Windows DNS answers NXDOMAIN for a local zone when queried from the VPN

Note: wrong assumption

It turns out the VPN is configured to redirect all name lookups to a different server. So the problem is not Windows DNS but the VPN gateway.

Original question

I have a remote network 10.12.0.0/16 containing a Windows domain controller (SBS 2011) and a VPN gateway. Some Windows PCs (not domain members) connect to the SBS over an L2TP VPN. They get virtual IPs in 10.14.0.0/24. The VPN gateway is the SBS's default gateway and routes between the two networks. The SBS and the clients can ping each other.

The domain controller holds the Active Directory domain company.local. If I look it up on the SBS itself, it resolves correctly to the SBS's IP. Queries from the VPN gateway also work fine. But nslookup company.local 10.12.0.5 (the latter being the SBS IP) from a client responds that the domain cannot be found. With tcpdump on the VPN gateway I can see that the SBS really does return NXDOMAIN 0/0/0.

As you may have guessed, the goal is to join the domain from a VPN-connected computer.

Why doesn't the DNS server return the correct A record? My only idea is that the query comes from an unknown private network.

Update 01

The full query from the client computer:

C:\Users\abc>nslookup -debug company.local 10.12.0.5
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        5.0.12.10.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  5.0.12.10.in-addr.arpa
        name = xyz.cloud.internal
        ttl = 0 (0 secs)

------------
Server:  xyz.cloud.internal
Address:  10.12.0.5

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        company.local, type = A, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        company.local, type = AAAA, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        company.local, type = A, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 5, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        company.local, type = AAAA, class = IN

------------
*** xyz.cloud.internal can't find company.local: Non-existent domain

Update 02

C:\Users\abc>nslookup -debug _ldap._tcp.dc._msdcs.company.local.
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        5.0.12.10.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  5.0.12.10.in-addr.arpa
        name = xyz.cloud.internal
        ttl = 0 (0 secs)

------------
Server:  xyz.cloud.internal
Address:  10.12.0.5

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        _ldap._tcp.dc._msdcs.company.local, type = A, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        _ldap._tcp.dc._msdcs.company.local, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  (root)
        ttl = 10789 (2 hours 59 mins 49 secs)
        primary name server = a.root-servers.net
        responsible mail addr = nstld.verisign-grs.com
        serial  = 2013011600
        refresh = 1800 (30 mins)
        retry   = 900 (15 mins)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)

------------
*** xyz.cloud.internal can't find _ldap._tcp.dc._msdcs.company.local.: Non-existent domain

Answer 1

The problem (as mentioned in the comments) turned out to be the VPN gateway intercepting the DNS queries.
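As an added example (not code from the original post or its answer), the script below decodes the DNS header flags that nslookup -debug prints and labels a reply the way the output above reads: the PTR answer carries the AA ("auth. answer") flag, while the NXDOMAIN replies for company.local do not, which is the signature of a reply produced by some resolver other than the zone's own server. The two reply packets are constructed to match those shapes, and the server address in query() is assumed to be reachable only when you run it against your own resolver.

```python
import socket
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS label format (length-prefixed labels, zero terminator)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 1) -> bytes:
    """Build a standard recursive query (RD=1) with a single question of class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte header: QR is bit 15, AA bit 10, RCODE the low 4 bits."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": flags & 0xF, "questions": qd, "answers": an,
            "authority": ns, "additional": ar}


def classify(resp: bytes) -> str:
    """Label a reply the way the 'header flags' line of nslookup -debug reads."""
    h = parse_header(resp)
    if not h["qr"]:
        return "not-a-response"
    if h["aa"]:  # the zone's own server answers with AA set, NOERROR or NXDOMAIN alike
        return "authoritative-noerror" if h["rcode"] == 0 else "authoritative-nxdomain"
    if h["rcode"] == 3:  # NXDOMAIN without AA: some other resolver produced this reply
        return "nxdomain-non-authoritative"
    return "non-authoritative"


def query(server: str, name: str, qtype: int = 1, timeout: float = 2.0) -> bytes:
    """Send one UDP query straight to `server` (an IP you control) and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return s.recv(512)


# Constructed replies (not real captures) shaped like the post's nslookup -debug output.
QUESTION = encode_name("company.local") + struct.pack("!HH", 1, 1)
# "response, auth. answer, want recursion, recursion avail.", NOERROR, one A record 10.12.0.5
AUTHORITATIVE_REPLY = (struct.pack("!HHHHHH", 1, 0x8580, 1, 1, 0, 0) + QUESTION
                       + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([10, 12, 0, 5]))
# "response, want recursion, recursion avail.", NXDOMAIN, answers = 0, no AA
INTERCEPTED_REPLY = struct.pack("!HHHHHH", 2, 0x8183, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    for label, pkt in (("authoritative", AUTHORITATIVE_REPLY), ("intercepted", INTERCEPTED_REPLY)):
        print(label, parse_header(pkt), classify(pkt))
```

Running classify() on a live reply from query("10.12.0.5", "company.local") would have shown the missing AA flag before any tcpdump was needed.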