[Vpn-help] DNS setting doesn't work in 2.0.0

Matthew Grooms mgrooms at shrew.net
Wed Sep 26 10:08:12 CDT 2007


Tai-hwa Liang wrote:
> Hi,
> 
>    I'm using ShrewVPN 2.0.0 on Windows XP to connect to an ipsec-tools-0.6.7
> FreeBSD gateway.  It turns out that after connecting to the gateway,
> the DNS settings are not updated:
> 
> C:\> ipconfig/all
> .
> .
> Ethernet adapter {0AE43808-97E4-4B98-8017-EC4A87E0CCCA}:
>  	Connection-specific DNS Suffix  . :
>  	Description . . . . . . . . . . . : Shrew Soft Virtual Adapter - 
> Packet Scheduler Miniport
>  	Physical Address. . . . . . . . . : AA-AA-AA-AA-AA-00
>  	Dhcp Enabled. . . . . . . . . . . : No
>  	IP Address. . . . . . . . . . . . : 192.168.123.2
>  	Subnet Mask . . . . . . . . . . . : 255.255.255.0
>  	Default Gateway . . . . . . . . . : 192.168.123.2
>  	Primary WINS Server . . . . . . . : 192.168.0.5
> 
>    As you may be aware, the WINS server (configured as "Obtained Automatically")
> address is correct but there is no "DNS Servers" in the aforementioned output
> even if I uncheck the "Obtained Automatically" box and specify "DNS Server 
> Address" manually.
> 

This is a side effect of having Split DNS enabled. Since the Windows DNS 
resolver has no concept of forwarding a request to a specific DNS server 
based on the Domain Name suffix, all requests must come from one 
adapter. The Shrew Soft DNS Transparent Proxy Daemon intercepts the DNS 
requests, examines them and forwards them to the appropriate DNS server.

There are a few drawbacks.

1) The VPN Client doesn't disable Split DNS when split domain suffixes 
are not supplied (automatically or manually). With this in mind, the 
DTPD service will never redirect any traffic to the tunnel specific DNS 
server if no domain suffixes are available to match.

2) Since the Shrew Soft client uses the public DNS server as the 
"primary" DNS interface when Split DNS is enabled, it can't set the 
Domain name suffix for the adapter. This is due to a Microsoftism where 
you have to down the adapter and bring it back up for these settings to 
take effect :/

To work around (1), add a Split DNS suffix that matches your default DNS 
domain.

To work around (1) & (2), disable Split DNS which allows a virtual 
adapter to be "primary" for DNS.

The situation will improve for the 2.1 release.

-Matthew
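The forwarding decision described in the reply above, as an added Python example that is not part of the original thread or of the Shrew Soft client or DTPD code. It builds a minimal DNS query in wire format, extracts the queried name the way a transparent proxy must, and then picks the upstream resolver: with Split DNS enabled, only a query whose name matches a configured suffix reaches the tunnel DNS server, so an empty suffix list reproduces drawback (1) and adding a suffix for the default domain is the workaround. The resolver addresses, suffix names and query names are constructed for illustration.

```python
"""Split DNS forwarding decision (added example, not Shrew Soft code)."""
import struct
from typing import List

# Constructed sample resolvers (assumptions, not values from the thread).
PUBLIC_DNS = "198.51.100.53"   # resolver reachable on the physical adapter
TUNNEL_DNS = "192.0.2.53"      # resolver supplied by the VPN gateway


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (header + one question) in wire format."""
    # flags 0x0100 = recursion desired; QDCOUNT=1, AN/NS/AR counts = 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN
    return header + question


def parse_qname(packet: bytes) -> str:
    """Extract the first question name from a DNS query packet."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are not valid in a query's question name.
            raise ValueError("unexpected compression pointer in query name")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()


def suffix_matches(qname: str, suffix: str) -> bool:
    """Match on label boundaries so 'corp.example' never matches 'badcorp.example'."""
    qname = qname.lower().rstrip(".")
    suffix = suffix.lower().strip(".")
    return qname == suffix or qname.endswith("." + suffix)


def select_server(packet: bytes, split_dns: bool, suffixes: List[str]) -> str:
    """Return the address the proxy would forward this query to.

    Split DNS enabled: the tunnel server is used only when a configured
    suffix matches, so with no suffixes every query goes to the public
    resolver (drawback 1 in the reply).
    Split DNS disabled: the virtual adapter is primary and every query
    goes to the tunnel server.
    """
    qname = parse_qname(packet)
    if not split_dns:
        return TUNNEL_DNS
    for suffix in suffixes:
        if suffix_matches(qname, suffix):
            return TUNNEL_DNS
    return PUBLIC_DNS


if __name__ == "__main__":
    q = build_query("host.corp.example")
    print("no suffixes   ->", select_server(q, True, []))
    print("with suffix   ->", select_server(q, True, ["corp.example"]))
    print("split disabled->", select_server(q, False, []))
```

The label-boundary check in `suffix_matches` is the detail worth keeping when writing any such rule: a plain string `endswith` would send queries for an unrelated domain that merely ends in the same characters to the tunnel resolver.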


