This topic describes how remote DirectAccess clients determine how DNS suffix queries are resolved by intranet DNS servers, and how to select a local name resolution method.
The Name Resolution Policy Table (NRPT) stores a list of DNS namespaces and corresponding configuration settings that define the DNS client’s behavior for that namespace. When a DirectAccess client is remote, each name query request is compared against namespaces stored in the NRPT. If there is a match, the request is processed according to the settings in the NRPT entry for that namespace.
If a name query request does not match a namespace in the NRPT, it is sent to DNS servers configured in the TCP/IP settings for the specified network interface, for example, to an Internet DNS server configured through your Internet service provider (ISP).
Warning: |
---|
When force tunneling is configured, all DNS queries will be resolved using the method configured in the Force tunneling page of the Forefront UAG DirectAccess Configuration Wizard. |
Certain names must not be resolved using the intranet DNS servers. To ensure that these names are resolved with the DNS servers configured in the TCP/IP settings, you must add them as NRPT exemptions. If no DNS server addresses are specified in the NRPT entry, the entry is an exemption. If a DNS name matches an entry in the NRPT that does not contain addresses of DNS servers, the DirectAccess client sends the name query to the DNS servers specified in the client’s TCP/IP settings.
Note: |
---|
If any of the following servers have a name suffix that matches
an NRPT entry for the intranet namespace, that server name must be
an NRPT exemption:
|
To identify DNS servers
-
In the Infrastructure Servers section of the wizard, on the DNS Suffixes page, follow these instructions to add, edit, or delete entries in the NRPT.
- To add an entry in the NRPT:
- Right-click an empty row, and then click New.
Alternately, you can double-click an empty row.
- In the Name Resolution servers used by DirectAccess
dialog box, select DNS suffix, or Specific Server,
and then enter a DNS suffix, or a specific server.
- If you want to use the Forefront UAG DNS64
server IP address when resolving names ending with the DNS suffix,
click OK.
Note: This is the default option, and is used in most cases. - If you want to create an exemption entry,
click Do not use an internal DNS server for the specified server
or suffix, and click OK.
- If you want to use another DNS server IP
address when resolving names ending with the DNS suffix, click
Other DNS server IPv4 or IPv6 address, click Click here
to add, and enter the IP address of the internal DNS server.
Click Validate, to confirm that the DNS servers are running
and reachable from the Forefront UAG DirectAccess server, and if
the validation is successful, then click OK.
Note: You can also manage lists of multiple DNS server IP addresses for a DNS suffix. Note: If you add the domain suffix of the Forefront UAG DirectAccess server, an exemption entry for the IP-HTTPS server will be added to the NRPT, to allow remote client connectivity.
- If you want to use the Forefront UAG DNS64
server IP address when resolving names ending with the DNS suffix,
click OK.
- Right-click an empty row, and then click New.
Alternately, you can double-click an empty row.
- To edit an entry in the NRPT, right-click the entry, and then
click Edit. Alternately, you can double-click the existing
entry. Edit the IP address, and then click OK.
- To delete an entry from the NRPT, right-click the entry, and
then click Delete.
- To add an entry in the NRPT:
-
Select a local name resolution option from the following:
- Only use local name resolution if the name
does not exist in DNS (most restrictive)—This is the most
secure option, because the DirectAccess client only sends DNS
queries to Internet-facing DNS servers for server names that cannot
be resolved.
- Fall back to local name resolution if the
name does not exist in DNS or the DNS servers are unreachable when
the client computer is on a private network (recommended)—This
option is recommended because it allows the resolution of names on
a separate internal network.
- Fall back to local name resolution for any
kind of DNS resolution error (least secure)—This is the least
secure option, because the names of internal network servers that
the DirectAccess client is attempting to resolve can be sent out to
Internet-facing DNS servers. This could result in an eavesdropper
between the DirectAccess client and the Internet-facing DNS server
determining the names of internal network servers.
- Only use local name resolution if the name
does not exist in DNS (most restrictive)—This is the most
secure option, because the DirectAccess client only sends DNS
queries to Internet-facing DNS servers for server names that cannot
be resolved.
-
Click Next. The Authentication Domains page appears.