common dns issues in vpn networking

Upload: acxa

Post on 04-Jun-2018


8/13/2019 Common DNS Issues in VPN Networking
http://www.isaserver.org/img/upl/vpnkitbeta2/dnsvpn.htm [5/6/2013 21:53:43]

COMMON DNS ISSUES IN VPN NETWORKING

DNS issues comprise a major portion of the connectivity problems related to ISA Server 2000 firewalls and VPN servers. ISA Server firewall/VPN servers and clients use DNS host name resolution to resolve both internal and external network names. While any discussion of DNS has the potential to become overly complex, there are some common DNS issues related to ISA Server firewall/VPN server clients that can be solved relatively easily.

We will discuss the following subjects in this ISA Server 2000 VPN Deployment Kit document:

- VPN client DNS problems
- VPN gateway DNS problems
- Configuring an internal DNS server to resolve Internet DNS host names
- Configuring a caching-only DNS server on the ISA Server firewall/VPN server
- Configuring DNS settings on VPN and internal network clients

VPN Client DNS Problems

VPN client DNS name resolution issues include:

- VPN clients unable to resolve internal network names
- VPN clients unable to resolve Internet host names

VPN Clients Unable to Resolve Internal Network Names

Internal network names are the names of computers and other devices on your internal network. VPN clients connect to the ISA Server firewall/VPN server with the goal of accessing resources on the internal network. VPN clients will not be able to access these resources using a DNS host name if the client cannot properly resolve that name to an IP address.

The following is a list of the most common internal network DNS name resolution problems and solutions encountered for VPN clients.

VPN clients not assigned a DNS server address

VPN clients will not be able to resolve DNS host names on the internal network if they are not assigned a DNS server address by the ISA Server firewall/VPN server. In most cases, the VPN client already has a DNS server address assigned to it. However, that DNS server address does not resolve names on the corporate network, because that DNS server is intended to resolve names on the network the VPN client computer is attached to before connecting to the ISA firewall/VPN server, or to resolve only Internet host names.

The solution to this problem is to configure the ISA Server firewall/VPN server to assign a DNS server address to the VPN clients. The ISA Server 2000 VPN Deployment Kit documents Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options and Configuring the Windows Server 2003 ISA Server 2000/VPN Server describe how to assign the addresses of DNS servers on the internal network that can resolve internal network DNS host names.

VPN client assigned an incorrect DNS server address

The VPN client that cannot resolve internal network names may have been assigned an incorrect DNS server address. Check the DNS server address assigned to the VPN client. If an incorrect address was assigned to the client, make the appropriate correction at either the DHCP server or the internal interface of the ISA Server firewall/VPN server.

Split tunneling is enabled

Split tunneling is enabled when the VPN client is not required to use the VPN virtual PPP interface as its default gateway. This allows the VPN client to directly access both the Internet and the corporate network. When the VPN client is not configured to use the default gateway on the remote network, name resolution may fail for internal network resources.

The solution to this problem is to disable split tunneling and force firewall policy on the VPN clients using the procedures described in the ISA Server 2000 VPN Deployment Kit document Forcing Firewall Policy on VPN Clients.

Links referenced on this page:
http://www.isaserver.org/img/upl/vpnkitbeta2/dhcprelay.htm
http://www.isaserver.org/img/upl/vpnkitbeta2/configisavpn.htm
http://www.isaserver.org/img/upl/vpnkitbeta2/vpnfirewallpolicy.htm

VPN client cannot resolve unqualified names

An unqualified DNS query is one where the query is for a computer name without the domain name. For example, the VPN client may wish to use the Web browser to access a Web server on the internal network. The user types in the URL http://SERVER1 and is unable to connect. The DNS resolver software on the VPN client must be able to append a DNS suffix to the computer name before sending the name for resolution. If the resolver is unable to append a domain name, it will forward the unqualified request to the DNS server for resolution. Unless the DNS server is configured with a WINS referral zone that can resolve these kinds of unqualified requests, the name resolution attempt will fail and so will the connection.

Note: Please refer to Configuring DNS client settings for more information on the Windows Server 2003 DNS resolver.

The VPN clients should be configured with a primary domain name that they can append to unqualified requests. There are several methods you can use to assign a domain name to the VPN client:

- Join the VPN client to the internal network domain. This will assign the VPN client a primary domain name which is the same as the internal network domain. Use the procedures described in the ISA Server 2000 VPN Deployment Kit documents Configuring VPN Clients to Support Network Browsing and Forcing Firewall Policy on VPN Clients.
- Use a DHCP server and the DHCP Relay Agent to assign a domain name to the VPN client when the VPN client connects, using the procedures described in the ISA Server 2000 VPN Deployment Kit document Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options.
- Manually assign the VPN client a domain name to be used in resolving unqualified requests, by either assigning a primary domain name or by using a DNS suffix search list.

Note: Please refer to How to Configure a Domain Suffix Search List on the Domain Name System Clients for more information on how to configure a DNS suffix search list on VPN client adapters.

VPN client resolves internal network names to external addresses

Many organizations use the same domain name for internal and external network resources. For example, you may host a public DNS server named www.internal.net. The server is accessible from the Internet by connecting to its public IP address. Internal network clients can also connect to the same server by using the same name, www.internal.net. When a VPN client tries to connect to www.internal.net, it is unable to connect to the server by that name on the internal network, or it connects to the public server by the same name.

The problem is that the VPN client is trying to resolve internal network names using a public DNS server. This can happen when the VPN client is not assigned an internal network DNS server address, or is assigned no DNS server address at all by the VPN server. The solution to this problem is to confirm that the VPN clients are assigned a DNS server address that can resolve internal network names.
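The two client-side failures just described (an unqualified name sent without a suffix, and a split-DNS name answered by the wrong server) can be modelled in a few lines. The following Python is an added example written for this page, not code from the ISA Server 2000 VPN Deployment Kit; the zone contents, server addresses (10.0.0.2, 198.51.100.53) and suffixes are constructed, and the resolver logic is a simplified model of the Windows client behaviour the text describes (suffix appended before the query goes to the assigned server).

```python
"""Model of the Windows DNS client behaviour described above. Added example,
constructed for illustration and not code from the ISA Server 2000 VPN
Deployment Kit: it shows how an unqualified name such as SERVER1 is qualified
with the primary DNS suffix or suffix search list before being sent to the
server, and how www.internal.net answers differently depending on which DNS
server the VPN client was assigned. All zone data, suffixes and addresses are
made up (private and documentation address ranges)."""

# Constructed zone data: the internal DNS server (10.0.0.2) knows the internal
# hosts and the private address of www.internal.net; the public DNS server
# (198.51.100.53) only knows the public address.
INTERNAL_DNS = {
    "server1.internal.net.": "10.0.0.10",
    "www.internal.net.": "10.0.0.20",
}
PUBLIC_DNS = {
    "www.internal.net.": "203.0.113.20",
}
SERVERS = {"10.0.0.2": INTERNAL_DNS, "198.51.100.53": PUBLIC_DNS}


def candidate_names(name, primary_suffix=None, search_list=()):
    """Return the fully qualified names the resolver will try, in order.

    A name containing a dot is sent as-is (made absolute). An unqualified
    single-label name gets the primary DNS suffix appended first, then each
    suffix in the search list. With no suffix configured at all the bare label
    is sent unqualified, which an ordinary DNS server cannot answer.
    """
    name = name.lower()
    if name.endswith("."):
        return [name]
    if "." in name:
        return [name + "."]
    suffixes = []
    if primary_suffix:
        suffixes.append(primary_suffix)
    for suffix in search_list:
        if suffix not in suffixes:
            suffixes.append(suffix)
    if not suffixes:
        return [name + "."]
    return [f"{name}.{suffix.strip('.')}." for suffix in suffixes]


def query(server_ip, fqdn):
    """Look one FQDN up on a constructed server; None stands for name not found."""
    return SERVERS[server_ip].get(fqdn)


def resolve(name, dns_server, primary_suffix=None, search_list=()):
    """Resolve the way the VPN client does: each candidate, against its assigned server."""
    for fqdn in candidate_names(name, primary_suffix, search_list):
        address = query(dns_server, fqdn)
        if address is not None:
            return fqdn, address
    return None


def demo():
    """The situations the text describes, as (name tried, answer) or None."""
    results = {}
    # Internal DNS server assigned, but no DNS suffix: SERVER1 goes out unqualified and fails.
    results["no_suffix"] = resolve("SERVER1", "10.0.0.2")
    # Same server once a primary suffix is assigned (domain join, DHCP domain-name option, or manual).
    results["with_suffix"] = resolve("SERVER1", "10.0.0.2", primary_suffix="internal.net")
    # Suffix search list instead of a primary suffix: the second entry matches.
    results["search_list"] = resolve("SERVER1", "10.0.0.2", search_list=["corp.example", "internal.net"])
    # Split-DNS name: the internal server hands back the private address ...
    results["internal_www"] = resolve("www.internal.net", "10.0.0.2")
    # ... while a client still using the public server gets the public one.
    results["public_www"] = resolve("www.internal.net", "198.51.100.53")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:13s} {value}")
```

Running the block prints one line per case; the `no_suffix` case is the http://SERVER1 failure from the text, and the two `www` cases show why the assigned DNS server, not the name, decides which address the VPN client reaches.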

VPN Clients Unable to Resolve Internet Host Names

VPN clients not assigned a DNS server address

VPN clients depend on the ISA Server firewall to grant them access to the Internet when split tunneling is disabled, as described in the ISA Server 2000 VPN Deployment Kit article Forcing Firewall Policy on VPN Clients. If VPN clients are granted access to the Internet via the ISA Server firewall, then the problem is related to the ISA Server firewall being unable to resolve Internet host names. The solution is to configure the ISA Server firewall with a DNS server address that can resolve Internet DNS host names.

VPN clients assigned an incorrect DNS server address

VPN clients may be assigned an incorrect DNS server address. This could be due to typing an incorrect DNS server address on the internal interface of the ISA Server firewall/VPN server, or to typing the incorrect address in the DHCP scope option.

Links referenced on this page:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_DNS_imp_ConfiguringClients.asp
http://www.tacteam.net/isaserverorg/vpnkitbeta2/vpnclientbrowsing.htm
http://www.tacteam.net/isaserverorg/vpnkitbeta2/vpnfirewallpolicy.htm
http://www.tacteam.net/isaserverorg/vpnkitbeta2/dhcprelay.htm
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q275/5/53.ASP&NoWebContent=1
http://www.isaserver.org/img/upl/vpnkitbeta2/vpnfirewallpolicy.htm

The solution is to confirm that a correct DNS server address is assigned to the VPN clients.

VPN clients assigned a DNS server that cannot resolve Internet host names

VPN clients may be assigned a valid DNS server address, but the DNS server is not correctly configured to resolve Internet host names. You may think the solution to this problem is to configure the VPN clients to use another DNS server or to correctly configure the internal DNS server to resolve Internet DNS host names, but this is not the case. VPN clients with split tunneling disabled must use the ISA Server firewall to access the Internet, and the ISA Server firewall must resolve Internet names on behalf of the VPN clients. The solution to this problem is to configure the ISA Server firewall/VPN server to use a DNS server that can resolve Internet host names.

Note: The procedure for configuring an internal network DNS server to resolve Internet DNS host names is described later in this ISA Server 2000 VPN Deployment Kit document.

ISA Server firewall/VPN server configured with a DNS server address that cannot resolve Internet host names

This is the core problem in all instances where the VPN clients are configured as Web Proxy or Firewall clients. Both Web Proxy and Firewall clients allow the ISA Server firewall/VPN server to resolve Internet DNS host names on their behalf. Please refer to the ISA Server 2000 VPN Deployment Kit article Forcing Firewall Policy on VPN Clients for detailed instructions on how to configure the VPN clients as Firewall and Web Proxy clients.

VPN Gateway DNS Problems

DNS host name resolution problems in a VPN gateway-to-gateway configuration center around problems similar to those encountered with VPN clients:

- Local and remote network hosts cannot resolve internal network names
- Local and remote network hosts cannot resolve Internet host names

Local and Remote Network Hosts Cannot Resolve Internal Network Names

The following is a list of the most common internal network DNS name resolution problems and solutions encountered in VPN gateway-to-gateway link environments:

Network hosts are not configured with a DNS server address

Internal network hosts must be configured with a DNS server address that can resolve internal network names on both sides of the gateway-to-gateway VPN link. If hosts on the opposite side of the VPN gateway-to-gateway link belong to a different domain, then you will need to configure the internal network clients to use a DNS server that can resolve names for all internal network domains. You can use stub zones or zone delegation to accomplish this task, depending on the specifics of your internal network environment.

Note: Please refer to Delegate the DNS Zone for the Windows Server 2003 Domain for more information on how to perform zone delegations. Please refer to Support WebCast: Microsoft Windows Server 2003 DNS: Stub Zones and Conditional Forwarding for more information on Windows Server 2003 stub zone configuration.

Network hosts configured with an incorrect DNS server address

Internal network hosts may be configured with an incorrect DNS server address. Check that the address was typed in correctly and that the DNS server is able to resolve names for all internal network domains.

Network hosts are not configured with a DNS server that can resolve internal network names

Internal network hosts may have been inadvertently configured to use a DNS server that can only resolve Internet host names. This is most commonly seen when the internal network is based on the SecureNAT client configuration and the SecureNAT clients are configured to use the ISP's DNS server for name resolution. The ISP's DNS server has no knowledge of the internal network domain and cannot resolve names on your internal network. The solution is to configure internal network clients with a DNS server address that can resolve both internal and external network names.

Links referenced on this page:
http://www.isaserver.org/img/upl/vpnkitbeta2/vpnfirewallpolicy.htm
http://www.isaserver.org/img/upl/vpnkitbeta2/Delegate%20the%20DNS%20Zone%20for%20the%20Windows%20Server%202003%20Domain
http://support.microsoft.com/default.aspx?scid=/servicedesks/webcasts/wc012103/wcblurb012103.asp

Local and Remote Network Hosts Cannot Resolve Internet Host Names

The following is a list of the most common Internet host name DNS resolution problems and solutions encountered in VPN gateway-to-gateway link environments:

Network hosts not assigned a DNS server address

Not all internal network clients need to be assigned a DNS server address. If the internal network hosts are not members of a Windows 2000 or Windows Server 2003 domain, computers configured as Web Proxy and/or Firewall clients can have the ISA Server firewall/VPN server resolve Internet DNS host names on their behalf, and therefore they do not need a hard-coded DNS server address. SecureNAT clients must be configured with the address of a DNS server that can resolve Internet DNS host names. The reason is that the ISA Server firewall/VPN gateway will not resolve names on behalf of SecureNAT clients.

Network hosts not assigned a DNS server address that can resolve Internet host names

Internal network clients may be configured with a DNS server that is not configured to resolve Internet DNS host names, or the DNS server is incorrectly configured. The solution is to change the DNS server address on the clients to a DNS server that can resolve Internet host names, or to correct the configuration on the DNS server that should have been able to resolve the names.

ISA Server/VPN gateway registers its virtual IP address in the dynamic DNS

If the ISA Server firewall/VPN server is also configured as a domain controller or dynamic DNS server, then the virtual PPP adapter interface address will be registered in the DNS for the name of the ISA Server firewall/VPN server. This can prevent Internet access by Web Proxy and Firewall clients, because these ISA Server client types depend on name resolution to contact the ISA Server firewall/VPN server for outbound access to the Internet.

Note: Please refer to Routing and Remote Access IP Addresses Register in DNS and Name Resolution and Connectivity Issues on Windows 2000 Domain Controller with Routing and Remote Access and DNS Installed for more details on this problem.

Configuring an Internal DNS Server to Resolve Internet Host Names

An existing DNS server can be configured to resolve Internet DNS host names for internal network clients. DNS security best practices dictate that internal network DNS servers should avoid direct contact with Internet DNS servers. This is especially the case when internal network DNS servers host resource records for the internal network domains.

You can configure internal DNS servers to resolve Internet host names and avoid contact with external DNS servers by configuring them to use the ISA Server firewall/VPN server as a DNS forwarder. We will discuss configuring the internal network DNS server to use the ISA Server firewall/VPN server as a DNS forwarder in this ISA Server 2000 VPN Deployment Kit document.

Note: The internal network DNS server is located on an internal network domain controller. It is particularly important for a DNS server co-located on an internal domain controller to avoid direct contact with an Internet DNS server.

1. Click Start and point to Administrative Tools. Click on the DNS entry in the Administrative Tools menu. In the DNS Management console, click on your server name, then right click on the server name. Click on the Properties command (figure 1).

Figure 1 (fig139)

Links referenced on this page:
http://support.microsoft.com/?kbid=289735
http://support.microsoft.com/default.aspx?scid=kb;en-us;292822

3. Click on the Forwarders tab (figure 3). You can configure a DNS forwarder address on the Forwarders tab. Enter the IP address of the DNS forwarder you want to use in the Selected domain's forwarder IP address list text box, then click the Add button to add it to the list of DNS forwarders. The DNS forwarder can be your ISP's DNS server or your ISA Server firewall/VPN server if it has been configured as a caching-only DNS forwarder. In this example we will configure this DNS server located on the domain controller to use the ISA Server firewall/VPN server as a DNS forwarder. Later in this ISA Server 2000 VPN Deployment Kit document we will configure the ISA Server firewall/VPN server to be a caching-only DNS server.

Put a checkmark in the Do not use recursion for this domain checkbox. When you select this option, you place the entire responsibility for Internet DNS host name resolution on the forwarder. If the forwarder cannot resolve the name, then the name resolution failure is communicated to the client system that issued the DNS query. If you allow recursion, then this DNS server will try to resolve the name itself after it receives the name resolution failure message from its forwarder. It's unlikely that this internal DNS server will be able to resolve the name if the forwarder cannot, and allowing this DNS server to perform recursion after the forwarder fails to do so can slow down the return of DNS name resolution failure messages to DNS clients on the internal network.

Figure 3 (fig141)


4. Click on the Advanced tab (figure 4). Notice there is a Server options entry named Disable recursion (also disables forwarders). This entry has quite a different meaning than the Do not use recursion for this domain option we saw in the figure above. Do not select the Disable recursion (also disables forwarders) option. If you select this option, then this DNS server could not resolve Internet DNS host names and could only return answers for domains that it is authoritative for. The Disable recursion (also disables forwarders) option is a good option to select when you are publishing a public DNS server as part of a split DNS infrastructure, but it is not a viable option when you want to use this DNS server to resolve Internet DNS host names.

Note: A split DNS infrastructure allows you to return different IP addresses to public and private network hosts for the same resources that are under your administrative control. The split DNS infrastructure is beyond the scope of this ISA Server 2000 VPN Deployment Kit article. For more information on split DNS design, please refer to this TechNet DNS Infrastructure Design article.

Figure 4 (fig142)

Links referenced on this page:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/idc/rag/ragc02.asp

5. Click on the Root Hints tab (figure 5). On the Root Hints tab you see the entries for the Internet Root DNS servers. The DNS server uses this list of DNS server addresses to perform recursion. We recommend that you do not allow the internal network DNS server to perform recursion, so this list will not be used by this server to resolve Internet DNS host names.

Figure 5 (fig143)


6. Click on the Monitoring tab (figure 6). Put a checkmark in the A simple query against this DNS server checkbox and click the Test Now button. You should see a Pass entry in the Simple Query column. Remove the checkmark from the A simple query against this DNS server checkbox and then put a checkmark in the A recursive query to other DNS servers checkbox. Click the Test Now button. You should see a Pass entry in the Recursive Query column. The simple query tests whether the DNS server can resolve names for domains that it is authoritative for. The recursive query tests whether this server can resolve names, such as Internet DNS host names, for which this DNS server is not authoritative.

Note: You should get Pass entries on the DNS tests if you have configured the DNS server to use your ISP's DNS server as its forwarder and you have created a DNS query Protocol Rule to allow the DNS server to send outbound DNS queries to the Internet. If you are using the ISA Server firewall/VPN server as your DNS forwarder, and you have not yet configured the ISA Server firewall/VPN server as a caching-only DNS server, then your tests will fail. The tests will succeed after the caching-only DNS server is installed and configured on the ISA Server firewall/VPN server.

Figure 6 (fig144)


Configuring the ISA Server Firewall/VPN Server as a Caching-only Internet DNS Host Name Resolver

You may prefer to use the ISA Server firewall/VPN computer as your Internet DNS host name resolver. There are several advantages to using the ISA Server firewall/VPN server as your Internet DNS host name resolver:

You do not expose your internal network DNS servers to Internet traffic

You expose your private DNS servers to potential attack from Internet intruders when internal network DNS servers are used to resolve both internal and external network names. The most dangerous example is when the internal network DNS server is located on a domain controller. An optimal security configuration prevents external hosts from contacting any internal network domain controller and any DNS server authoritative for internal network DNS domains.

The ISA Server firewall/VPN server based DNS server contains no internal network host records

The DNS server located on the ISA Server firewall/VPN server is installed and configured as a caching-only DNS server. The caching-only DNS server is not authoritative for any zone on the internal or external network. This type of DNS server can use a forwarder, a forwarder and recursion, or recursion only, to resolve Internet DNS host names. The caching-only DNS server caches the results of the DNS query and returns the cached result to the next host making a request for the same Internet DNS host name.

Note: DNS recursion involves multiple queries to Internet-based DNS servers, beginning with the Internet Root DNS Server addresses. These addresses are contained in the Root Hints file on the caching-only DNS server. Please refer to Windows Server 2003 Help for more information about caching-only DNS servers and DNS recursion.

The ISA Server firewall/VPN server based DNS server can resolve internal network names with the help of a stub zone

The ISA Server firewall/VPN server computer must be able to resolve both internal and external host names. The ISA Server component must be able to resolve Internet DNS host names on behalf of Firewall and Web Proxy clients. The ISA Server component must also be able to resolve internal network names in order to locate Active Directory domain controllers and other resources.

Links referenced on this page:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_DNS_imp_ManagingServers.asp

A modified caching-only DNS server can be configured with a DNS stub zone containing enough information about internal network domains to allow the ISA Server firewall to resolve internal and Internet host names for Web Proxy and Firewall clients. The DNS stub zone contains only three resource records: a Name Server (NS) record, a Start of Authority (SOA) record, and a Host (A) record, sometimes referred to as a glue record. The glue record allows the DNS server to resolve the name associated with the NS record.

Note: Stub zones have a number of uses. In the scenario discussed in this ISA Server 2000 VPN Deployment Kit document, the stub zone is used to resolve names on the internal network. Please refer to Windows Server 2003 Help for more information on stub zones.

The ISA Server firewall/VPN server can use a forwarder, use a forwarder and perform recursion on its own, or perform recursion without the use of a forwarder

A forwarder is a DNS server that resolves names for another DNS server. The DNS server located on the ISA Server firewall/VPN server can be configured to use a DNS server, such as your ISP's DNS server, to resolve Internet DNS host names for it. When the forwarder resolves the name, it sends the result to the DNS server on the ISA Server firewall/VPN server; the caching-only DNS server caches the result and sends the answer to the host on the internal network.

The caching-only DNS server can be configured to use a forwarder and perform recursion. When you allow a caching-only DNS server that is configured to use a forwarder to perform recursion, the caching-only server will attempt to resolve the name itself if the forwarder is not successful in resolving an Internet DNS host name. You usually do not want to allow the caching-only DNS server to perform recursion because it slows down the return of host not found errors to the internal network clients. However, you may consider this option if you do not trust the reliability of your forwarders.

You have the option to configure the caching-only DNS server located on the ISA Server firewall/VPN server to use recursion without the aid of a DNS forwarder. In this case, the caching-only DNS server uses the Root Hints file to query the Internet Root Servers to resolve Internet DNS host names on its own. Allowing your DNS server to perform recursion can expose it to a large number of Internet-based DNS servers and may increase the risk of DNS related attacks.
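The three resolution modes just compared, the "Do not use recursion for this domain" forwarder option and the "Disable recursion (also disables forwarders)" server option from the internal DNS server procedure earlier in this document, and the way a stub zone (NS, SOA and glue A record) routes internal-domain queries, all fit in one small model. The Python below is an added example written for this page, not code from the ISA Server 2000 VPN Deployment Kit; the upstream servers, their answers, the zone name internal.net and the addresses (10.0.0.2, 192.0.2.x) are constructed, and the server is a simplified model of the Windows DNS service behaviour the text describes, with a query counter standing in for the extra upstream contact and slower failures the text warns about.

```python
"""Model of the caching-only DNS server behaviour this document describes.
Added example: constructed for illustration, not code from the ISA Server 2000
VPN Deployment Kit. Server addresses, names and the answers upstream servers
give are all made up (private and documentation address ranges)."""

from dataclasses import dataclass, field

# Constructed upstream answers. A missing name means that server cannot resolve it.
UPSTREAM = {
    "forwarder": {"www.example.com.": "192.0.2.80"},          # the ISP's DNS server
    "roots": {"www.example.com.": "192.0.2.80",
              "ftp.example.net.": "192.0.2.21"},               # reachable by recursion from root hints
    "10.0.0.2": {"dc1.internal.net.": "10.0.0.2",
                 "server1.internal.net.": "10.0.0.10"},        # internal DNS server / domain controller
}


@dataclass
class StubZone:
    """The three records a stub zone holds: SOA, NS and the glue A record for the NS host."""
    name: str       # zone name, e.g. "internal.net."
    soa_mname: str  # primary server named in the SOA record
    ns: str         # NS record: the internal authoritative server's name
    glue_a: str     # A record for the NS name, so that server can be reached directly


@dataclass
class CachingOnlyServer:
    forwarders: list = field(default_factory=list)
    recurse_after_forwarder: bool = True            # "Do not use recursion for this domain" NOT ticked
    disable_recursion_and_forwarders: bool = False  # Advanced tab server option
    stub_zones: list = field(default_factory=list)
    cache: dict = field(default_factory=dict)
    upstream_queries: int = 0                       # how much upstream contact the lookups cost

    def _ask(self, server, fqdn):
        """Send one query upstream; None stands for a name-not-found reply."""
        self.upstream_queries += 1
        return UPSTREAM.get(server, {}).get(fqdn)

    def _store(self, fqdn, answer, how):
        if answer is None:
            return None, how + "-failed"
        self.cache[fqdn] = answer
        return answer, how

    def resolve(self, fqdn):
        """Return (address or None, how it was obtained)."""
        fqdn = fqdn.lower()
        if fqdn in self.cache:
            return self.cache[fqdn], "cache"
        # Names under a stub zone go to the zone's NS host via its glue address,
        # never out to the Internet.
        for zone in self.stub_zones:
            if fqdn == zone.name or fqdn.endswith("." + zone.name):
                return self._store(fqdn, self._ask(zone.glue_a, fqdn), "stub:" + zone.ns)
        # Not authoritative for anything else: with recursion and forwarders
        # disabled the server has nothing left to try.
        if self.disable_recursion_and_forwarders:
            return None, "refused"
        for fw in self.forwarders:
            answer = self._ask(fw, fqdn)
            if answer is not None:
                return self._store(fqdn, answer, "forwarder")
        if self.forwarders and not self.recurse_after_forwarder:
            return None, "forwarder-failed"        # fail fast, as the text recommends
        # Recursion from root hints: extra upstream contact and a slower failure.
        return self._store(fqdn, self._ask("roots", fqdn), "recursion")


def demo():
    """Run the configurations the text compares and collect the outcomes."""
    stub = StubZone("internal.net.", "dc1.internal.net.", "dc1.internal.net.", "10.0.0.2")
    out = {}
    # 1. Recommended: forwarder only, "Do not use recursion for this domain" ticked.
    s = CachingOnlyServer(forwarders=["forwarder"], recurse_after_forwarder=False, stub_zones=[stub])
    out["fwd_only_internal"] = s.resolve("server1.internal.net.")
    out["fwd_only_internet"] = s.resolve("www.example.com.")
    out["fwd_only_miss"] = s.resolve("ftp.example.net.")      # forwarder cannot: failure returned at once
    out["fwd_only_queries"] = s.upstream_queries
    out["fwd_only_cached"] = s.resolve("www.example.com.")    # repeat lookup answered from cache
    # 2. Forwarder plus recursion: the same miss is retried via root hints.
    s2 = CachingOnlyServer(forwarders=["forwarder"], recurse_after_forwarder=True)
    out["fwd_rec_miss"] = s2.resolve("ftp.example.net.")
    out["fwd_rec_queries"] = s2.upstream_queries
    # 3. Recursion only, no forwarder configured.
    out["rec_only"] = CachingOnlyServer().resolve("www.example.com.")
    # 4. "Disable recursion (also disables forwarders)": only stub-zone names still resolve.
    s4 = CachingOnlyServer(forwarders=["forwarder"], disable_recursion_and_forwarders=True, stub_zones=[stub])
    out["disabled_internet"] = s4.resolve("www.example.com.")
    out["disabled_internal"] = s4.resolve("dc1.internal.net.")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18s} {value}")
```

The query counter makes the text's argument concrete: in the forwarder-only configuration a miss costs one upstream query and comes back as a failure immediately, while the forwarder-plus-recursion configuration spends a second query walking root hints for the same name. The `disabled_*` cases show why the Advanced tab option is wrong for this role: the server still answers names covered by its stub zone but refuses everything else.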

This ISA Server 2000 VPN Deployment Kit document covers the following procedures that allow you to run a caching-only DNS server on the ISA Server firewall/VPN server:

- Installing the DNS server service on the ISA Server firewall/VPN server
- Creating the reverse lookup stub zone
- Creating the forward lookup stub zone
- Creating the DNS TCP port 53 packet filter on the ISA Server firewall/VPN server

Installing the DNS Server Service on the ISA Server Firewall/VPN Server

Perform the following steps on the ISA Server firewall/VPN server to configure the caching-only DNS server:

1. Click Start and point to Control Panel. Click the Add or Remove Programs entry in the list. In the Add or Remove Programs window, click on the Add/Remove Windows Components button on the left side of the window (figure 7).

Figure 7 (fig100)

Links referenced on this page:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_DNS_imp_StubZones.asp

2. In the Windows Components dialog box, select the Network Services entry in the Components list (but do not put a checkmark in the checkbox!). Then click the Details button (figure 8).

Figure 8 (fig101)


    3. In the Networki ng Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox. Click OK (figu9).

Figure 9 (fig102)


    4. Click Next in the Windows Components dialog box (figure 10).

Figure 10 (fig103)


5. Click Finish on the Completing the Windows Components Wizard dialog box (figure 11) after the DNS server service is installed.

Figure 11 (fig104)


You do not need to restart the ISA Server firewall/VPN server. The DNS service can now be configured with one or more stub zones that allow it to forward DNS queries for internal network domains to the appropriate DNS servers on the internal network.

There are no internal network resource records contained in these stub zones that could potentially put your internal network at significant risk. It is safe to include these stub zones on the caching-only DNS server.

The first stub zone you create is the reverse lookup stub zone. In our current example, the internal network uses network ID 10.0.0.0/8. We'll create a reverse lookup stub zone for this network ID.

Creating the Reverse Lookup Stub Zone

1. Click Start, point to Administrative Tools and click on the DNS entry in the Administrative Tools menu (figure 12).

Figure 12 (fig105)


2. In the DNS Management console, click on the Reverse Lookup Zones node and then right click on it. Click the New Zone command (figure 13).

Figure 13 (fig106)


    3. Click Next on the Welcome to the New Zone Wizard page (figure 14).

Figure 14 (fig107)


4. Select the Stub zone option on the Zone Type page (figure 15). Note the description of a stub zone: "Creates a copy of a zone containing only Name Server (NS), Start of Authority (SOA), and possibly glue Host (A) records. A server containing a stub zone is not authoritative for that zone." You can think of the stub zone as a referral zone, where it refers queries for the zone to another DNS server for resolution. In the present case, the caching-only DNS server caches the results after receiving the answers to the referred DNS queries and returns these cached answers for subsequent queries.

Figure 15 (fig108)


5. Select the Network ID option on the Reverse Lookup Zone Name page (figure 16). Type in your network ID in the text box under this option. Note that you are not creating a new reverse lookup zone on the caching-only DNS server; you are providing information that is used to obtain information from a DNS server that is authoritative for this reverse lookup zone. Click Next.

Figure 16 (fig109)


6. The Create a new file with this file name option is selected by default and the name of the zone file is automatically entered for you on the Zone File page (figure 17). Do not make any changes on this page and click Next.

Figure 17 (fig110)


8. Review your settings on the Completing the New Zone Wizard page and click Finish to create the new stub reverse lookup zone (figure 19).

Figure 19 (fig112)


9. If you see an error message indicating that the DNS server could not be contacted, right click the stub reverse lookup zone in the right pane of the console and click the Transfer from Master command. Click the Refresh button on the button bar after transferring the zone from the master. It may take a few moments to contact the master server and obtain the required resource record information.

Note: You do not need to wait for all records contained in the reverse lookup zone to be transferred to the stub reverse lookup zone. Only the Start of Authority (SOA) and Name Server (NS) records need to be transferred. If you continue to see an error message and do not see these records in the right pane of the console, use the Reload from Master command and then close and reopen the DNS Management console.

Figure 20 (fig113)


The next step is to create the forward lookup stub zone.

Creating the Forward Lookup Stub Zone

1. In the DNS Management console, click on the Forward Lookup Zones node in the left pane of the console and then right click on it. Click on the New Zone command (figure 21).

Figure 21 (fig114)


    2. Click Next on the Welcome to the New Zone Wizard page (figure 22).

Figure 22 (fig115)


3. Select the Stub zone option on the Zone type page (figure 23). Remember that this stub zone contains only three records:

Name Server (NS)
Start of Authority (SOA)
Host (A) glue record

Click Next.

Figure 23 (fig116)


4. Type in the name of the internal network domain on the Zone Name page (figure 24). This is the same name as the zone you've created on your internal network DNS servers. Click Next.

Figure 24 (fig117)


5. The Create a new file with this file name option is selected by default on the Zone File page (figure 25). The name of the file is automatically entered for you. Make no changes on this page and click Next.

Figure 25 (fig118)


6. Type in the address of the internal network DNS server that is authoritative for this DNS zone in the IP address text box on the Master DNS Servers page (figure 26). Click Add to add the address to the list of authoritative DNS servers. If this DNS server cannot contact the server at the top of the list, it will forward the queries to the next server on the list, and so on. Click Next.

Figure 26 (fig119)


7. Review your settings on the Completing the New Zone Wizard page and then click Finish (figure 27).

Figure 27 (fig120)


8. If the SOA, NS and A records do not appear in the right pane of the console, right click on an empty area in the right pane and click the Transfer from Master command (figure 28). Wait a few moments and then click the Refresh button on the console's button bar.

Figure 28 (fig121)


The caching-only DNS server now has a forward and a reverse lookup stub zone. This allows the DNS server to resolve names on the internal network without requiring this server to host the internal network domain's DNS resource records.

Configuring DNS Forwarders, Recursion and the Root Hints File

The optimal configuration for your caching-only DNS server is to limit the amount of exposure it has to Internet DNS servers. You can limit its exposure and improve performance at the same time by using your ISP's DNS server as a forwarder. Assuming that you have a good quality ISP, the advantages of using your ISP's DNS server as a forwarder include:

The DNS cache on the ISP's DNS server is much larger than the cache on your own server
The ISP's DNS server is expertly secured from Internet-based attacks targeted against DNS servers
Most ISPs keep their DNS servers on-network. On-network DNS servers are on the ISP's own network, which allows quick round trip times for DNS query messages

We believe configuring the caching-only DNS server on the ISA Server firewall/VPN server to use your ISP's DNS server as a forwarder is the best option in terms of both security and performance. However, if you do not trust your ISP or have had negative experiences with their DNS servers, you can configure the caching-only DNS server on the ISA Server firewall/VPN server to perform recursion and contact Internet DNS servers directly to resolve Internet DNS host names.

    We discuss both options in the following procedures:

    1. In the DNS Management console, right click on your server name and click the Properties command (figure 29).

Figure 29 (fig122)


2. In the DNS server Properties dialog box, click on the Interfaces tab (figure 30). Select the Only the following IP addresses option. Our goal is to have this caching-only DNS server located on the ISA Server firewall/VPN server listen for DNS queries on its internal interface only. We do not want this caching-only DNS server to accept DNS queries on its external interface.

Click on an address that is not bound to the internal interface of the ISA Server firewall/VPN server, then click Remove. Repeat this for all addresses that are not bound to the internal interface. If you have multiple addresses bound to the internal interface of the ISA Server firewall/VPN server, remove all but one of them and use that address to listen for DNS queries. Click Apply after removing the extra addresses.

Figure 30 (fig123)


3. Only a single IP address, bound to the internal interface of the ISA Server firewall/VPN server, now appears in the list of listening IP addresses (figure 31).

Figure 31 (fig124)


4. Click on the Forwarders tab (figure 32). Type the IP address of your ISP's DNS server in the Selected domain's forwarder IP address list text box and then click Add. The address will then appear in the list of forwarder IP addresses. Your ISP should have at least two public DNS servers; add both of those addresses to your list of forwarders.

Put a checkmark in the Do not use recursion for this domain checkbox. This prevents the caching-only DNS server from using the information in its Root Hints file to perform recursion on its own and resolve Internet DNS host names by contacting Internet DNS servers itself. The point of using a forwarder in our scenario is to prevent the caching-only DNS server from contacting untrusted DNS servers; you must select this checkbox to prevent it from contacting them. Click Apply after entering your forwarders and enabling the checkbox.

Note: There are other ways you can leverage your caching-only forwarder configuration. If you have other DNS servers in your organization, such as a DNS resolver on a DMZ segment, you can configure the caching-only DNS server on the ISA Server firewall/VPN server to use the resolver on the DMZ as its forwarder. For more information on split DNS, split-split DNS, DNS resolvers and DNS advertisers, please see You Need to Create a Split DNS! by Dr. Thomas W Shinder.

Figure 32 (fig125)

http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html

5. Click on the Advanced tab (figure 33). Note the Disable recursion (also disables forwarders) option. Do not enable this option. If you enable it, the caching-only DNS server won't be able to resolve Internet DNS host names, because this option forces the DNS server to answer only DNS queries for domains that it's authoritative for. Since this is a caching-only DNS server, it's not authoritative for any domains.

Figure 33 (fig126)


6. Click on the Root Hints tab (figure 34). Here is a list of Internet Root DNS servers in the Name servers frame. The DNS server can use this list of Internet Root DNS servers to perform recursion on its own without the aid of a forwarder. When the DNS server performs recursion to resolve an Internet DNS host name (such as www.microsoft.com), the following sequence of events takes place:

The caching-only DNS server sends a query for www.microsoft.com to one of the Internet Root DNS servers listed in the Root Hints file
The Internet Root DNS server sends back a referral record to the caching-only DNS server. This referral record has the address or addresses of DNS servers responsible for the COM top level domain.
The caching-only DNS server sends a query for www.microsoft.com to the DNS servers responsible for the COM domain.
The COM domain DNS servers return a referral record with the addresses of the DNS servers responsible for the microsoft.com domain.
The caching-only DNS server sends a query for www.microsoft.com to the DNS servers responsible for the microsoft.com domain.
The microsoft.com DNS servers are authoritative for the microsoft.com domain. They return an IP address for the host www.microsoft.com to the caching-only DNS server.
The caching-only DNS server places the answer in its DNS cache and forwards the answer to the host that sent the original query.

You can see from this example that the Internet Root DNS server, the COM DNS servers, and the microsoft.com DNS servers were all contacted. You may consider using recursion as a backup method, but the preferred backup method for the caching-only DNS server on the ISA Server firewall/VPN server is to configure multiple DNS forwarders.
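The recursion walk just described (root, then COM, then the authoritative servers) and the forwarder behaviour from the earlier discussion of forwarders and the Do not use recursion for this domain checkbox, modelled as a small Python simulation. This is an added example, not code from the ISA Server document or from Microsoft; the server names, the example.com zone data (standing in for www.microsoft.com), the two ISP forwarders and the 192.0.2.10 address are all constructed for the example.

```python
"""Simulation of a caching-only DNS server's two lookup paths: forwarders
first, then (optionally) recursion from the root hints.  Added example; all
server names, zone data and addresses below are constructed."""

# Constructed authority data.  Each server serves one zone and either holds
# records for it or delegates sub-zones to other servers (a referral).
AUTHORITY = {
    "root-server":     {"zone": ".",            "delegations": {"com.": ["com-tld-server"]}},
    "com-tld-server":  {"zone": "com.",         "delegations": {"example.com.": ["ns1.example.com"]}},
    "ns1.example.com": {"zone": "example.com.", "records": {"www.example.com.": "192.0.2.10"}},
}
ROOT_HINTS = ["root-server"]   # stands in for the Root Hints file


def in_zone(qname, zone):
    """True if qname lies inside zone (label-aligned, so 'badcom.' is not in 'com.')."""
    return zone == "." or qname == zone or qname.endswith("." + zone)


def ask(server_name, qname):
    """One query to one authoritative server: ('answer', ip), ('referral', servers) or ('nxdomain', None)."""
    server = AUTHORITY[server_name]
    if qname in server.get("records", {}):
        return "answer", server["records"][qname]
    best = None
    for zone, servers in server.get("delegations", {}).items():
        if in_zone(qname, zone) and (best is None or len(zone) > len(best[0])):
            best = (zone, servers)
    if best:
        return "referral", best[1]
    return "nxdomain", None


def resolve_iteratively(qname, servers=ROOT_HINTS):
    """Walk root -> TLD -> authoritative server, following referrals.
    Returns (ip or None, list of servers contacted in order)."""
    contacted = []
    while servers:
        server = servers[0]
        contacted.append(server)
        kind, payload = ask(server, qname)
        if kind == "answer":
            return payload, contacted
        if kind == "referral":
            servers = payload      # follow the referral one level down
            continue
        break                      # name error: stop walking
    return None, contacted


class CachingOnlyServer:
    """Forwarders are tried in list order.  'slave' mirrors the 'Do not use
    recursion for this domain' checkbox: give up instead of recursing when
    no forwarder can be reached."""

    def __init__(self, forwarders, slave=True):
        self.forwarders = forwarders
        self.slave = slave
        self.cache = {}

    def resolve(self, qname):
        if qname in self.cache:
            return self.cache[qname], ["cache"]
        contacted = []
        for fwd in self.forwarders:
            contacted.append(fwd["name"])
            if not fwd["up"]:
                continue                       # unreachable: try the next forwarder
            ip = fwd["table"].get(qname)       # a reachable forwarder's reply is final
            if ip:
                self.cache[qname] = ip
            return ip, contacted
        if self.slave:
            return None, contacted             # no recursion fallback
        ip, walked = resolve_iteratively(qname)
        if ip:
            self.cache[qname] = ip
        return ip, contacted + walked


def make_forwarders(up1=True, up2=True):
    """Two constructed ISP forwarders that already know www.example.com."""
    table = {"www.example.com.": "192.0.2.10"}
    return [{"name": "isp-dns-1", "up": up1, "table": table},
            {"name": "isp-dns-2", "up": up2, "table": table}]


if __name__ == "__main__":
    print(resolve_iteratively("www.example.com."))
    srv = CachingOnlyServer(make_forwarders(up1=False, up2=False), slave=False)
    print(srv.resolve("www.example.com."))
    print(srv.resolve("www.example.com."))   # served from cache now
```

The contacted-server list returned by each call is the point of the exercise: with the checkbox set (`slave=True`) an outage of every forwarder ends the lookup after two hops, whereas allowing recursion adds the root, TLD and authoritative servers to the set of hosts the firewall's DNS service talks to.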

Figure 34 (fig127)


8. Expand the Cached Lookups node and then expand the .(root) node. Expand one of the top level domain nodes. You'll see a list of second level domain names. Click on one of the second level domain names and you'll see specific DNS resource record information in the right pane of the console (figure 36).

Figure 36 (fig129)


The next step is to create a packet filter to support DNS queries that need to use TCP instead of UDP.

Configuring a DNS Zone Transfer Packet Filter

The IIS SMTP service uses TCP instead of UDP as the default transport protocol for DNS queries. Even outside of the IIS SMTP service, it is normal for DNS queries to use TCP when the data in the DNS message does not fit into a single UDP packet.
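Why the filter below matters at the protocol level, as an added Python example that is not part of the ISA Server document: a resolver learns that an answer did not fit in UDP from the TC (truncated) bit in the reply header and must then repeat the query over TCP port 53, where every message travels behind a two-byte length prefix (RFC 1035, section 4.2.2). The query and the two replies are constructed in the block; no network is touched.

```python
"""DNS wire-format helpers showing why a caching-only DNS server needs TCP
port 53 as well as UDP: a UDP reply with the TC (truncated) bit set must be
retried over TCP, and TCP carries each message behind a 2-byte length prefix
(RFC 1035 section 4.2.2).  Added example; the sample messages are constructed."""
import struct

QTYPE_MX = 15
QCLASS_IN = 1

FLAG_QR = 0x8000   # response
FLAG_TC = 0x0200   # truncated: the answer did not fit in one UDP message
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available


def encode_name(name):
    """'example.com.' -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, txid):
    """Standard query with RD set, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Decode the 12-byte header; raises on anything shorter."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp_retry(udp_reply, expected_id):
    """True when the UDP reply answers our query and is truncated."""
    h = parse_header(udp_reply)
    if h["id"] != expected_id:
        raise ValueError("reply ID %#x does not match query ID %#x" % (h["id"], expected_id))
    return h["qr"] and h["tc"]


def frame_for_tcp(msg):
    """Prefix a DNS message with its big-endian 16-bit length for TCP."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too long for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(stream):
    """Split a TCP byte stream into whole DNS messages; a partial tail is returned unread."""
    messages, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + length > len(stream):
            break                      # wait for more bytes
        messages.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return messages, stream[pos:]


def sample_reply(query, truncated):
    """Constructed reply: same ID and question, QR|RD|RA, optional TC, no answer records."""
    txid = parse_header(query)["id"]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


if __name__ == "__main__":
    q = build_query("example.com.", QTYPE_MX, 0x1234)
    print("retry over TCP:", needs_tcp_retry(sample_reply(q, truncated=True), 0x1234))
    print("TCP frame:", frame_for_tcp(q).hex())
```

If the outbound TCP 53 filter in the steps below is missing, the retry that `needs_tcp_retry` asks for never leaves the firewall, and the symptom is exactly the one the text warns about: large answers such as MX or NS sets fail while small A lookups keep working.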

Perform the following steps to create a packet filter to support the use of TCP port 53 for DNS queries:

1. In the ISA Management console, expand your server name and then expand the Access Policy node. Right click on the IP Packet Filters node, point to New and click on Filter.

Figure 37 (fig130)


2. Type in a name for the packet filter in the Welcome to the New IP Packet Filter Wizard dialog box (figure 38). In this example we'll call it DNS (TCP). Click Next.

Figure 38 (fig131)


3. Select Allow packet transmission on the Filter Mode page (figure 39). Click Next.

Figure 39 (fig132)


    4. Select the Custom option on the Filter Type page (figure 40). Click Next .

Figure 40 (fig133)


    5. On the Filter Settings page (figure 41), configure the following settings:

IP protocol: TCP
Direction: Outbound
Local Port: All ports
Remote port: Fixed port (port number 53)

Click Next.

Figure 41 (fig134)


6. Select the Default IP addresses for each external interface of the ISA Server computer option on the Local Computer page (figure 42) and click Next.

Figure 42 (fig135)


7. Select the All remote computers option on the Remote Computers page (figure 43) and click Next.

Figure 43 (fig136)


    8. Review your settings on the Completing the New IP Packet Filter Wizard page (figure 44). Click Finish .

Figure 44 (fig137)


9. Test your ability to resolve DNS names. Open a command prompt on the ISA Server firewall/VPN server. Type nslookup at the command prompt and press ENTER. Type set type=mx and press ENTER. Type microsoft.com. (make sure to include the trailing period) and press ENTER. You should see a list of MX records for the microsoft.com domain.

Figure 45 (fig138)


Close the command prompt. The ISA Server firewall/VPN server can now resolve Internet host names using the caching-only DNS server.

Configuring the DNS Settings for VPN and Internal Network Clients
