
Network Connect and DNS problems

G3rman_
Occasional Contributor

Some of our users are experiencing problems where their ISP will hijack DNS requests for non-qualified hostnames. An example is typing "intranet" instead of "intranet.polycom.com". The DNS setting is set to query the SSL VPN first but it seems to be ignored and the ISP resolves "intranet" to some external IP.

firewall72_
Frequent Contributor

Re: Network Connect and DNS problems

Hi,

I would check your Network Connect profile to ensure you have the proper domains listed. Go to Users, Resource Policies, Network Connect, NC Connection Profile, and edit your profile. Check the DNS Domains field. Note that you can add multiple domains using a comma.

-John

kenlars_
Super Contributor

Re: Network Connect and DNS problems

I've seen the same problem, and I think I have figured out why it is happening (but not a good workaround).

For the problem to occur -

  1. The user must be attempting to resolve a non-qualified name
  2. The IP stack must have more than one DNS suffix specified, and the non-qualified name must not resolve with the first suffix.
  3. Split tunneling must be configured, typically to the local subnet
  4. The PC, once NC is started, must have a path to the native DNS server. Typically, this occurs because the router on the local subnet is acting as a DNS proxy.
  5. The ISP's DNS must resolve DNS names it does not recognize. This occurs because the ISP wants to route a user typing in http://www.googel.com to its own search engine or portal.

What occurs is that the PC attempts to resolve the name with the first suffix to the internal DNS servers, and then attempts to resolve it against the external DNS servers. Since the external DNS server returns a response, resolution completes without ever attempting the second (and subsequent) DNS suffixes.

Potential solutions -

  1. Reorder the DNS suffixes in the IP stack (will not work if all are needed to resolve non-qualified names)
  2. Eliminate split tunneling
  3. Find a way to change the DNS server used by the PC when on the internet

Ken
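
The suffix-search interaction Ken describes above, as a small added Python model (not code from this thread or from the Network Connect product). The zone entries, addresses and suffix names are constructed; the internal server is queried before the ISP's, as in the original question, and the ISP server answers every unknown name with a portal address.

```python
import secrets

HIJACK_IP = "198.51.100.1"  # constructed: the ISP's search-portal address


class Resolver:
    """Minimal stub resolver: answers from a zone table, or rewrites NXDOMAIN."""

    def __init__(self, zone, hijack=False, reachable=True):
        self.zone, self.hijack, self.reachable = zone, hijack, reachable

    def query(self, fqdn):
        if not self.reachable:
            return None  # no path to this server (split tunneling removed): timeout
        if fqdn in self.zone:
            return self.zone[fqdn]
        return HIJACK_IP if self.hijack else None  # None models an honest NXDOMAIN


def resolve_unqualified(name, suffixes, resolvers):
    """Model the stack's suffix search as the thread describes it: each suffix is
    tried in order against every server, and the first positive answer ends the
    search, so later suffixes are never consulted."""
    for suffix in suffixes:
        fqdn = f"{name}.{suffix}"
        for r in resolvers:
            ip = r.query(fqdn)
            if ip is not None:
                return fqdn, ip
    return None


def hijacks_nxdomain(resolver):
    """Detection check: a random label cannot exist, so any address returned
    means the server is rewriting NXDOMAIN responses."""
    probe = f"nx-{secrets.token_hex(6)}.example.com"  # constructed probe name
    return resolver.query(probe) is not None


def demo(split_tunnel=True):
    """split_tunnel=True means the ISP server stays reachable after NC starts."""
    internal = Resolver({"intranet.polycom.com": "10.0.0.5"})  # constructed zone
    isp = Resolver({}, hijack=True, reachable=split_tunnel)
    suffixes = ["corp.example.com", "polycom.com"]  # first suffix does not resolve
    return resolve_unqualified("intranet", suffixes, [internal, isp])


if __name__ == "__main__":
    print("split tunneling on :", demo(True))   # portal address wins
    print("split tunneling off:", demo(False))  # second suffix is finally tried
```

With split tunneling on, the first suffix already produces a (hijacked) answer and the correct second suffix is never tried; removing the path to the ISP server (Ken's option 2) lets the search continue.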

stine_
Super Contributor

Re: Network Connect and DNS problems

Of course the best solution would be that ISPs be required to deliver NXDomain replies if that is what should be delivered, since as we all know, not everything running on the internet is a web browser with a poor typist at the helm.

Let's all thank the two guys at comcast and their german friend for this ****.

I would start with your customers' ISP: contact them and ask for the IP of a DNS that doesn't hijack NXDOMAIN responses. I seem to remember reading somewhere (maybe on theregister.co.uk) that some major ISP left one DNS 'pure' for just this reason, IIRC.

drf_
Contributor

Re: Network Connect and DNS problems

We have seen this problem a lot with OpenDNS. Luckily you can turn off the DNS hijacking in OpenDNS by disabling Typo correction.

I just worked with a user where his ISP was using OpenDNS for their DNS servers.

I believe you can opt-out of Comcast's "Domain Helper" service.

http://blog.comcast.com/2009/08/domain-helper-national-rollout-begins.html

stine_
Super Contributor

Re: Network Connect and DNS problems

Here is the comcast link that lists, by city, their 'RFC compliant' (HA!) dns servers that do not hijack NXDOMAIN records:

http://dns.comcast.net/dns-ip-addresses2.php