This topic provides an overview of DNS requirements. Forefront Unified Access Gateway (UAG) DirectAccess requires a DNS infrastructure for the following:
- DNS for DirectAccess clients—DirectAccess clients attempt to
connect to the network location server in order to determine
whether they are located on the Internet or on the corporate
network:
  - If the connection is successful, clients are determined to
be on the intranet and DirectAccess is not used. Client requests
are resolved using the DNS server configured on the network adapter
of the client computer.
  - If the connection does not succeed, clients are assumed to be
on the Internet. DirectAccess clients use the name resolution
policy table (NRPT) to determine which DNS server to use when
resolving name requests. You can use DNS64 to resolve names, or an
alternative internal DNS server. For more information about DNS64,
see Using integrated NAT64 and DNS64 with Forefront UAG DirectAccess.
- DNS for infrastructure servers—DNS intranet A records are
required for the following:
  - The network location server. For more information, see Network location
server.
  - CRL distribution points. For more information, see Certificate revocation
checking.
  - The DirectAccess server acting as an IP-HTTPS server. For more
information about IP-HTTPS, see Using transition technologies.
  - Resolution support for the ISATAP name. For more
information about ISATAP, see Using transition technologies.
NRPT
Windows Server 2008 R2 includes an NRPT that enables DNS servers to be identified per DNS namespace, instead of per interface. The NRPT consists of rules that define a DNS namespace, and DNS client behavior for that namespace. The following occurs when clients access resources with DirectAccess enabled:
- Clients request an FQDN or a single-label name such as
http://internal. If a single-label name is requested, a DNS suffix
is appended to make an FQDN. By default the appended suffix is
based on the DirectAccess client domain. If a DNS suffix search
list is configured, those DNS suffixes are appended to the
name.
- The requested FQDN is compared to the NRPT, as follows:
  - If there is a match, and either DNS64 or an intranet DNS server
is specified for the rule, the query is sent for name resolution using
the specified server.
  - If there is a match, but no DNS server IPv6 address is
specified for the rule, this indicates an exemption rule, and
normal name resolution is applied.
  - If there is no match, normal name resolution is applied.
Queries are sent to the DNS server configured in the TCP/IP
settings of the client's network adapter. In addition, if the
original name is a single-label name, Link-Local Multicast Name
Resolution (LLMNR) and Network Basic Input/Output System (NetBIOS)
name resolution methods are used to resolve the name.
  - If the original name is a single-label name and the DNS query
sent to NRPT rule-configured DNS servers results in an error, LLMNR
and NetBIOS name resolution methods are used according to the
configured fallback local name resolution behavior.
Local name resolution for single-name labels
When the original client request is for a single-label name, and queries with appended DNS suffixes fail, you can specify that a local name resolution method be used. Local name resolution is not available when the original request was for an FQDN. You can configure local name resolution for single-name labels as follows:
- Only use local name resolution if the name does not exist in
DNS—With this option selected, local name resolution occurs only if
the queried name does not exist in DNS. This is the most secure option,
because the DirectAccess client only sends DNS queries to
Internet-facing DNS servers for server names that cannot be
resolved.
- Fall back to local name resolution if the name does not
exist in DNS or the DNS servers are unreachable when the client
computer is on a private network—With this option, local name
resolution occurs if the name does not exist in DNS, or if the DNS
server cannot be reached when the client is on a private network
(where the client selected Home or Work, and not Public, for the
network type).
- Fall back to local name resolution for any kind of DNS
resolution error—This option specifies that local name
resolution is used if any type of DNS query error occurs, including
for clients located on a public network. This is the least secure
option, because the names of internal network servers that the
DirectAccess client is attempting to resolve can be sent out to
Internet-facing DNS servers. This could result in an eavesdropper
between the DirectAccess client and the Internet-facing DNS server
determining the names of internal network servers.
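The NRPT comparison steps and the three local name resolution options described above, modelled as a small simulation so the decision path for a given name can be checked. This is an added example, not Microsoft's code or the Forefront UAG implementation; the rule set, suffix list, addresses and DNS answers are constructed sample data, and the intranet suffix rule is assumed to point at a DNS64 address.

```python
NXDOMAIN_ONLY, PRIVATE_NETWORK, ANY_ERROR = "nxdomain-only", "private-network", "any-error"
ERRORS = ("NXDOMAIN", "UNREACHABLE")
# Constructed sample NRPT: ".suffix" is a DNS suffix rule, a bare name is an exact
# server-name rule, and an empty server tuple is an exemption rule.
RULES = {
    ".corp.example": ("2001:db8::1",),   # intranet suffix -> DNS64 address (assumed)
    "nls.corp.example": (),              # network location server: exemption
    "crl.corp.example": (),              # CRL distribution point: exemption
}
ANSWERS = {  # constructed stand-in for what DNS servers answer: address or an error
    "fileserver.corp.example": "2001:db8::10",
    "nls.corp.example": "203.0.113.5",
    "www.example.org": "198.51.100.7",
    "offline.corp.example": "UNREACHABLE",
}

def match_rule(fqdn, rules):
    """Return the longest (most specific) NRPT namespace matching fqdn, or None."""
    name = fqdn.lower().rstrip(".")
    hits = [ns for ns in rules
            if name == ns.lower() or (ns.startswith(".") and name.endswith(ns.lower()))]
    return max(hits, key=len) if hits else None

def select_resolver(fqdn, rules):
    """No match, or a match with no servers (an exemption): interface-configured DNS."""
    ns = match_rule(fqdn, rules)
    return rules[ns][0] if ns and rules[ns] else "interface-dns"

def local_fallback_allowed(error, option, network_type):
    """The three local name resolution options, applied to the DNS error seen."""
    if option == ANY_ERROR or error == "NXDOMAIN":
        return True  # a name absent from DNS may use LLMNR/NetBIOS under every option
    return option == PRIVATE_NETWORK and network_type in ("Home", "Work")

def resolve(name, rules, suffixes, option, network_type, answers=ANSWERS):
    """Return (resolver used, result). Single-label names get each suffix appended;
    local name resolution (LLMNR/NetBIOS) is never used for an original FQDN."""
    single_label = "." not in name
    candidates = [f"{name}.{s}" for s in suffixes] if single_label else [name]
    resolver, error = "interface-dns", "NXDOMAIN"
    for fqdn in candidates:
        resolver = select_resolver(fqdn, rules)
        answer = answers.get(fqdn, "NXDOMAIN")
        if answer not in ERRORS:
            return resolver, answer
        error = answer
    if single_label and local_fallback_allowed(error, option, network_type):
        return resolver, "LLMNR/NetBIOS"
    return resolver, "FAILED"
```

Note that an unreachable DNS server only leads to LLMNR/NetBIOS under the second option when the network type is Home or Work, and under the third option everywhere, which is what makes the third option the least secure.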
NRPT exemptions
Some names must be treated differently from others with regard to name resolution; these names must not be resolved using intranet DNS servers. To ensure that these names are resolved with interface-configured DNS servers, you must add them as NRPT exemptions.
If no DNS server addresses are specified in the NRPT rule, or by selecting the Do not use an internal DNS server for the specified server or suffix option in the DNS Suffixes page of the wizard, the rule is an exemption. If a DNS name matches a rule in the NRPT that does not contain addresses of DNS servers or does not match a rule in the NRPT, the DirectAccess client sends the name query to interface-configured DNS servers.
If any of the following servers have a name suffix that matches an NRPT rule for the intranet namespace, that server name must be an NRPT exemption:
- WPAD servers.
- Network location servers.
- Intranet certificate revocation list (CRL)
distribution points.
- All quarantine and system health remediation
servers.
These servers must always be resolved with interface-configured DNS servers.
Populating the NRPT
The NRPT allows DirectAccess clients to use intranet DNS servers, or the Forefront UAG DirectAccess server when integrated DNS64 is configured, for name resolution (dedicated DNS servers are not required). Forefront UAG DirectAccess is designed to prevent the exposure of your intranet namespace to the Internet.
You configure the NRPT in the DirectAccess Server Configuration Wizard. You add namespaces such as server names or DNS suffixes, and specify how queries for the namespace should be resolved with one of the following methods:
- Use the Forefront UAG DirectAccess DNS64 server IP address when
resolving names for the suffix or server. For more information
about DNS64, see Using integrated NAT64
and DNS64 with Forefront UAG DirectAccess.
- Use an alternative IPv4 or IPv6 intranet DNS server to resolve
names.
- Create an exemption by specifying that an internal DNS server
should not be used for a specific suffix or server.