[Vpn-help] 1.1.0 observation (bug? Maybe)

Peter Eisch peter at boku.net
Fri Oct 6 11:18:22 CDT 2006


> -----Original Message-----
> From: Matthew Grooms [mailto:mgrooms at shrew.net] 
> Sent: Thursday, October 05, 2006 1:39 PM
> To: Peter Eisch
> Cc: vpn-help at lists.shrew.net
> Subject: Re: [Vpn-help] 1.1.0 observation (bug? Maybe)
> 
> Peter Eisch wrote:
> > I'm able to reproduce this with certainty though the number or types
> > of actions I need to do on the client systems before it happens still
> > eludes me.
> > 
> > On a *nix box, the solution is to specifically replace the contents of
> > resolv.conf with what is received in the isakmp setup.  How does
> > windows manage different DNS servers on different interfaces?
> > 
> 
> Well, on windows the DNS settings are per adapter. But as far 
> as I know, when a new adapter becomes available the DNS 
> settings from that adapter are used exclusively. I don't 
> think it would fail over to another DNS adapter's configured 
> DNS server unless the virtual adapter's DNS server is unavailable.
> 
> > I can email full configs on client and server if you'd like.  No magic
> > or tricks on either side.  Server in this case is -current of
> > ipsec-tools as of yesterday.  That doesn't seem to be pertinent though
> > as it's the client that's generating the requests to the
> > "wrong" nameserver.
> >
> 
> The client will proxy a request and send it to a local DNS 
> server if split DNS is enabled. You said you have this 
> disabled right? It may be a logic error in the client where 
> if the 'Enable Split DNS' is checked, 'Obtain Automatically' 
> is checked and the server doesn't provide a Split Domain 
> suffix list, all requests are being proxied to the local DNS 
> server because the question section doesn't match a tunnel 
> specific DNS suffix.
> 
> Can you try removing all Split DNS related checks for the 
> site config, do an ipconfig /flushdns, re-connect and let me 
> know if it fares any better?
> 

Ok, back with these considerations some requests still leak back to the
LAN's DNS server.  I unchecked the related checkboxes for the "Enable Split
DNS" and did the /flushdns as noted.  Attached is the log, the config, and
the tcpdump of the requests that came out.  In this trace the queries to the
VPN's nameserver would have allowed it to talk to the domain controller's DNS
server (10.1.100.126).  When she dribbles out to the Internet nameserver
(204.130.132.3) for merom.VSI it totally loses its association to the
domain.  It would be good for this to never happen.

peter
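As an added illustration of the split-DNS forwarding logic Matthew describes above (not code from the Shrew Soft client), here is a small Python model of the resolver decision with the suspected failure mode beside the intended behaviour, plus a leak check over constructed query records. The resolver addresses and the merom.VSI name are taken from the thread; the function names, the "VSI" suffix list and the sample queries are assumptions.

```python
"""Model of the split-DNS decision from the thread plus a DNS-leak check.
Added example; not the Shrew Soft client's own code."""
from dataclasses import dataclass

TUNNEL_DNS = "10.1.100.126"   # domain controller's DNS behind the VPN (from thread)
LAN_DNS = "204.130.132.3"     # the LAN's Internet-facing resolver (from thread)


@dataclass(frozen=True)
class DnsQuery:
    qname: str    # name in the question section, e.g. "merom.VSI"
    dst_ip: str   # resolver the query was actually sent to (from a capture)


def under_suffix(qname, suffixes):
    """True when qname equals or is a subdomain of any suffix (case-insensitive)."""
    name = qname.lower().rstrip(".")
    for suffix in suffixes:
        s = suffix.lower().strip(".")
        if name == s or name.endswith("." + s):
            return True
    return False


def choose_resolver(qname, split_dns, suffixes, fixed=True):
    """Decide where a query goes. Split DNS off: everything to the tunnel.
    Split DNS on: names under a tunnel suffix go to the tunnel, the rest are
    proxied to the LAN resolver. The suspected logic error is the empty
    suffix list: with fixed=False nothing matches and every query leaks to
    the LAN; with fixed=True an empty list means 'no split', so all queries
    stay on the tunnel resolver."""
    if not split_dns:
        return TUNNEL_DNS
    if not suffixes:
        return TUNNEL_DNS if fixed else LAN_DNS
    return TUNNEL_DNS if under_suffix(qname, suffixes) else LAN_DNS


def find_leaks(queries, internal_suffixes):
    """Return queries for internal names that went anywhere but the tunnel
    resolver; this is the check one would run over the tcpdump output."""
    return [q for q in queries
            if under_suffix(q.qname, internal_suffixes) and q.dst_ip != TUNNEL_DNS]


# Constructed sample modelled on the capture described in the thread.
SAMPLE_QUERIES = [
    DnsQuery("dc1.VSI", TUNNEL_DNS),          # correct: internal name to tunnel
    DnsQuery("merom.VSI", LAN_DNS),           # leak: internal name to LAN resolver
    DnsQuery("www.example.com", LAN_DNS),     # fine: public name, not internal
]

if __name__ == "__main__":
    for q in find_leaks(SAMPLE_QUERIES, ["VSI"]):
        print("leaked internal query:", q.qname, "->", q.dst_ip)
```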
