Name resolution fails on some VPN clients using host names or NetBIOS names

Problem: Some VPN client may experience issues with name resolution, while both in or out of the quarantine network. The issue can be seen by attempting to PING a remote server by name only and the name can not be resolved to an IP address, resulting in a PING failure. However, the same PING test to a remote server using the Fully Qualified Domain Name (FQDN) works as expected.

Cause: This is usually the result of the VPN client not having a valid DNS suffix search list available. When a computer name is provided to Windows to be resolved, Windows will append the configured DNS suffixes to the server name in order and attempt to resolve them as a FQDN. If no suffixes are in place then a valid FQDN can not be constructed and name resolution fails.

Furthermore, when a DNS suffix is configured on the DHCP server, and ISA Server is configured to issue IP addresses to VPN clients, the only DHCP options that are received by the VPN clients are the DNS & WINS server addresses. No other DHCP options are sent to the VPN client.

Workaround: The ISA Server can be configured to run a DHCP relay agent to allow VPN clients to access the additional DHCP options, including the DNS suffix list. Full details of how to configure this are available on - ( Note: This article is applicable to ISA Server 2004 and 2006.

Alternatively, the DNS suffix settings can also be configured via Active Directory group policy. See Microsoft KB294785 ( for more information.

More information: When ISA Server issues the IP address to a VPN client it will also include the IP addresses of the WINS & DNS servers (if configured). After ISA Server issues the IP address to a VPN client, the VPN client will issue a DHCP Inform request in the form of a broadcast from its newly issued IP address. Note: This request is not part of the initial request for an IP address. However, ISA Server will drop the DHCP request packet it receives from the client (ISA is the destination for the broadcast in this case) as per the the default block rule. Installing a DHCP relay agent allows ISA to route the DHCP Inform broadcast request to the DHCP server, but requires a rule to allow the DHCP Request packets into the ISA Server. ISA will allow the request to leave the ISA Server, destined for the DHCP server, via the built in DHCP System Policy rule. The DHCP server will send the response directly to the IP address of the client as the Relay Agent preserves the actual client IP when forwarding the request to the DHCP server. Thus a second rule is required to allow the DHCP server to send the DHCP Reply directly back to the VPN client.

Future versions of VPN-Q may include the ability to configure the DNS suffix in the VPN client its self.


Have more questions? Submit a request


Please sign in to leave a comment.
Powered by Zendesk