Using Name Resolution When Accessing Other Services on a VPN Router
Applies To: Windows Server 2008, Windows Server 2008 R2
In some organizations, you might want users to be able to access other services, such as file shares, on the answering VPN router itself. In this type of configuration, if the demand-dial interface is configured with the answering router's DNS name rather than its IP address, and that name resolves to the public IP address of the answering router, traffic sent to the services running on the router is sent in plaintext (unencrypted) across the Internet. It is not encapsulated, encrypted, and sent over the VPN connection, so it can be read or modified in transit.
A related problem occurs if you configure packet filters on the answering router to allow only traffic over the VPN connection, so that all other traffic is discarded. In this situation, attempts to connect to services running on the answering router fail, because traffic to those services is addressed to the public interface and is not sent over the site-to-site VPN connection.
If the site DNS and WINS servers do not contain a record mapping the name of the VPN router to its public IP address, the name resolves only to the router's private (site) address, and traffic to services running on the VPN router is always sent across the VPN connection. To ensure that the name of the VPN router always resolves to its private or site IP address, disable DNS dynamic update and NetBIOS over TCP/IP (NetBT) on the Internet-connected interface (or interfaces) of the VPN router as follows:
Prevent the public address from being registered in DNS. On the Internet interface of the router, configure the properties of Internet Protocol Version 4 (TCP/IPv4) by clicking the Advanced button, selecting the DNS tab, and then clearing the Register this connection's addresses in DNS check box. Clearing this check box stops future registrations but does not delete a record that was already registered, so also remove any existing DNS record that maps the router's name to its public address.
Prevent the public address from being registered in WINS. On the Internet interface of the router, configure the properties of Internet Protocol Version 4 (TCP/IPv4) by clicking the Advanced button, selecting the WINS tab, and then selecting the option Disable NetBIOS over TCP/IP. This stops the Internet interface from registering its address with WINS and from answering NetBIOS name queries.
By default, the Routing and Remote Access Wizard clears Register this connection’s addresses in DNS and selects Disable NetBIOS over TCP/IP. Be sure not to change these defaults if you want users to be able to access services such as file shares on the answering VPN router.
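The following PowerShell script applies the two settings above to the Internet-facing interface and then checks what the router's name actually resolves to. It is an added example, not part of the original page or of Windows itself. It assumes the Internet connection is named "Internet" in Network Connections (its NetConnectionID) and that the answering router's DNS name is vpn1.corp.example.com; both are placeholders. It uses the Win32_NetworkAdapterConfiguration WMI class, which is available to PowerShell 2.0 on Windows Server 2008 R2, and must be run from an elevated prompt.

```powershell
# Added example (not from the original page): harden the Internet-facing interface
# of an RRAS VPN router so its name is never registered with its public address,
# then verify how the router's name resolves on this host.
# Assumed placeholders: connection name "Internet", router name vpn1.corp.example.com.

$InternetConnectionName = 'Internet'
$RouterName             = 'vpn1.corp.example.com'

# Locate the adapter by its Network Connections name and fetch its TCP/IP configuration.
$adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$InternetConnectionName'"
if (-not $adapter) { throw "No connection named '$InternetConnectionName' was found." }
$config  = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.Index)"

# Step 1 (DNS tab): clear "Register this connection's addresses in DNS".
# Arguments: FullDNSRegistrationEnabled, DomainDNSRegistrationEnabled.
$rc = $config.SetDynamicDNSRegistration($false, $false)
if ($rc.ReturnValue -ne 0) { throw "SetDynamicDNSRegistration failed with code $($rc.ReturnValue)" }

# Step 2 (WINS tab): select "Disable NetBIOS over TCP/IP".
# TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enable, 2 = disable.
$rc = $config.SetTcpipNetbios(2)
if ($rc.ReturnValue -ne 0) { throw "SetTcpipNetbios failed with code $($rc.ReturnValue)" }

# Re-read the configuration and confirm both settings took effect.
$config = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.Index)"
"DNS registration enabled : $($config.FullDNSRegistrationEnabled)  (expect False)"
"NetBIOS over TCP/IP      : $($config.TcpipNetbiosOptions)  (expect 2 = disabled)"

# RFC 1918 check: 10/8, 172.16/12, 192.168/16.
function Test-PrivateIPv4 {
    param([System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes()
    ($b[0] -eq 10) -or
    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
    ($b[0] -eq 192 -and $b[1] -eq 168)
}

# Step 3: resolve the router's name. If any answer is an address bound to the Internet
# interface, or is not private address space, traffic to the router's own services
# (file shares and so on) would leave the tunnel and cross the Internet in plaintext.
$internetAddresses = @($config.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
$resolved = [System.Net.Dns]::GetHostAddresses($RouterName) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' }

foreach ($ip in $resolved) {
    if (($internetAddresses -contains $ip.IPAddressToString) -or -not (Test-PrivateIPv4 $ip)) {
        Write-Warning ("{0} resolves to {1}, the router's public address. Traffic to services on " +
                       "the router will bypass the VPN connection; remove that DNS or WINS record.") -f $RouterName, $ip
    } else {
        "$RouterName resolves to $ip (private); traffic to the router's services will use the VPN connection."
    }
}
```

Run the script on the answering router after the Routing and Remote Access Wizard completes, and again after any change to the Internet interface, since re-enabling DNS registration or NetBT on that interface is enough to put the public address back into the site's name servers.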