GeekMarine1972
Platform: Windows XP SP2
Configuration: Local network connection + MS VPN connection to remote
location (i.e. PPTP or L2TP using MS client / server).
Issue Summary:
Ipconfig shows 2 interfaces, local ethernet and VPN PPTP. Both show an
IP address considered local, both list DNS servers. The first interface
lists IP address 192.168.200.2, default gateway 192.168.200.1, DNS
server 192.168.200.1. It is connected to a home firewall / router that
proxies DNS requests (typical for most home use firewall / routers.
Obnoxiously, the DNS server on the firewall does not provide
configuration of DNS servers). So yes, the firewall is one source of
annoyance but not entirely. The second interface is a PPP adapter with IP
address 10.0.0.33, gateway 10.0.0.33 (typical for a VPN client), and
lists 2 DNS servers, 10.0.0.2 and 10.10.0.3.
The problem arises when a user enters ANY URL or runs NSLookup: the
first DNS servers queried are those tied to the local interface, not
the VPN. If the local adapter's DNS servers are not on the local
network, requests are still sent to them, but in many cases time out or
fail, and requests are then sent to the DNS servers tied to the VPN
adapter.
This causes issues with split DNS. If the local adapter's DNS queries
are sent to the firewall, which proxies them and sends back a response,
the result of the DNS query is the public IP address for a resource, when
the expectation is that DNS queries will go to the VPN DNS server first
and return the private IP address. Because the local adapter's DNS is
queried first, things like short-name resolution to access file shares
fail.
This appears to have broken in SP2 of Windows XP, with RASPPP.DLL
5.1.2600.2180 dated Tuesday, August 03, 2004, 11:56:44 PM.
Is there a registry hack to modify the resolver order? My current
workaround is to assign a non-local DNS server manually to the local
adapter and then set the timeout for DNS cache and DNS resolution down
to 1 second. It seems to function but is not really an attractive solution.
The obvious preference would be that the PPP adapter be treated as
local and its DNS entries treated as preferential.
If it makes any difference, the local adapter is wireless, but I am
fairly certain it behaves the same way on wired adapters.
Paul V.
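The following is an added example, not code from the poster: a small parser for the `ipconfig /all` layout the post describes, used to list each adapter's DNS servers and to show which servers get asked first under a given adapter order and which order would put the VPN's servers first. The sample `ipconfig /all` output is constructed to match the two adapters in the post (adapter names, the `home.lan` and `corp.example` suffixes and the field layout are assumptions). The ordering rule it models is only the one the post observes, namely that the servers of the first adapter are tried before the VPN adapter's servers; the order is assumed to follow the adapter binding order under Network Connections > Advanced > Advanced Settings, and the script does not claim to reproduce the full XP resolver timing algorithm.

```python
"""Parse Windows XP `ipconfig /all` output and show which DNS servers the
resolver asks first for a given adapter (binding) order.

Added example: not the poster's code. The ordering rule is the behaviour the
post describes (first adapter's servers before the VPN adapter's servers);
it is not a reimplementation of the XP resolver.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of `ipconfig /all` output; adapter names and DNS
# suffixes are assumptions, the addresses are the ones given in the post.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : laptop
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . : home.lan
        IP Address. . . . . . . . . . . . : 192.168.200.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.200.1
        DNS Servers . . . . . . . . . . . : 192.168.200.1

PPP adapter Office VPN:

        Connection-specific DNS Suffix  . : corp.example
        IP Address. . . . . . . . . . . . : 10.0.0.33
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 10.0.0.33
        DNS Servers . . . . . . . . . . . : 10.0.0.2
                                            10.10.0.3
"""

# "Ethernet adapter Wireless Network Connection:" -> kind, name
ADAPTER_RE = re.compile(r"^(\S.*?) adapter (.+):\s*$")
# "        DNS Servers . . . . . . . . : 10.0.0.2" -> key, value
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?)[ .]*: ?(.*)$")
# Extra DNS servers are printed on deeply indented continuation lines.
CONT_RE = re.compile(r"^\s{20,}(\S.*)$")


@dataclass
class Adapter:
    kind: str            # "Ethernet" or "PPP"
    name: str
    ip: str = ""
    gateway: str = ""
    suffix: str = ""
    dns: List[str] = field(default_factory=list)


def parse_ipconfig(text: str) -> List[Adapter]:
    """Return the adapters in the order ipconfig lists them."""
    adapters: List[Adapter] = []
    current: Optional[Adapter] = None
    last_key = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = Adapter(kind=m.group(1), name=m.group(2))
            adapters.append(current)
            last_key = None
            continue
        if current is None:          # still in the global header section
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).strip().lower(), m.group(2).strip()
            last_key = key
            if key == "ip address":
                current.ip = value
            elif key == "default gateway":
                current.gateway = value
            elif key == "connection-specific dns suffix":
                current.suffix = value
            elif key == "dns servers" and value:
                current.dns.append(value)
            continue
        m = CONT_RE.match(line)
        if m and last_key == "dns servers":
            current.dns.append(m.group(1).strip())
    return adapters


def query_order(adapters: List[Adapter], binding_order: List[str]) -> List[str]:
    """DNS servers in the order the post observes them being tried: all servers
    of the first adapter in the binding order, then the next adapter's, ..."""
    by_name = {a.name: a for a in adapters}
    ordered: List[str] = []
    for name in binding_order:
        ordered.extend(s for s in by_name[name].dns if s not in ordered)
    for a in adapters:               # adapters missing from the order go last
        if a.name not in binding_order:
            ordered.extend(s for s in a.dns if s not in ordered)
    return ordered


def split_dns_risk(adapters: List[Adapter], binding_order: List[str]) -> Optional[str]:
    """Flag the post's failure mode: the first-queried adapter is a LAN adapter
    whose DNS server is its own default gateway (a DNS-proxying home router),
    so internal names are answered with public data before the VPN is asked."""
    first = next(a for a in adapters if a.name == binding_order[0])
    vpn = [a for a in adapters if a.kind.upper() == "PPP"]
    if first.kind.upper() != "PPP" and vpn and first.gateway in first.dns:
        return (f"{first.name}: DNS server {first.gateway} is the local router; "
                f"queries go there before {vpn[0].name} servers {vpn[0].dns}")
    return None


def ppp_first(adapters: List[Adapter]) -> List[str]:
    """Binding order with PPP (VPN) adapters ahead of LAN adapters."""
    return ([a.name for a in adapters if a.kind.upper() == "PPP"]
            + [a.name for a in adapters if a.kind.upper() != "PPP"])


if __name__ == "__main__":
    ads = parse_ipconfig(SAMPLE_IPCONFIG)
    lan_first = [a.name for a in ads]
    print("LAN first:", query_order(ads, lan_first), split_dns_risk(ads, lan_first))
    print("VPN first:", query_order(ads, ppp_first(ads)), split_dns_risk(ads, ppp_first(ads)))
```

Run against real output by piping `ipconfig /all` into a file and passing its contents to `parse_ipconfig`; the risk check is what you would want in place before relying on short-name resolution over the tunnel, since it shows whether internal names are going to the home router's proxy first.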