How to force VPN clients to use the DNS server from their VPN adapter, not the DNS server from their ISP?

  • Question

  • Corporate network:
    DC - 2pcs
    Member Servers - 2pcs
    Domain name: domain.local
    Win2003+RAS+DHCP+DNS
    Win2008+DNS
    Exchange, Axapta, File Server, etc

    A local ISP set up a new DNS server recently. (This ISP is the biggest GSM operator in the country.)
    As I see it, one of the new features of this DNS server is that if it is not able to resolve a name, it returns the IP address of the ISP's advertising site as the result.

    This new feature causes trouble for VPN clients when they use this ISP: they are not able to correctly resolve internal names like
    exchange.domain.local, fileserver.domain.local, and others.

    What do we have to do to solve this?
    When VPN clients establish a VPN connection, how can we force them to use the DNS server specified in their VPN adapter?

    Additional info for the client computers (laptops with XP, Vista):
    1. Currently, on the client computers and their VPN connections, "Use the default gateway on the remote network" is unchecked (the reason is to optimize the traffic).
    2. "Adapters and bindings": all the settings are at their defaults.

    Wednesday, December 30, 2009 4:34 PM

Answers

  • Hello,

    Thank you for your post here.

    I believe the issue results from the binding order of the NICs. The NdisWanIp may have a lower priority than the LAN NIC, which makes the system send the DNS name resolution to the DNS server addresses that are defined in the LAN NIC first. To isolate the issue from the NIC binding, I'd like to suggest you check how it works if you change the binding order:

    1. On the problematic client, click Start, click Run, type regedit32 in the Open box, and then click OK.
    2. Click the following registry subkey:
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage
    3. In the right pane, double-click Bind.
    4. In the Value data box, select the "\Device\NdisWanIp" item, press CTRL+X, click the top of the list of devices, and then press CTRL+V.
    5. Click OK, and then quit Registry Editor.
    6. Restart the client and check how it works then.

    Cannot Change the Binding Order for Remote Access Connections
    http://support.microsoft.com/kb/311218

    If you have any questions or concerns, please do not hesitate to let us know.

    • Marked as answer by Miles Li Wednesday, January 13, 2010 8:24 AM
    Thursday, December 31, 2009 3:33 AM

All replies

  • This really worked, good finding.

    Now I am thinking how I can make this easy for the other users so that they can do it without much effort.

    Maybe a script or some other method can help.

    Friday, March 25, 2011 3:01 PM
  • You could use a batch file (like a GPO startup script) that first checks if \Device\NdisWanIp is at the beginning of the registry key value; if not, it reads the current values, adds \Device\NdisWanIp\0 at the beginning (the backslash and zero indicate the end of a line, since this is a multi-string registry key value), and writes the new long string back. You could use reg.exe like this:

    %systemroot%\system32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage /f /v Bind /t REG_MULTI_SZ /d \Device\NdisWanIp\0...

    /f = force (overwrite)
    /v = value name (Bind)
    /t = multi-string
    /d = data, every string ends with backslash-zero (\0)

    Or use PowerShell's very elegant methods for registry access and string manipulation, but this I leave to more experienced shellers. If you want to use PowerShell, you enter the topics of ExecutionPolicy and eventually signing your script, which requires a code signing certificate (if you have an internal CA, this does not cost any extra money).

    /Maurice

    Friday, March 25, 2011 3:44 PM
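As an added example (not Maurice's batch file and not anything posted in this thread), here is the PowerShell variant of the same fix: it reads the Bind multi-string under Tcpip\Linkage, checks whether \Device\NdisWanIp is already first, and only if it is not rewrites the value with that entry moved to the top, keeping the old order in a backup file. Because the registry provider returns REG_MULTI_SZ as a string array, the \0 separators of the reg.exe one-liner are not needed, and the script never has to know the full list of other bindings in advance. Assumed: an elevated PowerShell 2.0 or later session on the client (a GPO startup script runs as SYSTEM, which is sufficient), and the backup file path under %TEMP% is my own choice.

```powershell
# Added example, not code from the thread: put \Device\NdisWanIp first in the
# TCP/IP binding order (the change the accepted answer makes by hand in regedit).
# Assumes an elevated PowerShell 2.0+ session on the client; the backup file
# path under %TEMP% is an arbitrary choice. Run with -WhatIf to preview the change.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Device = '\Device\NdisWanIp'   # RAS/VPN WAN miniport, as named in the thread
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage'

# Bind is REG_MULTI_SZ; PowerShell returns it as a string[], so no "\0" bookkeeping
# is needed here, unlike with the reg.exe one-liner.
$bind = [string[]](Get-ItemProperty -Path $key -Name Bind -ErrorAction Stop).Bind
if (-not $bind) { throw "No Bind value found under $key" }

if ($bind[0] -eq $Device) {
    Write-Host "$Device is already first in the binding order; nothing to do."
    return
}
if ($bind -notcontains $Device) {
    # Refuse to add an entry that is not bound at all; that would be a different problem.
    throw "$Device is not bound to TCP/IP on this machine; check the RAS/VPN installation."
}

# New order: the VPN device first, every other entry in its original relative order.
[string[]]$newBind = @($Device) + @($bind | Where-Object { $_ -ne $Device })

if ($PSCmdlet.ShouldProcess("$key\Bind", "Move $Device to the top of the binding order")) {
    # Keep the old order so the change can be undone if it causes trouble.
    $backup = Join-Path $env:TEMP 'Tcpip-Linkage-Bind.backup.txt'
    $bind | Set-Content -Path $backup
    Set-ItemProperty -Path $key -Name Bind -Value $newBind -Type MultiString
    Write-Host "Binding order updated (old order saved to $backup). Reboot for it to take effect."
}
```

The script is idempotent: on a machine that is already fixed it exits at the first check without touching the registry, so deploying it as a startup script that runs at every boot is safe. Try it once with `-WhatIf` on a test client before rolling it out, and remember Maurice's point that the client's ExecutionPolicy (or a signature from the internal CA) has to allow the script to run.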