XAUTH DNS problem

  • I have asked this before, but need help again (sorry) :oops:

    I have got an NS25 using XAUTH (Radius) and everything is working perfectly on dial-up VPN except DNS.

    I have set up an ip pool that is on a different subnet as suggested by Flo before and the vpn client receives all the correct DNS/WINS and ip address from the pool above when it connects.

    But DNS on the client isn't working properly. I can connect by IP address, but that's not really what I need. I did have this working (but forgot to make the route command on the server persistent and now it isn't there) - anyone have any ideas? I have tried this on the main DNS server on the network:

    route add -p (this is the other subnet for VPN clients) mask (this is the trusted interface on the NS25)

    Thanks! 🙂

  • Have you configured xauth remote dns as well as xauth default dns?

    I have been in contact with JTAC engineers about this problem as I have now got DNS working fine - but only on modem dial-up; on my home computer with ADSL, XAUTH DNS fails :?

    We have tried many different things and they think that my model of ADSL modem is incompatible with the Virtual Adapter. They have suggested I try a different model / brand of ADSL modem.

    Does anyone have any recommendations? What ADSL modems do you know that work properly with the XAUTH DNS / NS Remote?


  • Hi Yiming,

    Nice to see you again… Just got time in my vacation to answer this one…

    Yiming, in this case you will not be able to do any name resolution locally in your own LAN when the VPN is activated, and hence it will bring your non-VPN traffic to a halt.

    Now the user has to think: does he want to be disconnected from the local LAN when connected to the VPN?

    For Mike,
    I personally have not tried on machines without a NIC card, but I have seen some cases where a USB card for broadband was not working at all with NSR.

    Naveen Dhar. :shock:

  • Hi All:

    I encountered the problem since NetScreen introduced OS 4.0 with XAUTH.
    After several tries, I found a convenient way to solve it!
    Besides the normal VPN connection (if the name is office), add another connection profile (say blockdns) below the office connection.
    Edit the blockdns profile:

    • change action to block
    • change protocol to UDP
    • change port name from all to DNS
    • change port to 53
    • be sure to keep the ID type as “IP address” and the IP is
    • save the setting

    So when you make the VPN tunnel and it succeeds, the first DNS query
    will use the DNS server that the local NIC is configured with, but this query
    will be blocked by the profile (blockdns) we configured, so the system will treat
    the DNS server as busy or dead; then the system will try the other DNS
    server that is configured on the NetScreen-Remote adapter. Since the
    DNS IP is located on the subnet that the VPN protects, the query will
    pass through the VPN and get the correct DNS reply. That's all.


  • Hi Naveen, life is good 😉

    I added the DNS to the local NIC and DNS works across the VPN (at last!), so thank you for that! However I take it that this is a flaw in NSR 8.4, and the next question is this - what can you do if the machine doesn't have a local NIC card?! Because I have tested this and it will not work without a local NIC and DNS entered as suggested.

    I guess I have to wait until the new version is released?



  • Engineer

    snoop filter ip DNS-SRV-IP
    snoop on
    and then post the debug buffer

  • Hi ssiruuk,
    How is life ??? 😉

    About your issue, normally it is the behavior of the NSR client that it will check the locally defined DNS on the NIC card first, and only then will it request the XAUTH-supplied DNS… Have you defined DNS servers for your local LAN on the NIC card?

    Are they able to resolve these names?

    Also, does your remote party identity subnet contain the DNS IP? Otherwise the DNS request will be dropped… and not sent over the VPN.

    Naveen Dhar. :shock:

    The issue I have is that although XAUTH is giving out the correct internal DNS for our network, DNS isn't working across the VPN. I checked that the route command is on the DNS servers on the network, but I can still only ping or communicate with devices on the network by IP address, not by DNS name.

    I will check to see if debug flow basic shows up the dns request as you suggested.

    What should the correct route command be? Just to make sure that's not the problem?



  • Engineer

    No, you don't need to define DNS in this way. I do not understand exactly your issue. I was just speaking of a DNS in the PHYSICAL subnet of the remote client… nothing to do with the IP pool.

    Well, coming back to your issue, do you see the incoming DNS request from your remote host (debug flow basic)?
    To quickly check if you have a route issue, enable NAT in your incoming VPN rule. If the route issue is confirmed, then add the correct route on your DNS server. Don't forget the -p to make it persistent.
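The two checks that come up repeatedly in this thread (whether the XAUTH-supplied DNS server sits inside the remote party identity subnet, so the NSR client actually sends the query through the tunnel, and whether each internal DNS server has a persistent return route for the VPN IP pool toward the NS25 trusted interface) can be made mechanical. The script below is an added example, not code from the thread or from Juniper; every address in it is a constructed sample, since the original posts elide theirs. It also models the blockdns profile trick from the earlier post: a client tries its NIC DNS first, treats a blocked UDP/53 server as dead, and falls back to the NSR adapter's DNS.

```python
"""Sanity checks for DNS over a NetScreen-Remote (NSR) XAUTH dial-up VPN.

Constructed sample topology (assumption, not the posters' real values):
  - XAUTH IP pool for VPN clients:          10.20.30.0/24
  - internal LAN / remote party identity:   192.168.1.0/24
  - NS25 trusted interface:                 192.168.1.1
  - internal DNS servers handed out by XAUTH: 192.168.1.10, 192.168.1.11
"""
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("10.20.30.0/24")
REMOTE_IDENTITY = ip_network("192.168.1.0/24")   # "remote party identity" subnet in the NSR policy
NS25_TRUSTED_IF = ip_address("192.168.1.1")
XAUTH_DNS = ["192.168.1.10", "192.168.1.11"]

# Constructed routing tables as read off each DNS server ("route print" style):
# list of (destination network, gateway).  A gateway of 0.0.0.0 means on-link.
DNS_SERVER_ROUTES = {
    "192.168.1.10": [
        (ip_network("192.168.1.0/24"), ip_address("0.0.0.0")),
        (ip_network("10.20.30.0/24"), NS25_TRUSTED_IF),        # persistent route present
        (ip_network("0.0.0.0/0"), ip_address("192.168.1.254")),
    ],
    "192.168.1.11": [
        (ip_network("192.168.1.0/24"), ip_address("0.0.0.0")),
        (ip_network("0.0.0.0/0"), ip_address("192.168.1.254")),  # route to the pool is missing
    ],
}


def dns_servers_outside_identity(servers, identity):
    """DNS servers the NSR client would NOT send through the tunnel (as strings)."""
    return [str(s) for s in map(ip_address, servers) if s not in identity]


def longest_match(routes, dst):
    """Longest-prefix match, as a host routing table resolves a destination."""
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def return_route_ok(routes, pool, via):
    """True if replies to any pool address are forwarded to the NS25 trusted interface."""
    # Probe the first and last usable host so a route narrower than the pool is caught.
    for probe in (pool.network_address + 1, pool.broadcast_address - 1):
        match = longest_match(routes, probe)
        if match is None or match[1] != via:
            return False
    return True


def missing_return_route_servers(route_tables, pool, via):
    """Names of DNS servers whose replies to VPN clients would go the wrong way."""
    return [srv for srv, routes in route_tables.items()
            if not return_route_ok(routes, pool, via)]


def route_add_command(pool, via):
    """The persistent Windows route the thread describes (returned as text, not executed)."""
    return f"route add -p {pool.network_address} mask {pool.netmask} {via}"


def resolver_path(client_dns_order, blocked_udp53_to, identity):
    """Model the blockdns trick: the client walks its DNS list in NIC order, skips any
    server whose UDP/53 traffic the blockdns profile drops (it looks dead), and the
    query goes in-tunnel only if the chosen server lies in the identity subnet.
    Returns (server as string or None, sent_through_vpn)."""
    for s in map(ip_address, client_dns_order):
        if any(s in net for net in map(ip_network, blocked_udp53_to)):
            continue
        return str(s), s in identity
    return None, False


if __name__ == "__main__":
    print("DNS outside identity subnet:", dns_servers_outside_identity(XAUTH_DNS, REMOTE_IDENTITY))
    print("DNS servers lacking return route:", missing_return_route_servers(DNS_SERVER_ROUTES, VPN_POOL, NS25_TRUSTED_IF))
    print("Fix on each such server:", route_add_command(VPN_POOL, NS25_TRUSTED_IF))
    # Local NIC DNS 192.168.0.1 (home router) first, NSR adapter DNS second, blockdns dropping UDP/53 to the home LAN.
    print("Resolver path with blockdns:", resolver_path(["192.168.0.1", "192.168.1.10"], ["192.168.0.0/24"], REMOTE_IDENTITY))
```

Run it against your own values by replacing the constructed constants; a DNS server reported by `missing_return_route_servers` is the one that still needs the `route add -p` line, and a non-empty result from `dns_servers_outside_identity` means the identity subnet in the NSR policy must be widened to cover the DNS server before any route work matters.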

    No I don't, Florent; the two DNS servers on the network are in the subnet (mask is

    Do I need to set up a DNS server in the subnet for VPN clients?



  • Engineer

    Do you have any local DNS server which is part of the same subnet as the physical interface of the VPN client (typically an ADSL router used as DNS proxy)?