directAccess: understand DNS

Question
-
Hello,
I am trying to understand better how DirectAccess works, so I am trying some experiments ;)
I have a DirectAccess client computer (Windows 7) connected through IP-HTTPS. I connected to my local computer session, so the IPSec tunnel is partially mounted, with only the infrastructure tunnel thanks to my computer certificate. As a consequence, I am able to use DNS resolution for my intranet, even if I am not connected with my domain account.
My first question is: How does the checkbox "Enable Enterprise DNS resolution" on the DirectAccess Connectivity Assistant allow the DNS queries to be encapsulated in the IPSec tunnel? Is it linked to a registry key?
How could I redirect, for example, the nslookup flow so that the DNS queries go automatically through the IPSec tunnel?
I am not sure I am being clear enough, please tell me if not.
Thank you for any clue!
Wednesday, July 2, 2014 10:12 AM
All replies
-
DNS resolution has to do with your NRPT table: http://technet.microsoft.com/en-us/magazine/ff394369.aspx
This is where you tell DA whether or not to use your internal DNS servers.
nslookup will always use your NIC configured DNS servers by default unless you tell it to do otherwise (and you will need to query IPv6 addresses):
nslookup -q=aaaa IntranetFQDN IntranetDNSServerIPv6Address command to resolve the names of intranet servers (example: nslookup -q=aaaa dc1.corp.contoso.com 2002:836b:2:1::5efe:10.0.0.1)
- Marked as answer by Jean Marnier Wednesday, July 9, 2014 2:18 PM
Thursday, July 3, 2014 10:44 AM -
Is the IntranetDNSServerIPv6Address the one in the NRPT table?
I tried this but the query times out....
Thursday, July 3, 2014 12:43 PM -
Is the IntranetDNSServerIPv6Address the one in the NRPT table?
No, you need to use the IPv6 address of your DNS server.
The IPv6 address you used (the one that appears in the NRPT table) is that of the DA server which acts as a proxy for DNS resolution.
- Edited by Thomas Vitoz Thursday, July 3, 2014 12:52 PM
Thursday, July 3, 2014 12:51 PM -
hum
How could I know this address?
It seems that my Windows workstation doesn't know it because it is talking only to the DA server (which itself proxies the DNS request). Can't I act like it and talk to the DA server so that it proxifies my query?
Thursday, July 3, 2014 1:50 PM -
From your DA client, ping your DNS server; it should reply with its IPv6 address.
Thursday, July 3, 2014 1:58 PM -
I mean, how could I know it without knowing its name (I know there is a DNS somewhere, but no idea who it is)? I am not the sysadmin and don't know the network topology. However, my laptop is able to do DNS requests, so maybe it knows...
Thursday, July 3, 2014 4:41 PM -
Hi There - to find the DNS Server address do the following - whilst not connected to the LAN, open a command prompt and type the following - NETSH NAMESPACE SHOW EFFECTIVEPOLICY - this will reveal the DNS Server IPv6 Address. From there you can use the nslookup command proposed by Thomas.
john davies
- Proposed as answer by Icon8000 Wednesday, July 9, 2014 2:17 PM
- Marked as answer by Jean Marnier Wednesday, July 9, 2014 2:18 PM
Wednesday, July 9, 2014 2:17 PM
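
The procedure from the replies above, as an added PowerShell example that is not part of the original thread: it reads the effective NRPT, picks the rule that covers a name, and sends the AAAA query with nslookup to the DNS server listed for that rule, since nslookup does not consult the NRPT on its own. The function names and the sample netsh output layout are assumptions constructed for illustration; the names and address are the example ones used in the thread.

```powershell
# Added example, not code from the thread; runs on PowerShell 2.0 (Windows 7).
# Constructed sample of "netsh namespace show effectivepolicy" output (layout assumed).
$sample = @'
Settings for .corp.contoso.com
----------------------------------------------------------------------
DNSSEC (Validation)                     : disabled
IPsec settings                          : disabled
DirectAccess (DNS Servers)              : 2002:836b:2:1::5efe:10.0.0.1
DirectAccess (Proxy Settings)           : Bypass proxy

Settings for nls.corp.contoso.com
----------------------------------------------------------------------
DirectAccess (DNS Servers)              :
DirectAccess (Proxy Settings)           : Use default browser settings
'@ -split '\r?\n'

# Hypothetical helper: turn the netsh text into one object per NRPT rule.
function Get-EffectiveNrpt {
    param([string[]]$Lines)
    $rules = @(); $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Settings for\s+(\S+)\s*$') {
            if ($current) { $rules += $current }
            $current = New-Object PSObject -Property @{ Namespace = $Matches[1]; DnsServers = @() }
        } elseif ($current -and $line -match '^\s*DirectAccess \(DNS Servers\)\s*:\s*(.*)$') {
            $current.DnsServers = @($Matches[1] -split '[,;\s]+' | Where-Object { $_ })
        }
    }
    if ($current) { $rules += $current }
    $rules
}

# Hypothetical helper: find the rule covering $Fqdn and query its DNS server directly.
function Resolve-ViaNrpt {
    param([string]$Fqdn, [string[]]$Lines)
    $rule = Get-EffectiveNrpt $Lines | Where-Object {
        if ($_.Namespace.StartsWith('.')) {          # leading dot: DNS suffix rule
            $Fqdn.EndsWith($_.Namespace, [System.StringComparison]::OrdinalIgnoreCase)
        } else { $Fqdn -ieq $_.Namespace }           # no leading dot: exact FQDN rule
    } | Sort-Object { $_.Namespace.Length } -Descending | Select-Object -First 1
    if (-not $rule) { return "$Fqdn matches no NRPT rule: resolved by the NIC's DNS servers" }
    if ($rule.DnsServers.Count -eq 0) { return "$Fqdn is exempted: resolved by the NIC's DNS servers" }
    foreach ($server in $rule.DnsServers) { nslookup -q=aaaa $Fqdn $server }
}

Get-EffectiveNrpt $sample | Format-Table Namespace, DnsServers -AutoSize
# On a DirectAccess client, pass the live policy instead of the sample:
# Resolve-ViaNrpt 'dc1.corp.contoso.com' (netsh namespace show effectivepolicy)
```

A rule with an empty "DirectAccess (DNS Servers)" field is treated here as an exemption, so the name is reported as resolved outside the tunnel rather than queried.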