the caching-only DNS server caches the result and sends the answer to the host on the internal network.

 

The caching-only DNS server can be configured to use a forwarder and perform recursion. When a caching-only DNS server that uses a forwarder is also allowed to perform recursion, it will attempt to resolve the name itself if the forwarder is not successful in resolving an Internet DNS host name. You usually do not want to allow the caching-only DNS server to perform recursion because it slows down the return of “host not found” errors to the internal network clients. However, you may consider this option if you do not trust the reliability of your forwarders.

 

You have the option to configure the caching-only DNS server located on the ISA Server firewall/VPN server to use recursion without the aid of a DNS forwarder. In this case, the caching-only DNS server uses the Root Hints file to query Internet Root Servers to resolve Internet DNS host names on its own. Allowing your DNS server to perform recursion can expose it to a large number of Internet-based DNS servers and may increase the risk of DNS related attacks.
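The following is an added example, not code from the ISA Server 2000 VPN Deployment Kit, that models the caching-only DNS server described in this section and the Do not use recursion for this domain option from the forwarder procedure above: internal names are answered through the stub zone's NS and glue records, everything else goes to the forwarder, and a forwarder failure falls through to recursion only when the forwarder-only setting is off. All server addresses, zones and answers are constructed, and recursion from the root hints is collapsed into a single query to a stand-in root server.

```python
"""Model of a caching-only DNS server with a stub zone, a forwarder and an
optional fallback to recursion.  Added example with constructed data."""

# Constructed stub zone for the internal domain: the three record types the
# page describes (SOA, NS, and the glue A record for the NS host).
STUB_ZONE = {
    "zone": "internal.net.",
    "SOA": "dc1.internal.net.",
    "NS": "dc1.internal.net.",
    "A": {"dc1.internal.net.": "10.0.0.2"},
}

# Constructed upstream servers keyed by IP, each with the answers it knows.
UPSTREAM = {
    "10.0.0.2": {"server1.internal.net.": "10.0.0.10",      # internal DNS on DC
                 "www.internal.net.": "10.0.0.20"},
    "192.0.2.53": {"www.example.com.": "203.0.113.80"},     # ISP forwarder
    "192.0.2.1": {"www.example.com.": "203.0.113.80",       # stand-in for the
                  "www.example.org.": "203.0.113.90"},      # root-hints path
}


def in_zone(name, zone):
    """True when name is the zone apex or a label underneath it."""
    return name == zone or name.endswith("." + zone)


class CachingOnlyDns:
    def __init__(self, forwarder, forwarder_only=True, stub=STUB_ZONE,
                 upstream=UPSTREAM, root_hints=("192.0.2.1",)):
        self.forwarder = forwarder
        self.forwarder_only = forwarder_only  # 'Do not use recursion' checked
        self.stub, self.upstream, self.root_hints = stub, upstream, root_hints
        self.cache = {}
        self.queries = []  # (server_ip, name) pairs sent upstream

    def _ask(self, server_ip, name):
        self.queries.append((server_ip, name))
        table = self.upstream.get(server_ip)   # None: server unreachable
        return None if table is None else table.get(name)

    def resolve(self, name):
        name = name.lower()
        if not name.endswith("."):
            name += "."
        if name in self.cache:
            return self.cache[name]
        if in_zone(name, self.stub["zone"]):
            # Stub zone: NS names the authoritative server, the glue A record
            # gives its address, so the query never touches the forwarder.
            answer = self._ask(self.stub["A"][self.stub["NS"]], name)
        else:
            answer = self._ask(self.forwarder, name)
            if answer is None and not self.forwarder_only:
                # Recursion allowed: after the forwarder fails, try root hints.
                for root in self.root_hints:
                    answer = self._ask(root, name)
                    if answer is not None:
                        break
        if answer is not None:
            self.cache[name] = answer
        return answer


if __name__ == "__main__":
    fw = CachingOnlyDns("192.0.2.53")
    print(fw.resolve("server1.internal.net"), fw.queries[-1])  # via stub zone
    print(fw.resolve("www.example.com"), fw.queries[-1])       # via forwarder
    print(fw.resolve("www.example.org"), len(fw.queries))      # forwarder-only: fails
    rec = CachingOnlyDns("192.0.2.53", forwarder_only=False)
    print(rec.resolve("www.example.org"), rec.queries)         # forwarder, then root
```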

 

This ISA Server 2000 VPN Deployment Kit document covers the following procedures that allow you to run a caching-only DNS server on the ISA Server firewall/VPN server:

 

·         Installing the DNS server service on the ISA Server firewall/VPN server

·         Creating the reverse lookup stub zone

·         Creating the forward lookup stub zone

·         Creating the DNS TCP port 53 packet filter on the ISA Server firewall/VPN server

 

Installing the DNS Server Service on the ISA Server Firewall/VPN Server

 

Perform the following steps on the ISA Server firewall/VPN server to configure the caching-only DNS server:

 

  1. Click Start and point to Control Panel. Click the Add or Remove Programs entry in the list. In the Add or Remove Programs window, click on the Add/Remove Windows Components button on the left side of the window (figure 7).

 

Figure 7 (fig100)

 

 

  2. In the Windows Components dialog box, select the Network Services entry in the Components list (but do not put a checkmark in the checkbox!). Then click the Details button (figure 8).

 

Figure 8 (fig101)

 

  3. In the Networking Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox. Click OK (figure 9).

 

Figure 9 (fig102)

 

  4. Click Next in the Windows Components dialog box (figure 10).

 

Figure 10 (fig1