We have three Windows domain controllers (a mix of 2012 R2 and 2008 R2), all of them DNS servers, in a split DNS setup.
DNS resolution works on every internal subnet except the user VPN. All network connectivity otherwise appears unobstructed.
Users connected to the Cisco AnyConnect IOS SSL VPN cannot resolve Internet-facing DNS queries. Queries against the AD-integrated zones return correct answers.
NSLOOKUP output from a working host inside the network perimeter:
> set type=a
> 4.2.2.6
Server: dc1.domain.com
Address: 192.168.0.1
------------
SendRequest(), len 38
HEADER:
opcode = QUERY, id = 7, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
6.2.2.4.in-addr.arpa, type = PTR, class = IN
------------
------------
Got answer (98 bytes):
HEADER:
opcode = QUERY, id = 7, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 2, authority records = 0, additional = 0
QUESTIONS:
6.2.2.4.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 6.2.2.4.in-addr.arpa
type = PTR, class = IN, dlen = 24
name = f.resolvers.level3.net
ttl = 74506 (20 hours 41 mins 46 secs)
-> 6.2.2.4.in-addr.arpa
type = PTR, class = IN, dlen = 12
name = resolver8.level3.net
ttl = 74506 (20 hours 41 mins 46 secs)
------------
Name: f.resolvers.level3.net
Address: 4.2.2.6
NSLOOKUP output from a VPN-connected host:
> set type=a
> 4.2.2.6
Server: [192.168.0.1]
Address: 192.168.0.1
------------
SendRequest(), len 38
HEADER:
opcode = QUERY, id = 7, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
6.2.2.4.in-addr.arpa, type = PTR, class = IN
------------
------------
Got answer (38 bytes):
HEADER:
opcode = QUERY, id = 7, rcode = NXDOMAIN
header flags: response, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
6.2.2.4.in-addr.arpa, type = PTR, class = IN
------------
*** [192.168.0.1] can't find 4.2.2.6: Non-existent domain
Notes:
- Windows Firewall on the DCs is disabled
- All other protocols between the VPN and server VLANs work fine
- From the SSL VPN, NSLOOKUP can resolve any record inside the AD-integrated zones without issue
- Every internal segment has a reverse lookup zone
- The DNS suffix on the Cisco AnyConnect adapter is the same as domain.com
Any help with this would be greatly appreciated.
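The two captures differ in the server's reply header: the in-perimeter answer carries the "recursion avail." flag (the RA bit), the VPN answer does not, and the VPN reply is an empty NXDOMAIN. As an added diagnostic example, not part of the question, the Python snippet below parses nslookup debug output (`set d2`) and reports such differences between a working and a failing capture; the embedded captures are abridged copies of the two quoted above.

```python
"""Compare two nslookup debug captures and report how the server's reply differs."""
import re

# Constructed samples: abridged "Got answer" sections copied from the two captures.
WORKING_CAPTURE = """\
Got answer (98 bytes):
HEADER:
opcode = QUERY, id = 7, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 2, authority records = 0, additional = 0
"""

VPN_CAPTURE = """\
Got answer (38 bytes):
HEADER:
opcode = QUERY, id = 7, rcode = NXDOMAIN
header flags: response, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
"""


def parse_response(capture):
    """Return rcode, the set of header flags and the answer count of the reply.

    Only the block after "Got answer" describes the server's reply; the
    SendRequest block that precedes it in a full capture describes our query.
    """
    if "Got answer" not in capture:
        raise ValueError("capture contains no 'Got answer' section")
    reply = capture.split("Got answer", 1)[1]
    rcode = re.search(r"rcode = (\w+)", reply).group(1)
    flags_line = re.search(r"header flags: (.+)", reply).group(1)
    flags = {flag.strip() for flag in flags_line.split(",")}
    answers = int(re.search(r"answers = (\d+)", reply).group(1))
    return {"rcode": rcode, "flags": flags, "answers": answers}


def diff_responses(good, bad):
    """Return what the failing reply lacks relative to the working one."""
    g, b = parse_response(good), parse_response(bad)
    return {
        "rcode": (g["rcode"], b["rcode"]),
        "flags_missing": g["flags"] - b["flags"],  # flags the server dropped
        "answers": (g["answers"], b["answers"]),
    }


if __name__ == "__main__":
    diff = diff_responses(WORKING_CAPTURE, VPN_CAPTURE)
    print(diff)
    if "recursion avail." in diff["flags_missing"]:
        # RA bit absent: the server did not offer recursion to this client.
        print("server did not offer recursion to the second client")
```

A missing RA bit points at the resolver's recursion settings for that client population rather than at connectivity, which matches the notes that other protocols and AD-integrated zones work from the VPN.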