DNS Resolution for clients

  • Question

  • Can someone please help me understand how it works when DA clients request access to internal resources?

    I ran Wireshark and don't see any DNS request or response. Do I need to enable any IPv6 config in Wireshark?

    Monday, February 11, 2013 3:43 PM

All replies

  • I mean, if I want to run Wireshark from the DA client to see the exact location of the connection drop, how can we debug whether it is the DA server, DNS or the internal server?

    Thanks for help

    Monday, February 11, 2013 4:46 PM
  • Hi

    With Windows Server 2012 and UAG, DNS name resolution for internal names is managed by the DNS64 component. It's a component acting as a proxy for DirectAccess clients. When DirectAccess clients are connected to the Internet, the Name Resolution Policy Table is enabled (NETSH.EXE NAMESPACE SHOW EF should return the content of the NRPT). When a DirectAccess client asks for internal name resolution, it's not the local DNS configuration (Internet provider) that handles the request but the NRPT. For each entry in the NRPT you have an IPv6 address. This is the address used by the DNS64 component (unless your DirectAccess infrastructure relies only on Windows Server 2008 R2).

    Technically speaking, you can use this address as a DNS server in an NSLOOKUP query to check if internal name resolution is operational or not. Watch out, PING is not your best friend for troubleshooting because it does not handle NRPT. Tracing DNS requests with Wireshark or Network Monitor is not a good idea because this traffic goes through the IPSEC tunnel.

    Do you need additional information?


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Monday, February 11, 2013 8:33 PM
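As an added example (not from this thread, and not Microsoft's own tooling), the following PowerShell script does on a DirectAccess client what the reply above describes with NETSH and NSLOOKUP: it lists the DirectAccess NRPT rules, picks the rule whose suffix covers an internal name, and queries that rule's DNS64 IPv6 address directly. It assumes the DnsClient module cmdlets (Windows 8 / Server 2012 and later); the internal host name is a constructed placeholder.

```powershell
# Added example, not part of the original thread. Walks the NRPT on a DirectAccess
# client and queries the DNS64 address of the matching rule for an internal name.
# Assumes Get-DnsClientNrptPolicy / Resolve-DnsName (DnsClient module) are available.
param(
    [string]$InternalName = 'intranet.corp.example'   # placeholder: replace with a real internal host
)

# NRPT rules that DirectAccess installed; each carries the DNS64 IPv6 address(es)
$rules = Get-DnsClientNrptPolicy | Where-Object { $_.DirectAccessEnabled -and $_.Namespace }

if (-not $rules) {
    Write-Warning 'No DirectAccess NRPT rules are active (client may be on the intranet, or DA policy is not applied).'
    return
}

foreach ($rule in $rules) {
    Write-Host "NRPT rule $($rule.Namespace) -> DNS64 server(s): $($rule.DirectAccessDnsServers -join ', ')"
}

# Pick the most specific rule whose suffix covers the name under test.
# NRPT namespaces usually carry a leading dot (".corp.example"), which is stripped here.
$match = $rules |
    Where-Object { $InternalName.ToLower().EndsWith($_.Namespace.TrimStart('.').ToLower()) } |
    Sort-Object { $_.Namespace.Length } -Descending |
    Select-Object -First 1

if (-not $match) {
    Write-Warning "$InternalName matches no NRPT rule; it would go to the ISP resolver, not to DNS64."
    return
}

# Query the DNS64 address directly, bypassing the local resolver cache and NRPT lookup.
# An answer here but none through normal resolution points at the NRPT or the IPsec
# tunnel rather than at the internal DNS servers.
foreach ($server in $match.DirectAccessDnsServers) {
    try {
        $answer = Resolve-DnsName -Name $InternalName -Server $server -Type AAAA -DnsOnly -ErrorAction Stop
        foreach ($rec in $answer) {
            Write-Host "[$server] $($rec.Name) -> $($rec.IPAddress) (TTL $($rec.TTL))"
        }
    }
    catch {
        Write-Warning "[$server] query for $InternalName failed: $($_.Exception.Message)"
    }
}
```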
  • Thanks Benoit, I got that, but in order to troubleshoot a client connectivity issue what is the best solution to track each packet?

    Tuesday, February 12, 2013 4:58 AM
  • Not possible to see what goes through the IPSEC tunnel. You can intercept network traffic from the internal network card of your Windows Server 2012 / UAG box.

    From the client-side point of view, the most important thing is IPSEC tunnel establishment.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, February 12, 2013 6:20 AM
  • Right Benoit, with that being said.

    I wish to know, if we want to check whether particular traffic is coming in and going out of the DA server, how can we check that?

    Do we need to run Wireshark from the DA server?

    Tuesday, February 12, 2013 6:37 AM
  • Yes, but watch out. If your clients are accessing internal IPv6 resources, it will be easy to track which client accesses which resource. If not, the IPv6 addresses used by clients will be generated by NAT64. In this case you won't see IPv6 traffic on your LAN but IPv4.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, February 12, 2013 7:02 AM