This topic describes how remote DirectAccess clients determine how DNS suffix queries are resolved by intranet DNS servers, and how to select a local name resolution method.

The Name Resolution Policy Table (NRPT) stores a list of DNS namespaces and corresponding configuration settings that define the DNS client’s behavior for that namespace. When a DirectAccess client is remote, each name query request is compared against namespaces stored in the NRPT. If there is a match, the request is processed according to the settings in the NRPT entry for that namespace.

If a name query request does not match a namespace in the NRPT, it is sent to DNS servers configured in the TCP/IP settings for the specified network interface, for example, to an Internet DNS server configured through your Internet service provider (ISP).

Warning:
When force tunneling is configured, all DNS queries will be resolved using the method configured in the Force tunneling page of the Forefront UAG DirectAccess Configuration Wizard.

Certain names must not be resolved using the intranet DNS servers. To ensure that these names are resolved with the DNS servers configured in the TCP/IP settings, you must add them as NRPT exemptions. If no DNS server addresses are specified in the NRPT entry, the entry is an exemption. If a DNS name matches an entry in the NRPT that does not contain addresses of DNS servers, the DirectAccess client sends the name query to the DNS servers specified in the client’s TCP/IP settings.

Note:
If any of the following servers have a name suffix that matches an NRPT entry for the intranet namespace, that server name must be an NRPT exemption:
  • WPAD servers

  • Network location servers (Automatic)

  • All quarantine servers

These servers must always be resolved with the DNS servers specified in the client’s TCP/IP settings.

To identify DNS servers

  1. In the Infrastructure Servers section of the wizard, on the DNS Suffixes page, follow these instructions to add, edit, or delete entries in the NRPT.

    1. To add an entry in the NRPT:

      1. Right-click an empty row, and then click New. Alternately, you can double-click an empty row.

      2. In the Name Resolution servers used by DirectAccess dialog box, select DNS suffix, or Specific Server, and then enter a DNS suffix, or a specific server.

        • If you want to use the Forefront UAG DNS64 server IP address when resolving names ending with the DNS suffix, click OK.

          Note:
          This is the default option, and is used in most cases.
        • If you want to create an exemption entry, click Do not use an internal DNS server for the specified server or suffix, and click OK.

        • If you want to use another DNS server IP address when resolving names ending with the DNS suffix, click Other DNS server IPv4 or IPv6 address, click Click here to add, and enter the IP address of the internal DNS server. Click Validate, to confirm that the DNS servers are running and reachable from the Forefront UAG DirectAccess server, and if the validation is successful, then click OK.

          Note:
          You can also manage lists of multiple DNS server IP addresses for a DNS suffix.
          Note:
          If you add the domain suffix of the Forefront UAG DirectAccess server, an exemption entry for the IP-HTTPS server will be added to the NRPT, to allow remote client connectivity.
    2. To edit an entry in the NRPT, right-click the entry, and then click Edit. Alternately, you can double-click the existing entry. Edit the IP address, and then click OK.

    3. To delete an entry from the NRPT, right-click the entry, and then click Delete.

  2. Select a local name resolution option from the following:

    • Only use local name resolution if the name does not exist in DNS (most restrictive)—This is the most secure option, because the DirectAccess client only sends DNS queries to Internet-facing DNS servers for server names that cannot be resolved.

    • Fall back to local name resolution if the name does not exist in DNS or the DNS servers are unreachable when the client computer is on a private network (recommended)—This option is recommended because it allows the resolution of names on a separate internal network.

    • Fall back to local name resolution for any kind of DNS resolution error (least secure)—This is the least secure option, because the names of internal network servers that the DirectAccess client is attempting to resolve can be sent out to Internet-facing DNS servers. This could result in an eavesdropper between the DirectAccess client and the Internet-facing DNS server determining the names of internal network servers.

  3. Click Next. The Authentication Domains page appears.