
No DNS option in the vpdngroup config

cory-gray
Level 1

Dear pros,

I have a quick question. If a remote user VPNs in from a remote network and the vpdngroup that he authenticates to does not have the dns-server option configured, will the VPN user use his locally learned DNS address for name resolution? The reason I am asking is that VPN users are currently configured on the PIX to grab the DNS addresses of the remote network they are accessing. Users are saying that when they are VPN'd in, the internet connection is slow. The DNS server addresses they are downloading when they log in are in the range of the encrypted network addresses, meaning they are making encrypted name requests to the remote network over the tunnel. I am thinking of taking out the DNS server configuration altogether. My thing is, I don't want to do this and then have the VPN users get no internet at all when they are logged in. What should I do? What I need to do is have all internet traffic go straight to the internet. And yes, I have split-tunneling enabled.

1 Reply

gfullage
Cisco Employee

As long as you have split tunneling enabled, then if you don't send down a DNS entry as part of the VPN negotiation, the PC will continue to use the DNS entries it received upon bootup, which are normally the ISP's DNS servers. With split tunneling enabled, you will be able to do DNS queries "in the clear" to the ISP DNS server.

Keep in mind that if the slow response they're reporting is for everything (i.e., web pages are slow to download), it may not be a DNS issue. DNS issues normally look like very slow response initially (while the PC is waiting for the DNS reply), but then once a page starts to load it loads quite quickly, and that same page continues to load quickly because the DNS entry is then cached.
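One way to check the distinction drawn in the reply above from a VPN client, as an added example that is not part of the original thread: time several name lookups separately from a TCP connect made to the already-resolved address, then label the pattern. The function names, the thresholds and the use of TCP connect time as a stand-in for page-load speed are assumptions of this sketch.

```python
import socket
import time

# Assumed thresholds (seconds); tune for the link being tested.
SLOW_LOOKUP_S = 0.5
SLOW_CONNECT_S = 1.0

def tcp_connect(addr, port):
    """Open and close a TCP connection to an IP address (no DNS involved)."""
    socket.create_connection((addr, port), timeout=10).close()

def probe(host, port=80, resolve=socket.getaddrinfo, connect=tcp_connect,
          repeats=3):
    """Time `repeats` lookups of host, then one connect to the resolved IP.

    resolve and connect are injectable so the logic can be exercised offline.
    Returns (list of lookup times, connect time).
    """
    lookups = []
    for _ in range(repeats):
        start = time.perf_counter()
        infos = resolve(host, port)
        lookups.append(time.perf_counter() - start)
    addr = infos[0][4][0]  # IP from the last lookup, so connect() skips DNS
    start = time.perf_counter()
    connect(addr, port)
    return lookups, time.perf_counter() - start

def classify(lookups, connect_s, slow_lookup=SLOW_LOOKUP_S,
             slow_connect=SLOW_CONNECT_S):
    """Label the timing pattern described in the reply."""
    if connect_s > slow_connect:
        return "path"        # slow with the name already resolved: not DNS
    first_slow = lookups[0] > slow_lookup
    if first_slow and all(t <= slow_lookup for t in lookups[1:]):
        return "dns-first"   # slow once, then fast: answer is being cached
    if first_slow:
        return "dns-always"  # slow lookups that do not improve on repeat
    return "ok"

if __name__ == "__main__":
    times, conn = probe("example.com")
    print(times, conn, classify(times, conn))
```

Repeat lookups are only fast if the operating system or a local resolver caches the answer, so run the probe once with the tunnel up and once with it down and compare the two results.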