Windows RRAS Not Supplying DNS Suffix/Search Domain to Mac/Linux Clients


Issue

I have deployed RRAS (PPTP - EAP and IKEv2 - PEAP) on my domain and everything is running fine except for the fact that the DNS Suffix is not being supplied to Mac or Linux clients. This means that they have to use the FQDN for everything on the network (e.g. ping server1.ad.domain.com works, ping server1 doesn't).

All Windows clients (whether joined to the domain or not) receive the suffix fine and can therefore contact other machines using their single label (i.e. without using the FQDN).

All clients (regardless of OS) communicate fine when running locally in the office.

Note: Everything is configured to be on the same subnet.

Potential Cause

After investigating this issue over the last few weeks, I believe this may be down to the Mac/Linux clients not receiving the DHCP Options (in particular Option 15, which I've set up as a Server Option on the DHCP server with its value set to my internal domain).

I was under the impression that the VPN clients get the DNS Server details from the RRAS server itself (which they are doing) and anything else I wanted to set would have to be configured on the DHCP server (e.g. the suffix via Option 15).

To supply these options from the DHCP server to the VPN clients, I believe I need to have the RRAS server set up as a DHCP Relay Agent, which I've configured with the following:

  • Server Address (Routing and Remote Access > DHCP Relay Agent > Properties): 192.168.1.2 (the IP address of my DHCP server)
  • Interfaces: Internal (was automatically added) and Ethernet (my LAN NIC) - I'm really not sure if this is correct - do I need both?

With this set up, the Mac and Linux clients still don't receive the DNS suffix (I'm guessing they're still not receiving DHCP Option 15).


RRAS Server Configuration

The configuration details of the RRAS server that I think could be of interest are as follows:

  • OS: Windows Server 2016 (Hyper-V Client)
  • Domain: Joined to the domain
  • NIC: Single NIC (behind NAT)
    • Static IP: 192.168.1.7
    • DNS Servers (manually set): 192.168.1.2, 192.168.1.1
    • Suffix: Gets its primary suffix from a Group Policy
  • IPv4 Address Assignment: Static Pool (53 addresses, excluded from assignment on the DHCP server)
  • Broadcast Name Resolution - [ticked]

Mac (High Sierra) - scutil --dns Output

When a Mac client is connected to the VPN and I run the scutil --dns command, I get the following output.

DNS configuration

resolver #1
  nameserver[0] : 192.168.1.2
  nameserver[1] : 192.168.1.1
  if_index : 9 (ipsec0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #4
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #5
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #6
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #7
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : Home
  nameserver[0] : 192.168.9.1
  if_index : 5 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  nameserver[0] : 192.168.1.2
  nameserver[1] : 192.168.1.1
  if_index : 9 (ipsec0)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)

As you can see in the DNS Configuration (for scoped queries) section, there isn't a search domain listed for the VPN connection (resolver #2) (i.e. it does not have the suffix set on the connection).

If I manually set the suffix as a Search Domain on the VPN connection on the Mac, everything works fine.

Linux (Ubuntu 18.04) - systemd-resolve --status Output

When an Ubuntu client is connected to the VPN and I run the systemd-resolve --status command, I get the following output.

Global
          DNS Domain: Home
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 3 (ppp0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.1.2
                      192.168.1.1

Link 2 (wlp2s0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.9.1
          DNS Domain: Home

As you can see, the Link for the VPN connection does not list a DNS Domain (i.e. it does not have the suffix set on the connection).

Other Things I've Tried

I've tried various things to get this working correctly; these are the ones I can remember:

  • Added DHCP Option 119 to the DHCP Server Options and then tried it as a Scope Option instead (configured using this guide and then a different method using this) - no difference

    Note: I think option 119 is only needed if you want additional suffixes outside of what is set in option 15 anyway

  • Added an additional virtual NIC to the RRAS server and configured it for DHCP (instead of a static IP) then used this as the "broadcast name resolution" NIC - no difference
  • Changed the RRAS server's IPv4 Address Assignment to DHCP instead of a static pool - no difference
  • Manually set the connection suffix on the NIC of the RRAS server - no difference

I've since undone all of the above.


I'm sure this is purely me missing something with the configuration, so hopefully somebody can point out where I'm going wrong.

If you need any more outputs, information, etc., then I can provide them (I have full access to the servers).

Cheers,
Jess

vpn
dns
dhcp
remote-access
windows-networking
asked on Super User May 14, 2018 by Jess Rascal
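Added here as a diagnostic aid, not part of Jess's post: a small Python check that parses the scoped-queries section of `scutil --dns` output and reports whether the resolver bound to the VPN interface (ipsec0 in the post) lists the expected search domain. The sample output is constructed from the excerpt above, and the suffix `ad.domain.com` is taken from the post's ping example; both are assumptions for illustration.

```python
import re

# Constructed sample, modelled on the scoped-queries section quoted in the post.
SAMPLE_SCUTIL = """\
DNS configuration (for scoped queries)

resolver #1
  search domain[0] : Home
  nameserver[0] : 192.168.9.1
  if_index : 5 (en0)
  flags    : Scoped, Request A records

resolver #2
  nameserver[0] : 192.168.1.2
  nameserver[1] : 192.168.1.1
  if_index : 9 (ipsec0)
  flags    : Scoped, Request A records
"""

def parse_scoped_resolvers(text):
    """Map interface name -> {"nameservers": [...], "search": [...]} using only
    the scoped-queries section, which is where a resolver is tied to a link."""
    _, _, section = text.partition("DNS configuration (for scoped queries)")
    resolvers, current = {}, None
    for raw in (section or text).splitlines():
        line = raw.strip()
        if line.startswith("resolver #"):
            current = {"nameservers": [], "search": []}
            continue
        if current is None:
            continue
        m = re.match(r"(search domain|nameserver)\[\d+\]\s*:\s*(\S+)", line)
        if m:
            key = "search" if m.group(1) == "search domain" else "nameservers"
            current[key].append(m.group(2))
            continue
        m = re.match(r"if_index\s*:\s*\d+\s*\((\w+)\)", line)
        if m:
            resolvers[m.group(1)] = current  # later lines still append here
    return resolvers

def missing_search_domain(text, interface, expected_suffix):
    """True when the resolver bound to `interface` is absent or does not list
    `expected_suffix` (case-insensitive, trailing dot ignored) as a search domain."""
    res = parse_scoped_resolvers(text).get(interface)
    if res is None:
        return True
    want = expected_suffix.lower().rstrip(".")
    return want not in [d.lower().rstrip(".") for d in res["search"]]
```

For the sample above, `missing_search_domain(SAMPLE_SCUTIL, "ipsec0", "ad.domain.com")` returns True, which is exactly the symptom the post describes; after the suffix is added as a Search Domain on the Mac's VPN connection it returns False.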

0 Answers

Nobody has answered this question yet.
