
We have three Windows Domain Controllers (2012 R2 and 2008 R2 mix), all DNS servers. Split-zone DNS scenario.

DNS resolution is working for all internal subnets except over User VPN. All network connectivity appears to be uninhibited.

Users connected to Cisco AnyConnect IOS SSL VPN are unable to resolve internet-facing DNS queries. Queries to AD Integrated Zones return correct answers.

NSLOOKUP output from working host within network boundary:

> set type=a
> 4.2.2.6
Server:  dc1.domain.com
Address:  192.168.0.1

------------
SendRequest(), len 38
    HEADER:
        opcode = QUERY, id = 7, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        6.2.2.4.in-addr.arpa, type = PTR, class = IN

------------
------------
Got answer (98 bytes):
    HEADER:
        opcode = QUERY, id = 7, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 2,  authority records = 0,  additional = 0

    QUESTIONS:
        6.2.2.4.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  6.2.2.4.in-addr.arpa
        type = PTR, class = IN, dlen = 24
        name = f.resolvers.level3.net
        ttl = 74506 (20 hours 41 mins 46 secs)
    ->  6.2.2.4.in-addr.arpa
        type = PTR, class = IN, dlen = 12
        name = resolver8.level3.net
        ttl = 74506 (20 hours 41 mins 46 secs)

------------
Name:    f.resolvers.level3.net
Address:  4.2.2.6

NSLOOKUP output from VPN-connected host:

> set type=a
> 4.2.2.6
Server:  [192.168.0.1]
Address:  192.168.0.1

------------
SendRequest(), len 38
    HEADER:
        opcode = QUERY, id = 7, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        6.2.2.4.in-addr.arpa, type = PTR, class = IN

------------
------------
Got answer (38 bytes):
    HEADER:
        opcode = QUERY, id = 7, rcode = NXDOMAIN
        header flags:  response, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        6.2.2.4.in-addr.arpa, type = PTR, class = IN

------------
*** [192.168.0.1] can't find 4.2.2.6: Non-existent domain

Notes:

  • Windows Firewall on the DCs is disabled
  • All other protocols between the VPN and the server VLAN are functional
  • From the SSL VPN, NSLOOKUP resolves any record within the AD Integrated Zones without issue
  • All internal network segments have a Reverse Lookup Zone
  • The Cisco AnyConnect adapter has the same DNS suffix as domain.com

Any assistance with this will be very much appreciated.

ikeleher
`NXDOMAIN` means a DNS server was reached for an authoritative response, and the record was not present. This is not an error; you need to figure out why your answer is coming from a different authoritative DNS server. `set debug` will let you see the authority section of the DNS replies, which may give you hints about which DNS servers the answers are coming from. (based on the returned SOA record) – Andrew B Jun 04 '15 at 21:04
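The comment above points at the header and authority details in nslookup's debug output as the place to look. As an added example (not code from the question or from the commenter), the Python script below parses the two `Got answer` blocks posted in the question, diffs their headers, and prints the observations a defender would draw from them: the VPN reply lacks the `recursion avail.` flag and carries no SOA in its authority section, which fits the comment's point that the reply is not coming from the expected recursive DC. The two sample transcripts are copied from the question; the function and class names are assumptions of this example.

```python
"""Parse nslookup `set d2` responses and diff two captures of the same query.
Added example; not part of the original question. Sample input below is the
'Got answer' half of each transcript posted in the question."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed test input: response seen from a host inside the network.
INTERNAL_RESPONSE = """\
Got answer (98 bytes):
    HEADER:
        opcode = QUERY, id = 7, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 2,  authority records = 0,  additional = 0

    QUESTIONS:
        6.2.2.4.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  6.2.2.4.in-addr.arpa
        type = PTR, class = IN, dlen = 24
        name = f.resolvers.level3.net
        ttl = 74506 (20 hours 41 mins 46 secs)
    ->  6.2.2.4.in-addr.arpa
        type = PTR, class = IN, dlen = 12
        name = resolver8.level3.net
        ttl = 74506 (20 hours 41 mins 46 secs)
"""

# Constructed test input: response seen from the VPN-connected host.
VPN_RESPONSE = """\
Got answer (38 bytes):
    HEADER:
        opcode = QUERY, id = 7, rcode = NXDOMAIN
        header flags:  response, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        6.2.2.4.in-addr.arpa, type = PTR, class = IN
"""

SECTION_RE = re.compile(r"^[A-Z ]+:$")  # HEADER:, QUESTIONS:, ANSWERS:, AUTHORITY RECORDS:
COUNT_RE = re.compile(r"(questions|answers|authority records|additional) = (\d+)")


@dataclass
class DnsResponse:
    rcode: str = ""
    flags: Set[str] = field(default_factory=set)
    counts: Dict[str, int] = field(default_factory=dict)
    records: Dict[str, List[str]] = field(default_factory=dict)


def parse_response(text: str) -> DnsResponse:
    """Extract rcode, header flags, section counts and record names."""
    r = DnsResponse()
    m = re.search(r"rcode = (\w+)", text)
    r.rcode = m.group(1) if m else ""
    m = re.search(r"header flags:\s*(.*)", text)
    if m:
        r.flags = {f.strip() for f in m.group(1).split(",") if f.strip()}
    r.counts = {k: int(v) for k, v in COUNT_RE.findall(text)}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if SECTION_RE.match(stripped):
            section = stripped[:-1]
            continue
        # "name = ..." for PTR/CNAME data; "primary name server = ..." is how
        # nslookup prints the SOA that a negative answer carries in AUTHORITY
        m = re.match(r"(?:name|primary name server) = (\S+)", stripped)
        if m and section:
            r.records.setdefault(section, []).append(m.group(1))
    return r


def diff_responses(a: DnsResponse, b: DnsResponse) -> List[str]:
    """Header-level differences between two captures of the same query."""
    diffs: List[str] = []
    if a.rcode != b.rcode:
        diffs.append(f"rcode: {a.rcode} vs {b.rcode}")
    for flag in sorted(a.flags ^ b.flags):
        diffs.append(f"flag '{flag}' only in {'first' if flag in a.flags else 'second'}")
    for key in sorted(set(a.counts) | set(b.counts)):
        if a.counts.get(key) != b.counts.get(key):
            diffs.append(f"{key}: {a.counts.get(key)} vs {b.counts.get(key)}")
    return diffs


def hints(r: DnsResponse) -> List[str]:
    """Observations a defender draws from one response header."""
    out: List[str] = []
    if "want recursion" in r.flags and "recursion avail." not in r.flags:
        out.append("RA flag clear: responder is not offering recursion, so it "
                   "may not be the recursion-enabled DC you expected")
    if r.rcode == "NXDOMAIN" and r.counts.get("authority records", 0) == 0:
        out.append("NXDOMAIN with no SOA in AUTHORITY: a standard negative "
                   "answer (RFC 2308) carries one; check which device replied")
    for soa in r.records.get("AUTHORITY RECORDS", []):
        out.append(f"authority SOA names {soa} as the zone's primary server")
    return out


if __name__ == "__main__":
    inside, vpn = parse_response(INTERNAL_RESPONSE), parse_response(VPN_RESPONSE)
    for line in diff_responses(inside, vpn):
        print("diff:", line)
    for line in hints(vpn):
        print("vpn hint:", line)
```

Run it against your own `set d2` captures by pasting the two `Got answer` blocks into the constants; when a negative answer does include an SOA, the `AUTHORITY RECORDS` name it reports is the server the comment says to chase.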

0 Answers