VMware Communities
Piggy
Enthusiast

How to have Windows XP guest use Mac OS DNS when VPN established with OS X

I would like to be able to leverage my OS X VPN from my Windows XP guest.

It works via IP address but not host name. Windows does not know how to resolve my employer's host name but Mac OS X does. Actually this is not completely accurate: Windows resolves the host name via public DNS and returns the public IP address. OS X uses the internal DNS when the VPN is running.

I have to add an entry to the Windows hosts file for this to work and would prefer to have Windows query OS X for this information. An IPCONFIG /ALL shows the default gateway and DNS server as the same virtual address (x.x.x.2). I tried changing it to x.x.x.1, which I see with ifconfig -a on the Mac side, but it's not reachable from the Windows side.

I prefer not to have to manually configure a hosts entry for the private servers and just have Windows query Mac OS, which handles this automatically when the VPN is up.

Does anyone know how I can do this?

Thanks.

P.S. I can establish a VPN on the Windows side with the Cisco VPN client but prefer to do it on the Mac OS side where I use VPN tracker.

7 Replies
rcardona2k
Immortal

I didn't follow one part: while connected to your VPN, OS X should be set to use your company's DNS servers. VPN DNS servers are usually added and removed dynamically as you connect. In addition to using your local DNS forwarder/resolver you could add your company's DNS servers to your guest OS configuration. In Windows this is in Control Panel > Network Connections > Local Area Connection > Properties > Internet Protocol (TCP/IP) > Properties > Advanced... > DNS > Add...

I use a mix of OpenDNS (because of untrustworthy hotspots) and my company's VPN DNS. I also have my company's VPN in the hosts files so I don't have to rely on any external DNS to resolve that (worst case).

Piggy
Enthusiast

Hi,

The Windows Cisco VPN works fine by itself.

The OS X VPN (VPN Tracker) works fine by itself.

It's only when I try to exclusively use the OS X VPN that the Windows guest (no VPN running inside Windows) cannot resolve DNS properly. It uses the public DNS which returns the wrong (external) IP address which is not reachable.

Specifying the internal DNS servers in Windows causes problems because there's really no primary/secondary lookup on a DNS client - it treats all of the DNS servers equally and randomly picks one to query. I just tried this anyway and sure enough it hung trying to query the internal DNS server because the VPN wasn't up.

I use OpenDNS sometimes, too. This is a bit of a problem while I'm connected to a customer's network since I need to resolve locally.

I don't think there's a solution other than to edit the hosts file. /etc/resolv.conf doesn't get updated on the Mac OS side when the VPN is up so querying Mac OS returns the public address. However pinging the hostname does, so somehow the VPN software is intercepting the query and returning the correct (internal) address based on the DNS server it learns when establishing the VPN.

Let me know if you still feel this should work without the hosts file and I'm not testing it as you described.

Thanks!

dp_fusion
Enthusiast

The OS X VPN client has no mechanism to transfer any connection information to the guest OS. In my environment I use NAT and Cisco VPN in OS X. This gives me networking to the company net for all applications including Fusion. I must manually add the company's name servers to my Windows TCP/IP stack so that Windows applications can locate the corporate servers. It typically needs doing just once, provided the corporate name server information is static, and that should certainly be the case.

Piggy
Enthusiast

Don't you have a problem with name resolution when the VPN isn't up and Windows tries to contact your internal name server, which it cannot get to because the VPN is down?

Without the hosts file change, Windows DNS always returns the external IP address. Even if I have the VPN up in Mac OS and can ping via IP from Windows, attempts to do the same via host name always return the external IP address (which is not what I want). I've tried specifying OpenDNS servers as primary and secondary, and the internal DNS server as tertiary. I've run ipconfig /flushdns to ensure a clean state.

Exactly how are you configuring your DNS servers? I am doing it via the Advanced tab on the TCP/IP properties dialog, "DNS server addresses, in order of use": 208.67.222.222, 208.67.220.220, 10.x.x.x.

I think one issue I may be having is that my IT department has DNS wildcarded to an external address. It certainly doesn't help matters.

dp_fusion
Enthusiast

I have multiple name servers defined and the company server is last in the list so never consulted, and I run my own servers so know they're well behaved. DNS wildcards are evil :) You need the corporate name servers only for networks inside the corporation and so they can be last in the sequence.

It probably isn't obvious, but you would likely be well off to avoid search paths and instead use fully qualified host names when contacting the company servers. If you know for a fact that you need to contact only a very few hosts inside the company network, you can add those few to your Windows hosts file and avoid all this DNS stuff entirely. The hosts file in Windows is cleverly buried in \Windows\System32\drivers\etc\hosts and is a simple text file you can edit with Notepad. Just don't allow Notepad to apply a .txt extension to the file or it will all quit.

The format of the host file is:

IP hostname.domain.tld hostname

This will allow finding the host by fqdn or by simple hostname.

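As an added illustration of the hosts file format described above (not code from the thread), here is a small Python checker that parses hosts-file text in the "IP hostname.domain.tld hostname" layout, flags malformed addresses and conflicting entries (the first matching line wins, which is why a stale entry silently yields the wrong address), and checks that the file name has not picked up a .txt extension. The sample file contents, names and addresses are constructed for the example.

```python
import ipaddress
import ntpath
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format dp_fusion describes; names/IPs are made up.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.20.30.40     sharepoint.corp.example   sharepoint
10.20.30.41     mail.corp.example mail
10.20.30.99     sharepoint.corp.example          # conflicts with line above
999.1.1.1       broken.corp.example broken
"""


def parse_hosts(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse hosts-file text into {name: ip} and a list of problems.

    Problems reported: invalid IP addresses, lines with no hostname, and a
    name that is already mapped to a different address (first mapping wins,
    matching how the resolver reads the file top to bottom)."""
    mapping: Dict[str, str] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"line {lineno}: invalid IP address {ip!r}")
            continue
        if not names:
            problems.append(f"line {lineno}: no hostname after {ip}")
            continue
        for name in names:
            name = name.lower()  # hosts lookups are case-insensitive
            if name in mapping and mapping[name] != ip:
                problems.append(f"line {lineno}: {name} already -> {mapping[name]}, ignoring {ip}")
                continue
            mapping.setdefault(name, ip)
    return mapping, problems


def resolve(name: str, mapping: Dict[str, str]) -> Optional[str]:
    """Look a name up the way the hosts file would answer it (case-insensitive)."""
    return mapping.get(name.lower())


def hosts_filename_ok(path: str) -> bool:
    """True only if the Windows path ends in a file named exactly 'hosts' (no .txt)."""
    return ntpath.basename(path) == "hosts"
```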
Piggy
Enthusiast

Well, I don't really see a way to get this to work. Our internal sites (like Sharepoint) use just host names and our external DNS is wildcarded so any host I try to access is going to get an IP address and usually the wrong (invalid) one. So even if Windows resolves the way I want it's never going to fail on the public DNS servers and roll over to the internal one.

Host entries are the only way to go. I have this working for most things except for the sharepoint calendar I use in Outlook.

Thanks for your help.

johncaruso
Contributor

I've just run into this problem as well. Namely: when using a NAT networking connection with a Windows XP guest running under Fusion, if you establish a VPN connection on the Mac side, you will only be able to connect to VPN-based hosts within the Windows XP guest using the IP address--not the hostname. This despite the fact that on the OS X side you can connect to VPN-based hosts using either the hostname or the IP address.

The problem appears to be that the calls the VMware NAT daemon makes to the resolver library bypass the trickery the Mac side normally uses to resolve DNS queries first from the public connection and then from the VPN connection. This is a problem that I think VMware should address, since it seems like a bug that the same DNS queries that work just fine under OS X don't work for a NAT'ed client running under Fusion.

Until they fix it, though, there are two workarounds I've found:

1) Explicitly configure the VPN DNS server's IP address on the main connection (NOT the VPN connection) on the Mac side. For example, if your Airport connection is your main connection and your VPN DNS server is 10.1.2.3, you'd add 10.1.2.3 to the Airport connection's DNS configuration.

2) Use bridged networking and establish an independent DNS connection from within the Windows XP guest.

The big downside to number 1 is that the DNS IP you configure may not always be an IP from which you want to get DNS--e.g. if you were using the public wireless at a cafe and someone noticed your machine sending DNS requests to 10.1.2.3, they could adopt that IP and effectively hijack your DNS. As long as you're aware of that caveat and modify your configuration accordingly when you're on unsafe networks, though, it's a reasonable workaround.
