[vpn-help] DNS server preference

lst_hoe02 at kwsoft.de lst_hoe02 at kwsoft.de
Wed Oct 6 02:29:12 CDT 2010


Quoting Matthew Grooms <mgrooms at shrew.net>:

> On 10/1/2010 3:15 PM, lst_hoe02 at kwsoft.de wrote:
>> Quoting Matthew Grooms <mgrooms at shrew.net>:
>>
>>> On 9/28/2010 3:40 PM, lst_hoe02 at kwsoft.de wrote:
>>>> Hello
>>>>
>>>> we would like to set a "preferred" internal DNS server for all VPN users to
>>>> resolve internal addresses and external ones. Unfortunately it seems
>>>> that after bringing up the VPN the DNS server assigned to the
>>>> Windows LAN interface is still used. This is especially annoying with providers
>>>> which lie about non-existing domains to redirect to some search page.
>>>>
>>>> Details:
>>>>
>>>> Client OS Windows XP-SP3 with ShrewSoft VPN Client 2.1.6 and a virtual
>>>> interface with manually assigned IP address and DNS server. No split DNS
>>>> or search suffix set. Name resolution by hand works fine across the
>>>> tunnel but, as said, the DNS server assigned by DHCP to the Windows LAN
>>>> interface is used first.
>>>>
>>>> Any chance to get the VPN DNS server preferred?
>>>>
>>>
>>> Hi Andreas,
>>>
>>> How do you have DNS configured on the client OS? Is "Append primary
>>> and connection specific DNS suffixes" or "Append these DNS suffixes (
>>> in order )" selected under the advanced TCP/IP settings DNS tab?
>>>
>>> -Matthew
>>
>> "Append primary and connection specific DNS suffixes" is set
>> (default) but all are empty. "Append these DNS suffixes" is
>> unchecked. The LAN interface is set by DHCP from an ADSL router
>> (default gateway, DNS proxy) with the NS pointing to the router device, which in
>> turn does NS lookups against the NS assigned by the DSL provider.
>>
>
> Andreas,
>
> Are you able to resolve DNS names that can only be resolved via the
> tunnel specific DNS server? If so, what leads you to believe that
> the system is resolving DNS names using the adapter's default DNS
> server?
>
> -Matthew

Hello

The problem arises with providers spoofing DNS answers, like German
T-Online. If a name does not exist in DNS, like
"name.internal.our.domain", they answer with an A record for their
search site instead of providing no answer. This leads to internal
systems being unreachable, because the second DNS (across the VPN) is
not asked in this case, as the first one already delivered a
(wrong) answer.
That's why I would like to force the DNS server across the VPN to be the
preferred one (e.g. asked first) or the only one used.

Many Thanks

Andreas
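As an added illustration (not code from this thread or from the Shrew Soft client), the following Python simulation models the resolver behaviour Andreas describes: a first-positive-answer-wins stub resolver, an upstream that rewrites NXDOMAIN into an A record, and two defender-side responses, routing the internal suffix only to the tunnel server and probing a server for NXDOMAIN rewriting. The zone "internal.example", the server functions and every address are constructed.

```python
"""Simulate the resolver behaviour described above (added example, not code
from the thread or the Shrew Soft client).  The zone "internal.example",
the server functions and every address below are constructed."""
from typing import Callable, Optional

# A DNS server is modelled as: name -> IPv4 address, or None for NXDOMAIN.
Server = Callable[[str], Optional[str]]

INTERNAL_SUFFIX = "internal.example"                      # constructed zone
INTERNAL_ZONE = {"fileserver.internal.example": "10.0.0.5"}
PUBLIC_ZONE = {"www.example.com": "192.0.2.10"}           # constructed
SEARCH_PORTAL = "198.51.100.1"                            # constructed

def vpn_dns(name: str) -> Optional[str]:
    """Tunnel DNS: authoritative for the internal zone, honest NXDOMAIN otherwise."""
    return INTERNAL_ZONE.get(name)

def hijacking_isp_dns(name: str) -> Optional[str]:
    """Provider DNS that never says NXDOMAIN: unknown names get the portal's A record."""
    return PUBLIC_ZONE.get(name, SEARCH_PORTAL)

def resolve_first_answer_wins(name: str, servers: list) -> tuple:
    """Stub resolver as the thread describes it: servers are asked in order and
    the first positive answer is final; a later server is only consulted after
    a negative answer (or timeout) from the earlier one."""
    for label, server in servers:
        answer = server(name)
        if answer is not None:
            return label, answer
    return None, None

def resolve_split_dns(name: str, tunnel: Server, default: Server) -> tuple:
    """Mitigation: queries under the internal suffix go only to the tunnel
    server, so a lying default server never sees (or answers) them."""
    if name == INTERNAL_SUFFIX or name.endswith("." + INTERNAL_SUFFIX):
        return "vpn", tunnel(name)
    return "isp", default(name)

def detect_nxdomain_hijack(server: Server) -> bool:
    """Defender's check: a name that cannot exist must come back NXDOMAIN.
    A positive answer means the server rewrites negative responses."""
    probe = "nxdomain-probe-7f3a2c.internal.example"      # constructed label
    return server(probe) is not None

if __name__ == "__main__":
    lan_first = [("isp", hijacking_isp_dns), ("vpn", vpn_dns)]
    print(resolve_first_answer_wins("fileserver.internal.example", lan_first))
    print(detect_nxdomain_hijack(hijacking_isp_dns), detect_nxdomain_hijack(vpn_dns))
```

With the LAN server first, the internal host resolves to the portal address and the tunnel server is never consulted; with split DNS the same query reaches only the tunnel server and a non-existent internal name correctly yields no answer.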
