DNS over VPN

jbartlett323 (Active Member, Spring Hill, KS)
ok, so slightly related to my previous thread here: http://www.technibble.com/forums/showthread.php?t=57153, but is a different issue....

Basically, the Tunnel is up, I can hit my New Server 2012 box on the far end of the tunnel via IP address. This setup works, and would be ok, if I went through and reconfigured their software (read remove/reinstall) on all machines to access it via IP. More trouble than it's worth and this client likes to set up new client installs themselves and would never remember/know to use the IP.

So my question is: How do I get DNS working down my tunnel?

I have set my server to be a DNS server, and have configured my clients to hit it. I have configured my Forward Lookup Zone to .(root) since this is a WORKGROUP environment. I have verified A record for Server1=192.168.1.99. It worked once. Since this is not an AD environment, and because using .(root) does not allow for the use of forwarders, I have set a public DNS as secondary... Perhaps this is my issue?

Am I barking up the wrong tree? Should I be using WINS instead of DNS since this is a workgroup? Or is my config just straight screwed? Any direction is appreciated!!!
 

Look at this.

http://technet.microsoft.com/en-us/library/cc731480.aspx
 
So the new server 2012 box is not a DC?
Or is it a DC...but your remote/satellite offices are not setup to log into AD? Why not?

Anyways...for VPN tunnels, if the DC is at the central office, just have satellite offices use that DC's IP as their primary DNS server.

Also, depending on what routers you're using to do the tunnels, sometimes they allow DNS tables to be used. (basically their own DNS service where you can add hosts).

Another option...poor man's WINS...just edit the hosts file.

How large is this network? May be time to get AD running so you can get DNS set up properly. If the satellite office is large enough, have another server there running DNS locally for that branch, make it a DC that replicates with the central office. Get faster logins for the satellite office.
 

So this is saying basically to have a WINS server that DNS forwards unknowns to? Wouldn't I want to skip the middle man and go straight to a WINS server?


Yeah, No AD. Couldn't sell em on that. And believe me I tried. This would be up and running and they would be happy campers, but they insist on workgroup as that's all their sub-$400 lappys or XPs from 19-dickytwo will run (yes, the XPs are going bye-bye, finally!)

We are talking a chiropractor's office, 4-6 clients on the home side of the tunnel, literally 1 (maybe as many as 3, but not typically) on the far end of the tunnel. And since it's the same people on either end, very rarely do you have a total number on both ends connected, it's usually one side or the other....

Routers are RV220W's on both sides, didn't see any option for DNS handling, beyond forwarding...

Editing the HOSTS file: I had thought of that, but this needs to be seamless when they go buy their next sub-$400 POS system (not point of sale...) and want to set it up themselves....
 

Look at your first couple of sentences, and your last sentence. They're being cheap...I understand that (I see it a lot). But..what they have yet to learn, is that there is a cost...in being cheap.

Can't have seamless..and cheap/free.
AD is the way to go, especially since it's a Chiro office and you want some control over the network to manage it.

So since they won't spend the money to do it right..they want you to spend lots of your time coming up with a cheap/free solution? Are you at least billing them for this? Hopefully it's more expensive than taking the AD approach?
 

Lol, yep. They are kinda Cheap. The bad thing is they know it, and I know it, and they are still one of our best customers... We don't fire you just because you're cheap around these parts as you won't find any customers that aren't. Guess that's a curse of a small town in this part of Kansas....

Yes, we pushed hard for AD. We pushed for security. We pushed for HIPAA compliance. We pushed passwords for God's sake! We got the ability to set up a new server, advise on other hardware, and set up a VPN so they can ditch GoToMyPC. I'd rather do it right, but workable is good enough for them...

As for billing, well yes. We have a contract. I have yet to exceed my hourly allotment. And this is about the same cost as setting up AD from a labor perspective, and a crap-ton cheaper than buying all new workstations all at once... Not my ideal setup, but I do what I gotta do to get paid!

And really, I could just ditch this avenue and go about reconfiguring their workstations, but that just seems an easy patch to something that can be made to work correctly with the right know-how, so it's really kinda my decision to be making this work...
 
Maddening! I get it to ping server1, yeah, it's working!! Disconnect-reconnect VPN (PPTP in this case) and it stops working. ugh...

Currently have my forward zone as .(root) as it's the only thing that has worked so far. Set up my WINS server, added a static entry, and pointed my Zone to use it, although it doesn't seem to be functioning as I want it. Using the downloaded nblookup tool however, it does resolve correctly....
 
Was gonna say, what if you just install the DNS role on that server at mothership, and have the satellite rigs use it for their pri DNS.

That's more or less exactly what I'm trying to do. The whole thing falls apart however, when DNS requires a suffix or domain name. So basically I can get everything to resolve to "Server1.", but not just straight "Server1". In a domain environment, the ".whatever" is automatically appended to network queries, and therefore has no issue. In a workgroup environment with single-name devices, this doesn't work at all because the suffix doesn't exist. Hence the use of .(root), so hopefully DNS will see there was nothing after the . and therefore ignore it. But no go.

Also, when using the .(root) zone, you can't have DNS forwarders, as it thinks itself a top-level DNS server, and the innernets don't like rogue DNS roots replicating, so using this as the only DNS server won't work with the current config. If someone can tell me a better one, I would be happy to use this as the primary/only DNS for their environment.

So that's why I set DNS to forward to WINS lookup, thinking that WINS could care less about suffixes, and therefore should resolve. But since I'm using the RV220's to serve my DHCP, (thought about moving that to the server too, but I have multiple vlans and it's just as easy for the router to handle), I can't serve WINS server info directly to workstations. But I'm not sure it's resolving correctly that way. In my mind, if this is set and I do an nslookup, if it's resolving correctly through the WINS server, I should get the proper response. I get "can't find server: non-existent domain" instead....
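An added example, not from the thread or any of its posters: a simplified Python model of stub-resolver suffix handling, showing why "Server1." matches a record in a ".(root)" zone while a plain "Server1" only resolves once clients carry a DNS suffix (for example one handed to them by DHCP option 15), which is what lets the zone move off the root and get forwarders back. The zone contents and the suffix office.example are constructed.

```python
# Added example, not from the thread: a simplified model of stub-resolver
# suffix handling. Zone contents and the suffix "office.example" are constructed.
from typing import Dict, List, Optional

# What the thread's ".(root)" zone holds: a bare, absolute single label.
ROOT_ZONE: Dict[str, str] = {"server1.": "192.168.1.99"}
# The same host in an ordinary named zone (which, unlike a root zone, can use forwarders).
NAMED_ZONE: Dict[str, str] = {"server1.office.example.": "192.168.1.99"}


def candidate_names(query: str, search_list: Optional[List[str]] = None) -> List[str]:
    """FQDNs a resolver would try for `query`, in order.

    A trailing dot marks an absolute name and disables suffix appending.
    Unqualified names get each configured suffix appended; with no suffix at
    all the bare label is sent as-is, so it can only match a root-zone record.
    (Real Windows clients may instead fall back to NetBIOS/LLMNR for that case;
    this model is deliberately simplified.)
    """
    q = query.lower()
    if q.endswith("."):
        return [q]
    suffixes = [s.lower().strip(".") for s in (search_list or []) if s.strip(".")]
    if not suffixes:
        return [q + "."]
    names = [f"{q}.{s}." for s in suffixes]
    if "." in q:               # multi-label unqualified name: also try it as given
        names.append(q + ".")
    return names


def resolve(query: str, zone: Dict[str, str],
            search_list: Optional[List[str]] = None) -> Optional[str]:
    """Return the address of the first candidate present in `zone`, else None."""
    for name in candidate_names(query, search_list):
        if name in zone:
            return zone[name]
    return None


if __name__ == "__main__":
    # Root-zone workaround: the absolute form (or a bare label) matches.
    print(resolve("Server1.", ROOT_ZONE))                      # 192.168.1.99
    # Named zone, client has no suffix: nothing matches.
    print(resolve("Server1", NAMED_ZONE))                      # None
    # Named zone, client given a suffix (e.g. via DHCP option 15): resolves.
    print(resolve("Server1", NAMED_ZONE, ["office.example"]))  # 192.168.1.99
```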
 
Ok, to begin with you might want to think about doing this the "official" way so to speak. This observation is from a much higher altitude. We can all be sure that the whole network security focus is just going to continue to grow and at a very fast rate. From a statutory point of view they are assigning responsibility to more and more parties involved in the process. So trying to cobble together old stuff is problematic for everyone involved.

Basically using WINS all by itself is just using NetBIOS. And according to many this has a number of security issues. You could force NetBIOS over TCP/IP and open up the network by making sure the subnet mask allows both subnets. Then the NetBIOS names should be able to be mapped.

But you should still make a plan to get a Domain setup and get those machines joined. It's not like the technology just came out.
 

ARGH!!! Thanks for the input, but as I said before, I tried FOR 2 YEARS to get them to go AD. I counted it a victory when they just let me upgrade their 8+ yr old Dell XPS "server" XP box yesterday to something that actually qualifies as a Server! Not to mention the convincing I had to do to make them understand why using it as a workstation as well as a server is a very bad idea... AD is unfortunately not an option. I wish it was, but it ain't. God how I wish it was. Would make life for me and them sooooo much easier, but they will have none of it. The server is capable of Domains, and I'm hoping one day to convince them, but that day ain't today...

As for NetBIOS, yes I understand WINS is just NetBIOS. Since NetBIOS is capable of resolving single-name entries, it's highly interesting to me atm.
So I just checked about the matching subnet thing, and sure enough my subnets are different, but that's no fault of mine from what I can tell, and I'm not sure it's hurting it in this case. My internal IP scheme is 192.168.1.0/24, while my VPN is 192.168.10.0/32. So basically my VPN subnet should be able to see and communicate with everything 192.168.x.x correct? The VPN IP scheme is controlled via the VPN Router, and only has the option for changing IP, not subnet, so I am forced to use whatever it wants to use.... This is for the PPTP VPN. The Tunnel is 192.168.2.0/24 on the far end, and no NetBIOS.
 